The recent increase in attention given to cyber security is thanks in no small measure to the works published by Information Warfare Monitor and Shadowserver Foundation titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” as well as the earlier report titled “Tracking GhostNet: Investigating a Cyber Espionage Network”. Both detail the existence of cyber espionage operations targeted against Tibetan and Indian officials and institutions, allegedly run by the Chinese. If you haven’t read these reports yet, you should.
There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions on how the espionage network was run to higher-level “what have we learnt” ones. This post looks at one of the factors that allowed this episode to play out: the effectiveness of the malware attacks that were used to set the exfiltration network up.
The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information acquisition phase before the delivery must have been involved and meticulous.
What is surprising and frustrating about the whole attack is that while the malware was delivered with targeted effectiveness, there is no proof that it exploited any 0-day vulnerabilities in the applications, and hence it could have been caught and prevented from wreaking havoc on target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, like updated anti-virus or HIPS software installed on them? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not secured well enough? In addition, were network-based Intrusion Prevention/Detection Systems installed on these networks, and if so, why were they not effective in preventing or even detecting these attacks?
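The post asks why document-borne malware that used no 0-day was not caught. One of the cheapest detection layers a defender can put in front of a mailbox or file share is static triage of exactly the file types the reports name (DOC, XLS, PPT, PDF): flag PDFs that carry active content, flag Office files that carry macros or embedded objects, and flag attachments whose extension does not match their real format. The script below is an added example written for this post, not code from the reports or from Vyuha; the indicator list is an assumed heuristic, and all sample files are constructed inline.

```python
import io
import re
import zipfile

# Assumed heuristic: PDF name objects that enable active content. Every one of
# these is also a legitimate PDF feature, so a hit means "inspect", not "malicious".
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|EmbeddedFile|AA)\b")

# Magic bytes for the legacy OLE2 container used by DOC/XLS/PPT.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OFFICE_EXTENSIONS = {"doc", "xls", "ppt", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}


def triage_pdf(data: bytes) -> list[str]:
    """Return the sorted set of active-content keywords found in raw PDF bytes."""
    found = {m.group(1).decode() for m in PDF_ACTIVE_CONTENT.finditer(data)}
    return sorted(found)


def triage_office(data: bytes) -> list[str]:
    """Return findings for an Office document (legacy OLE2 binary or OOXML zip)."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macro streams need an OLE parser (e.g. olefile),
        # so this example only reports the format and leaves it for deeper analysis.
        return ["legacy-ole2-binary"]
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return ["corrupt-zip"]
        findings = []
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("vba-macros")
        if any("/embeddings/" in n for n in names):
            findings.append("embedded-objects")
        return findings
    return ["unknown-format"]


def triage_file(name: str, data: bytes) -> list[str]:
    """Dispatch on the claimed extension, but verify the real format first."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "pdf":
        if not data.startswith(b"%PDF"):
            return ["extension-mismatch"]
        return triage_pdf(data)
    if ext in OFFICE_EXTENSIONS:
        return triage_office(data)
    return ["unhandled-extension"]


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed samples: a PDF that opens a JavaScript action, a PDF with only page data.
SAMPLE_PDF_JS = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
)
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SAMPLE_DOCX_MACRO = build_docx(with_macros=True)
SAMPLE_DOCX_CLEAN = build_docx(with_macros=False)


if __name__ == "__main__":
    inbox = {
        "brief.pdf": SAMPLE_PDF_JS,
        "notes.pdf": SAMPLE_PDF_CLEAN,
        "agenda.docx": SAMPLE_DOCX_MACRO,
        "minutes.docx": SAMPLE_DOCX_CLEAN,
        "report.pdf": SAMPLE_DOCX_CLEAN,  # OOXML bytes under a .pdf name
    }
    for filename, content in inbox.items():
        print(f"{filename}: {triage_file(filename, content) or 'no findings'}")
```

Keyword scanning over raw bytes is deliberately simple and has a known blind spot: PDF generators and attackers alike can place these names inside compressed object streams, where a plain substring search never sees them. Treat this as the first, cheap layer that the post's questions about anti-virus and HIPS imply should have existed, and feed anything it flags (or anything it cannot parse) to a real parser or sandbox rather than declaring it clean.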
A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.