The Snooping Dragon – case study and report
The University of Cambridge Computer Laboratory report The snooping dragon: social-malware surveillance of the Tibetan movement, by Shishir Nagaraja (now at the University of Illinois) and Ross Anderson, documents attacks conducted on the Tibetan exile community and its supporters.
Nagaraja and Anderson conclude that the malware-based attacks came from “the intelligence services of a major country” (China), but this is a hard thing to prove. The evidence is circumstantial. Attacks on computers in the Office of His Holiness the Dalai Lama (OHHDL) in Dharamsala, India, and on the servers it uses, came from within China, but a capable attacker elsewhere could compromise Chinese computers and then attack through them. In fact, some related attacks came from computers belonging to groups that were themselves under political attack by the Chinese government (see the report). And the attacks were only moderately sophisticated and left traces; an attacker from a national security service would be expected to leave none, yet these attackers did.
Here is the abstract from the report:
In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack, and although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.
And a key excerpt:
Email attachments appear to have been the favoured strategy to deliver malicious payloads. This worked because the attackers took the trouble to write emails that appeared to come from fellow Tibetans and indeed from co-workers.
And another:
Then there’s the hardest part – operational security. How do you train your staff so that they won’t fall prey to social engineering attacks? An old NSA security manual that fell into the public domain in the early 1990s gives some insight into the lengths that the agencies go to to prevent hostile agencies targeting their staff [1].
[1] The NSA Security Manual, at http://www.cl.cam.ac.uk/~rja14/Papers/nsaman.pdf
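The excerpt above on email lures describes the delivery technique: an attachment sent under the name of a fellow Tibetan or a co-worker. One low-cost defensive check a mail gateway or SOC script can apply is to compare the sender's display name against an internal directory and flag a match whose actual address is not the colleague's, especially when an attachment is present. The following is an added example, not code from the Nagaraja/Anderson report; the directory, the domain, the risky-extension list and the two sample messages are all constructed for illustration.

```python
"""Flag inbound mail that borrows a colleague's display name and carries an attachment.

Added example (not from the report). The directory, domain, extension list and
sample messages below are constructed; a real deployment would read the directory
from its identity provider.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed directory: display name -> the address the colleague really uses.
INTERNAL_DIRECTORY = {
    "Tenzin Dorje": "tenzin.dorje@example.org",
    "Pema Lhamo": "pema.lhamo@example.org",
}
INTERNAL_DOMAIN = "example.org"

# Constructed list of attachment types commonly used to carry a payload.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".chm", ".doc", ".xls", ".pdf")


def attachment_names(msg):
    """Return the file names of every attachment part in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw_message):
    """Score one raw RFC 822 message.

    Returns {"suspicious": bool, "reasons": [str, ...]}. The rule is deliberately
    narrow: it fires only when a sender-identity indicator AND a risky attachment
    are both present, which is the pattern the report describes.
    """
    msg = message_from_string(raw_message, policy=default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    display_name = display_name.strip()
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons = []

    # Indicator 1: the display name is a known colleague, but the address is not theirs.
    known = INTERNAL_DIRECTORY.get(display_name)
    if known and address != known.lower():
        reasons.append(f"display name '{display_name}' matches a colleague but address is {address}")

    # Indicator 2: the sender domain is not ours but resembles it (lookalike domain).
    label = INTERNAL_DOMAIN.split(".")[0]
    if domain and domain != INTERNAL_DOMAIN and label in domain:
        reasons.append(f"sender domain {domain} resembles {INTERNAL_DOMAIN}")

    risky = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXTENSIONS)]
    suspicious = bool(reasons) and bool(risky)
    if suspicious:
        reasons.append("carries attachment(s): " + ", ".join(risky))
    return {"suspicious": suspicious, "reasons": reasons if suspicious else []}


# Constructed sample: colleague's name, external lookalike domain, .doc attachment.
SPOOFED = """From: Tenzin Dorje <tenzin.dorje@example-mail.net>
To: staff@example.org
Subject: Updated schedule for the delegation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please review the attached schedule before tomorrow.
--sep
Content-Type: application/msword; name="schedule.doc"
Content-Disposition: attachment; filename="schedule.doc"
Content-Transfer-Encoding: base64

AAAA
--sep--
"""

# Constructed sample: same colleague, genuine address, same attachment.
LEGITIMATE = SPOOFED.replace("tenzin.dorje@example-mail.net", "tenzin.dorje@example.org")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name, triage(raw))
```

The point of gating on both indicators is to keep the false-positive rate low enough that staff will act on the alert; a colleague legitimately mailing a document from their normal address produces no finding, while the same document under a borrowed name from a lookalike domain does.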
Malware: software that does bad stuff.