A new report from the University of Toronto’s Citizen Lab describes an unsuccessful phishing campaign against CDT in February, and other attacks on China-focused news sites that researchers subsequently uncovered. From Jakub Dalek, Geoffrey Alexander, Masashi Crete-Nishihata, and Matt Brooks:
On February 12, 2017, a CDT staff member received an email from a person claiming to be a UC Berkeley student with “insider information” on claims made by 郭云贵 (Guo Yungui) on “hacker attacks” against the Chinese language news site Mingjing. The characters 郭云贵 (Guo Yungui) appear to be a slight variation of Guo Wengui (郭文贵), a Chinese billionaire who has gained notoriety after voicing allegations that high ranking officials in the Communist Party of China are engaged in corruption. […]
[…] Three days later, the staff member received another email offering insider information on the Mingjing attacks. This email included a link that, at first glance, appeared to be the domain of China Digital Times, but with a slight misspelling. Instead of chinadigitaltimes.net the link sent was chinadagitaltimes[.]net with an added ‘a’ instead of an ‘i’ in the word digital. A day after this email was sent, other staff members at CDT received similar emails with the same link (see below).
[…] While the tactics used in these campaigns are technically simple, the operators demonstrate patience and persistence. They have been using content and domains mimicking Chinese-language news sites as lures since at least 2015, and appear to carefully move from one target to another. The phishing campaign against China Digital Times was stood up and taken down in the span of 20 days. In this period, the operators scanned the CDT site for vulnerabilities, registered a lookalike domain, created a fake CDT decoy site, and sent the group a wave of customized phishing emails. […]
The news sites used for lures and targeting in the operation all report on topics seen as politically sensitive by the government of China, and follow a general pattern of news organizations reporting on China being targeted by digital espionage. While there are connections between these targets and the geopolitical concerns of the Chinese government, we cannot conclusively attribute this operation to a state sponsor. […] [Source]
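The lookalike domain in the excerpt above (chinadagitaltimes[.]net standing in for chinadigitaltimes.net) differs from the real one by a single character, which is exactly what an edit-distance check on the domains linked in incoming mail will catch. The following is an added defender-side example, not code from CDT or the Citizen Lab; the email body, the protected-domain list and the distance threshold of 2 are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains to protect; chinadigitaltimes.net is the one named in the report.
PROTECTED_DOMAINS = ["chinadigitaltimes.net"]

# Constructed sample email body modelled on the lure described above (not the real message).
SAMPLE_EMAIL = """Hi, I have insider information on the Mingjing attacks.
See the details here: http://chinadagitaltimes[.]net/2017/02/insider/
Our own coverage: https://chinadigitaltimes.net/2017/02/report/
Unrelated link: https://example.org/news
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def url_to_domain(url):
    """Return the lowercase host of a URL, undoing the common [.] defanging first."""
    host = urlparse(url.replace("[.]", ".")).hostname or ""
    return host.lower().removeprefix("www.")


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(text, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (linked_domain, protected_domain, distance) for every linked domain
    that is a near-miss of a protected domain. Exact matches are the real site
    and are skipped; anything at distance 0 < d <= max_distance is flagged."""
    hits = []
    for url in URL_RE.findall(text):
        domain = url_to_domain(url)
        for good in protected:
            d = levenshtein(domain, good)
            if 0 < d <= max_distance:
                hits.append((domain, good, d))
    return hits


if __name__ == "__main__":
    for domain, good, d in find_lookalikes(SAMPLE_EMAIL):
        print(f"lookalike: {domain} (distance {d} from {good})")
```

A mail gateway or ticketing hook can run the same check over every outbound-link domain and hold the message for review; a threshold of 1 or 2 keeps noise low while still catching single-character swaps like the one used here.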
The Citizen Lab’s founder Ron Deibert commented in a separate blog post:
Every day we hear warnings not to open attachments, click on links, or enter our credentials into websites that do not look trustworthy. But what if they do look legit? How do we tell?
Our latest report shows not only the lengths to which an espionage operation will go to fool users, but it also provides a good example of how difficult it may be for the average user to discern one from the other.
[…] I expect we will see more cases such as these in which legitimate news sites are doctored and manipulated to push disinformation or facilitate cyber espionage. With each of us bombarded with data from social media on a daily basis, discerning “fake” from “real” or “malicious” from “benign” will become ever more challenging and time-consuming. Cases such as these illustrate the importance of educating users, especially those working in high-risk areas such as investigative journalism, about the importance of integrating information security and digital hygiene into their daily routines. [Source]
CDT thanks the Citizen Lab for its investigation and assistance in responding to the attack. Read more about the organization’s China-related work via CDT.