Hackers Get Personal With Bespoke Malware Attacks

Just before Christmas, two staff members at the Electronic Frontier Foundation received e-mails that contained links they were fortunate not to click. Under the subject line “Oxfam Conference,” the message from someone named Andrew Oxfam appeared to contain an invitation and meeting information. At a glance, it would seem to be related to the antipoverty organization Oxfam International.

Instead, a click on links in the e-mails would have downloaded malicious software and enslaved the target computer to a command server used in attacks related to Vietnam, a country whose Internet censorship the EFF has criticized. “This marks the first time we have detected a targeted malware attack against our organization by what appear to be state-aligned actors,” the San Francisco-based EFF said in a new report about attacks on itself and others that have worked on Vietnamese issues.

Hackers involved in these attacks have custom-tailored their malicious bait to fit the interests of their targets, which included a Vietnamese mathematician, a journalist, and a Vietnamese pro-democracy activist. The malware received by the EFF employees was also sent to a Vietnam-based Associated Press journalist, but with a different lure. In that case, the report said, the malicious link was disguised as a Human Rights Watch paper about Vietnam.

The EFF report was written by Eva Galperin, a global policy analyst at EFF, and malware expert Morgan Marquis-Boire, the researcher who in 2012 used malware samples obtained by Bloomberg News to show that Bahraini activists had been targeted by FinSpy, a product marketed to governments for the purpose of secretly taking over computers and phones.

In the new report, the researchers poked fun at themselves to make their point that the tailored nature of the attacks “demonstrates some understanding of what motivates activists.”

“Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences,” they wrote. “For greater verisimilitude,” the activist researchers deadpanned, “the attacker should have included an offer to pay for flights and hotels.”