Google's Dissident CyberWoes, Vietnam Edition

♠ Posted by Emmanuel in , at 3/31/2010 11:56:00 PM
What is the deal with Google and authoritarian regimes in Asia concerning dissidents, anyway? This time around, we have intrusions noted on the privacy of those protesting the involvement of Chinese steel producer Chinalco mining bauxite in Vietnam. In this version of events, we are not concerned with Tibetan activists and the like, but with environmental and social concerns (with a side helping of Sinophobia). Especially given the sizeable Vietnamese diaspora arising from the fall of Saigon, this issue has international dimensions. Let us begin with the Google Online Security blog:
Perhaps unsurprisingly, these [China incidents] are not the only examples of malicious software being used for political ends. We have gathered information about a separate cyber threat that was less sophisticated but that nonetheless was employed against another community.

This particular malware broadly targeted Vietnamese computer users around the world. The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.
So, once more, Google seems to be implicating the Vietnamese government in the spread of this malware that not only fouls computer operation but also launches denial of service attacks on dissidents' websites. Meanwhile, the antivirus vendor McAfee goes one further in implicating the Vietnamese government:
By now, you may have seen the Google blog post talking about the targeted attacks against the computers of Vietnamese speakers and others. The botnet, which McAfee identified while investigating Operation Aurora [see McAfee's description of Operation Aurora], has commandeered these computers in what appears to be a politically motivated attack. McAfee has been sharing the results of its investigation with Google as it unfolded.

Attackers created the botnet by targeting Vietnamese speakers with malware that was disguised as software that allows Windows to support the Vietnamese language. The keyboard driver known as VPSKeys is popular with Vietnamese Windows users and is needed to be able to insert accents at the appropriate locations when using Windows. The bot code masquerading as a keyboard driver finds its way onto computers that, once infected, join a botnet with command and control systems located around the globe that are accessed predominantly from IP addresses inside Vietnam.

We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related. The bot code is much less sophisticated than the Operation Aurora attacks. It is common bot code that could use infected machines to launch distributed denial of service attacks, monitor activity on compromised systems and for other nefarious purposes.

We believe the attackers first compromised, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.

The rogue keyboard driver, dubbed W32/VulcanBot by McAfee, connected the infected machines to a network of compromised computers. During our investigation into the botnet we found about a dozen command and control systems for the network of hijacked PCs. The command and control servers were predominantly being accessed from IP addresses in Vietnam...

This incident underscores that not every attack is motivated by data theft or money. This is likely the latest example of hacktivism and politically motivated cyberattacks, which are on the rise and a topic we at McAfee have often discussed in our publications. In an excellent paper on Cybercrime and Hacktivism published this month, Researcher Francois Paget discusses the topic at length. It is also covered in our most recent Quarterly Threat Report.
I'm currently having a read of the aforementioned report on Cybercrime and Hacktivism. All the same, the activities McAfee describes appear tactically sophisticated even if they may not be as technologically sophisticated as the purported China incidents if you follow the chain of events described above. Can the Vietnamese authorities really know the vulnerabilities of international Vietnamese users so well? In the sense of being internationally targeted, this effort--whoever the perpetrator may be--certainly isn't a mug's game.

Meanwhile, this is the second time Google has suggested that an Asian government stands to gain from the use of cyberattacks. While Google has not really produced the goods on possible PRC-sponsored involvement in the China incident, it has not hesitated to do so again with Vietnam. All I can say, Google, is show us the cybercrime. If you have the goods, then do so. Otherwise, I think some circumspection is in order. After all, Google services weren't directly attacked in the latter incident.