Arbor Networks Research Highlights Advanced Persistent Threat Campaign Targeting Journalists and Human Rights Workers in Tibet, Hong Kong and Taiwan

April 2016 by Marc Jacob

Arbor Networks Inc., the security division of NETSCOUT, released a new Threat Intelligence Report from Arbor’s Security Engineering & Response Team (ASERT) that reveals recent ongoing Advanced Persistent Threat (APT) activity likely associated with long-running threat campaigns against members of the Tibetan community, along with journalists and human rights workers in Hong Kong and Taiwan.

A tool to exploit the victims, dubbed the Four Element Sword Builder, is being used to weaponise Microsoft Office documents for use in these campaigns. A sample of twelve different targeted exploitation incidents (taken from a larger set of activity) is described in the threat brief along with newly discovered connections to previously documented threat campaigns.

This recent activity uncovered by ASERT matches pre-existing targeting patterns towards the “Five Poisons” – organisations and individuals associated with perceived threats to Chinese government rule: Uyghurs, Tibetans, Falun Gong, members of the democracy movement and advocates for an independent Taiwan. This targeting scheme, along with various malware artefacts and associated metadata, suggests that the threat actors herein have a Chinese nexus.

Arbor’s goal is to provide insight that enables customers, network operators, Computer Emergency Response Teams (CERTs), forensic and policy analysts, law enforcement and the broader public not only to understand the larger context surrounding dangerous targeted exploitation campaigns, but also to carry out efficient incident response and mitigations designed to keep threat actors at bay. In addition, this report can serve to further educate strategic decision makers who are dealing with global threats.

