Researchers in Canada have shed new light on what appears to be a systematic attempt to infect and compromise computers belonging to journalists working in China - an attack that coincides with a security clampdown in the country as Beijing's Communist government celebrates its 60th anniversary.

Reporters working with foreign media outlets including Reuters, Dow Jones and Agence France-Presse began receiving e-mails last week from someone purporting to be each respective outlet's economics editor.

The e-mails, written in good English, detail a proposed trip to China for a story, and include an attached Adobe PDF file that contains a mostly accurate list of local contacts.

However, when opened, the file installs malware - software that infects the machine and often leaves it completely under the control of a remote user - on the user's computer.
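A newsroom-side triage check for the lure pattern described above, added here as an example and not taken from the article or the Citizen Lab report: it parses a message, flags a From display name that claims an editor role while the address sits outside the outlet's own domains (assumed here to be reuters.example), and scans any PDF attachment for PDF names that make a document act when opened. The addresses, domain and PDF body are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample shaped like the lure described in the article: a message
# claiming to come from the outlet's economics editor, with a PDF attached.
SAMPLE_EML = """\
From: "Economics Editor, Reuters" <econ.editor@freemail.example>
Subject: Proposed reporting trip to China - local contacts
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the list of local contacts for the trip.
--b1
Content-Type: application/pdf; name="contacts.pdf"
Content-Disposition: attachment; filename="contacts.pdf"

%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (placeholder) >> endobj
%%EOF
--b1--
"""

# PDF names that make a document do something on open: a triage signal, not proof.
ACTIVE_PDF_MARKERS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")

def triage(raw: str, outlet_domains: set) -> dict:
    # Combine sender-claim, sender-domain and attachment checks into one verdict.
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {
        "claims_editor_role": bool(re.search(r"\beditor\b", name, re.I)),
        "sender_outside_outlet": domain not in outlet_domains,
        "active_pdf": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "application/pdf" and not fname.lower().endswith(".pdf"):
            continue
        data = part.get_payload(decode=True) or b""
        hits = [m.decode() for m in ACTIVE_PDF_MARKERS if m in data]
        if hits:
            findings["active_pdf"].append((fname, hits))
    findings["suspicious"] = all((findings["claims_editor_role"],
                                  findings["sender_outside_outlet"], findings["active_pdf"]))
    return findings
```

Run `triage(SAMPLE_EML, {"reuters.example"})` to see the constructed lure flagged; a message from the outlet's own domain with a plain PDF is not.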

The attacks coincide with reports of tighter security measures ahead of the 60th anniversary of the founding of the People's Republic of China, say Nart Villeneuve and Greg Walton, senior research fellows of the Citizen Lab at the University of Toronto's Munk Centre for International Studies. The researchers have written a report outlining the attack.

"It seems to me that the people involved in that - targeted malware attacks - generally prey on organizations that are related to some ongoing event," Mr. Villeneuve said, adding that the style of attack indicated a smart adversary, but not necessarily government involvement.

"In this kind of environment, with the 60th anniversary of the founding of the PRC coming up, it just seems to me that attacking media targets makes sense."

The malware has in some cases connected to a command and control server, Mr. Villeneuve said. However, researchers have not been able to decrypt the communication passing between the two ends.

While the researchers stress there is no conclusive evidence that Beijing is behind the attack, they added that there are several factors to support such a conclusion.

For example, the malware was e-mailed to Chinese assistants working for foreign news organizations. Such assistants rarely have their names published, but must be hired through an arm of the Chinese foreign ministry.

"That looks very suspicious to me," said Ronald Deibert, director of the Citizen Lab.

Along with Mr. Villeneuve and Mr. Walton, Mr. Deibert was at the centre of an operation that uncovered "GhostNet," a network of more than 1,200 infected computers worldwide that included machines in embassies and ministries. In that case, the vast majority of attacks appeared to originate from China.

In the case of the attacks against journalists, the researchers have traced back the malware's IP address to two compromised servers, both located in Taiwan.

Ironically, one of those servers belongs to the National Central University of Taiwan - it is where students and faculty are directed to go to download anti-virus software.

Because there exist very few recognized international mechanisms for reporting and logging such attacks, Mr. Deibert said he had to contact Taiwanese authorities directly to notify them that key servers had been infiltrated.

"I think it's not appropriate for a researcher at the university to contact an ambassador here in Canada to let them know," Mr. Deibert said.

"But nonetheless it has to be done, and the reason is there is really no other obvious avenue for us to turn."