
Monday, March 30, 2009

The snooping dragon: social-malware surveillance of the Tibetan movement

30 Mar 2009

Computer Laboratory, University of Cambridge, Cambridge, UK

"Computer Laboratory: Technical reports: UCAM-CL-TR-746
The snooping dragon: social-malware surveillance of the Tibetan movement
Shishir Nagaraja, Ross Anderson
March 2009, 12 pages.
In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack, and although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge. Full text PDF (0.3 MB)"

"Email attachments appear to have been the favoured strategy to deliver malicious payloads. This worked because the attackers took the trouble to write emails that appeared to come from fellow Tibetans and indeed from co-workers. The use of carefully-written email lures based on social context to get people to visit bogus websites has been called 'social phishing'; in this incident, such email was used to spread malware and we therefore call this strategy social malware. [...]
In this note we described how agents of the Chinese government compromised the computing infrastructure of the Office of His Holiness the Dalai Lama. They used social phishing to install rootkits on a number of machines and then downloaded sensitive data. People in Tibet may have died as a result. The compromise was detected and dealt with, but its implications are sobering. It shows how difficult it is to defend sensitive information against an opponent who uses social engineering techniques to install malware.
[...] Although the attack we describe in this case study came from a major government, the techniques their agents used are available even to private individuals and are quite shockingly effective. In fact, neither of the two authors is confident that we could keep secrets on a network-connected machine that we used for our daily work in the face of determined interest from a capable motivated opponent. The necessary restrictions on online activity would not be consistent with effective academic work. [...]."

Site contents:
1. Introduction; 2. Attacks on the Dalai Lama's Private Office (2.1 The attack vector, 2.2 The payload, 2.3 The attackers' operational security) 3. Analysis and Countermeasures (3.1 Countermeasures for NGOs, 3.2 Countermeasures for companies); 4. Conclusions.

[See also a recent newspaper article: Christian Science Monitor,
Cyber spy network with global reach raises alarms. By Tom A. Peter, posted March 29, 2009.
A group of hackers based almost exclusively in China has hacked into 1,295 computers in 103 countries. Canadian researchers at the University of Toronto revealed that cyber spies infiltrated systems in foreign ministries, embassies, international organizations, [...]. Thirty percent of the targeted computers could be considered "high-value" targets. [...] - ed.]


Internet Archive: [the report was not archived at the time of this abstract]

Link reported by: T. Matthew Ciolek

* Resource type [news - documents - study - corporate info. - online guide]:
* Publisher [academic - business - government - library/museum - NGO - other]:
* Scholarly usefulness [essential - v.useful - useful - interesting - marginal]:
* External links to the resource [over 3,000 - under 3,000 - under 1,000 - under 300 - under 100 - under 30]: under 100

Please note that the above details were correct on the day this post was published. To suggest an update, please email the site's editor at