“A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor,” said Kurt Baumgartner in a Kaspersky Lab Securelist blog. This is a typical water hole attack, where a site of interest is hacked, and visitors compromised. In general, water hole attacks are ‘targeted’ solely by the nature of the compromised website. In this instance, however, only the Chinese language version is used – the English and Tibetan language versions remain clean.
The site has been compromised with an iframe that redirects visitors to a Java exploit (technically, “the 212kb ‘YPVo.jar’, which archives, drops and executes the backdoor as well.”) That backdoor has been “detected as ‘Trojan.Win32.Swisyn.cyxf’,” says Baumgartner. “Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.” He also notes, however, “The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect.”
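The injection pattern described here, a hidden iframe pointing off-site that is present in only one language version of a site, is something a site owner can check for. The following is an added example written for this page, not code from the article, Kaspersky or the Central Tibetan Administration; the sample pages, the site hostname `cta.example` and the iframe destination `exploit-host.invalid` are constructed placeholders, and the check is the generic one (off-site or zero-size/hidden iframes) rather than a signature for this specific incident.

```python
"""Flag off-site or hidden iframes in served HTML and compare language
versions of a site, so an injection that appears in only one version stands
out. Added example; sample pages and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "cta.example"  # constructed: the site being checked


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values may be None when the attribute has no value
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero-size or CSS-hidden iframes are a classic drive-by injection tell."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width == "0" or height == "0"
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, site_host=SITE_HOST):
    """Return one finding per iframe that is off-site, hidden, or both."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # a relative src has no hostname and stays on the site itself
        host = urlparse(src).hostname or site_host
        offsite = host != site_host and not host.endswith("." + site_host)
        hidden = _is_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "offsite": offsite, "hidden": hidden})
    return findings


def compare_language_versions(pages, site_host=SITE_HOST):
    """Map language -> findings for every version that carries a suspicious
    iframe. In the article's case only the Chinese version would appear."""
    flagged = {}
    for lang, html in pages.items():
        findings = suspicious_iframes(html, site_host)
        if findings:
            flagged[lang] = findings
    return flagged


# Constructed sample pages (not captured from the real site)
CLEAN_EN = ("<html><body><h1>Welcome</h1>"
            "<iframe src='/embed/video'></iframe></body></html>")
INJECTED_CN = ("<html><body><h1>欢迎</h1>"
               "<iframe src='http://exploit-host.invalid/landing' width='0' "
               "height='0' style='display:none'></iframe></body></html>")

if __name__ == "__main__":
    for lang, findings in compare_language_versions(
            {"en": CLEAN_EN, "zh": INJECTED_CN}).items():
        print(lang, findings)
```

Run against a crawl of each language version of a site, the check flags the version that diverges; the on-site relative iframe in the English sample is left alone, while the zero-size, off-site iframe in the Chinese sample is reported as both off-site and hidden.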
Baumgartner believes that the attacker is the same person or group that has been attacking Tibetan separatists and sites, through both waterhole and spear phishing, since at least 2011. In this current attack, he believes that only a few systems in the US and China have been attacked, “but there could be more.”
The Dalai Lama is the spiritual leader of Tibet, and indeed of Buddhists throughout the world. He fled Tibet in 1959 after a failed uprising against the occupying Chinese, and established a ‘government in exile’ in India. A comment from 1975 explains why the Chinese authorities might consider him to be a continuing threat: “We, the Tibetans in the free world, keeping our stand in conformity with the thinking of the masses of Tibet, will never stop our movement for the independence of Tibet.”
Graham Cluley points out that in a water hole attack, “The hackers may not actually be that interested in stealing information from your website and its servers, but may be much keener to spy upon and exploit the computers which visit it.” In this instance, Chinese speaking supporters of the Dalai Lama.
Cluley goes on to stress the “importance of keeping web servers, and the software running on them, up-to-date with security patches to lessen the chances of hackers being capable of embedding malicious code.” And of course all web surfers should keep their own systems fully-patched with both the latest browser and up-to-date anti-virus systems to protect themselves on the internet.