As encryption has become more prevalent in online communications as a countermeasure against surveillance, attackers have sought to circumvent these measures by covertly installing malware on targeted computers that can log keystrokes, remotely spy on users with their own webcams, record Skype calls, and listen in on the computer’s built-in microphone. Sometimes the attacker is a criminal, such as the hacker who used a remote access tool (RAT) to take blackmail photos of Miss Teen USA. Sometimes the attacker is acting in support of a state, like the pro-Assad hackers whose malware campaigns against opposition supporters EFF has been tracking for the last two years. Sometimes the attacker is the government or a law enforcement agency. For example, the NSA’s Tailored Access Operations unit uses covertly-installed malware to spy on targets.
Malware is a tool that most states have in their toolbox, and Vietnam is no exception. For the last several years, the communist government of Vietnam has used malware and RATs to spy on journalists, activists, dissidents, and bloggers, while it cracks down on dissent. Vietnam’s Internet spying campaign dates back to at least March 2010, when engineers at Google discovered malware broadly targeting Vietnamese computer users. The infected machines were used to spy on their owners as well as to participate in DDoS attacks against dissident websites. The Vietnamese government has cracked down sharply on anti-government bloggers, who represent the country’s only independent press. It is currently holding 18 bloggers and journalists, 14 from a year earlier, according to a report issued by the Committee to Protect Journalists in 2013.
EFF has written extensively about the worsening situation for bloggers in Vietnam, supporting campaigns to free high-profile bloggers such as Le Quoc Quan and Dieu Cay, and criticizing Vietnam’s Internet censorship bill. This report will analyze malware targeting EFF’s own staff, as well as a well-known Vietnamese mathematician, a Vietnamese pro-democracy activist, and a Vietnam-based journalist at the Associated Press.
A Campaign Targeting EFF and Associated Press
We will begin with the attack targeting EFF staffers. This marks the first time we have detected a targeted malware attack against our organization by what appear to be state-aligned actors.
On December 20th, 2013, two EFF staffers received an email from “Andrew Oxfam,” inviting them to an “Asia Conference” and to click on a pair of links that were supposed to contain information about the conference and the invitation itself. These links were especially suspicious because they were not hosted on Oxfam’s domain, but instead directed the invitee to a page hosted on Google Drive, seen below. In addition, this email contained two attachments purporting to be invitations to the conference.
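The mismatch that made these links stand out can be checked mechanically. The following is an added example, not code from this report: it parses a message and lists the link hosts that fall outside the domain of the organization the sender claims to represent, together with the attachment names. The sample message, its address, URLs and file names, and the choice of oxfam.org as the expected domain are assumptions made for illustration.

```python
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the e-mail described above (all values are placeholders).
SAMPLE = """\
From: "Andrew Oxfam" <sender@mail.example>
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/html; charset="utf-8"

<a href="https://drive.google.com/EXAMPLE-1">Conference information</a>
<a href="https://drive.google.com/EXAMPLE-2">Invitation</a>
<a href="https://www.oxfam.org/">Oxfam</a>
--b
Content-Disposition: attachment; filename="invitation-1.bin"

--b
Content-Disposition: attachment; filename="invitation-2.bin"

--b--
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    # Exact host or a true subdomain only, so "oxfam.org.evil.example" fails.
    return host == domain or host.endswith("." + domain)

def triage(raw, claimed_domain):
    """Return (link hosts outside claimed_domain, attachment names)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    off_domain, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            links = LinkCollector()
            links.feed(part.get_content())
            hosts = [urlsplit(u).hostname or "" for u in links.hrefs]
            off_domain += [h for h in hosts if not in_domain(h, claimed_domain)]
    return off_domain, attachments
```

Calling `triage(SAMPLE, "oxfam.org")` reports both Google Drive links as off-domain and names the two attachments, while the link to the organization's own site passes.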