Digital attacks on China critics intensify, says cybersecurity firm

The group behind the so-called Scarlet Mimic malware campaign, which has traditionally targeted Tibetan and Uyghur groups, is using more sophisticated tools and going after new targets, according to Palo Alto Networks.

A protester across from United Nations Headquarters in New York.

Mike Segar/Reuters/File

January 25, 2016

A shadowy hacker group with suspected ties to the Chinese government has increased its attacks on human rights groups and is even targeting the Russian spy agency, according to a report released Monday.

The cybersecurity company Palo Alto Networks noticed a recent upswing in activity in a four-year-old malware campaign dubbed "Scarlet Mimic," a name that refers to the attackers' main tool, a backdoor that disguises its network traffic as that of legitimate instant-messaging software. The malware is designed to steal location data and sensitive communications from targeted computers.

While most of the attackers' victims have been organizations that support the rights of Tibetan and Uyghur minorities, the unknown group behind the campaign also appears to have begun sending targeted phishing e-mails to the Russian Federal Security Service and to Indian government organizations.


Palo Alto doesn't have specific proof linking the attacks to elements in the Chinese government or military, but the firm says the hackers' behavior and the profiles of the victims suggest China is either officially or unofficially involved in the malware campaign.

"We do believe there is a government behind this," says Ryan Olson, director of threat intelligence at Palo Alto's Unit 42 research team. "But we don’t have any evidence linking China" directly to Scarlet Mimic, he says.

Over the past year, China has been blamed for a string of massive data breaches and hacks in the US, from the Office of Personnel Management incursion to the Anthem data breach. But for years, civil society and rights groups such as the World Uyghur Congress and Tibetan Alliance of Chicago have complained they are under constant digital surveillance and attack from Chinese agencies. 

For instance, in 2012, the cybersecurity firm FireEye described how Tibetan activists – ranging from personal envoys of the Dalai Lama to students in San Francisco – were victims of near daily cyberattacks.

Mr. Olson said the firm is publishing data about the increase in attacks in hopes it will expose hackers' techniques and enable likely targets to effectively boost security. "Our main goal in publishing this info is to expose these attack tools and infrastructure and to make them redevelop everything."


In addition to targeting Windows systems, the group behind Scarlet Mimic has recently begun using malware that infects Android devices and Apple’s Mac OS X.

In most cases, the attackers use spear-phishing e-mails with a malicious attachment to compromise the systems of targeted individuals. People who open the attachments inadvertently install a variant of a previously known Windows backdoor, dubbed FakeM; the attachments typically exploit a previously disclosed software vulnerability to do so.

One of the decoy images that Palo Alto recovered included an image comparing Russian President Vladimir Putin to Adolf Hitler.