Chinese Hackers Spread Fake Chinese-Hacker Report
Chinese airmen during a full-military-honors arrivals ceremony at the ministry of defense in Beijing in July 2000.
CREDIT: Linda D. Kozaryn/U.S. Department of Defense
Whenever there's a good news story, an online criminal is bound to try to exploit it.
So it is with Mandiant's bombshell report Tuesday (Feb. 19), which drew a clear line between attacks on Western companies and the Chinese military, and made the front page of The New York Times.
Two different fake versions of the Mandiant report were spotted today, each of which tries to infect the reader with malware. One has links to previous attacks on Tibetan dissidents, presumably carried out by Chinese state-sponsored hackers.
Symantec's Joji Hamada reported that an email showed up bearing a PDF attachment purporting to be a Japanese-language version of the report.
"Like in many targeted attacks, the email is sent from a free email account and the content of the email uses subpar language," Hamada wrote. "It is obvious to a typical Japanese person reading the email that it was not written by a native speaker."
When opened, the PDF triggers a sophisticated Adobe Reader exploit discovered last week and patched by Adobe yesterday. That exploit opens up the door to all sorts of malware infections, but, surprisingly, nothing is installed.
"Could the Comment Crew [the Chinese group singled out in Mandiant's report] be playing a prank in response to the publication or did someone just make another careless mistake in performing the attack as is the case for so many of these targeted attacks?" Hamada wondered. "The truth is we don't know."
Shortly after Hamada posted Symantec's findings, 9b+ security researcher Brandon Dixon said he'd found a different fake Mandiant report, this one in English and apparently coming from India.
Dixon's fake PDF exploited an older flaw in Adobe Reader, dating from 2011, and installed malware that tried to connect to a server previously used in attacks on Tibetan dissidents.
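As an added defender-side example (not code from the article, Symantec, or 9b+): a static first-pass triage of an emailed PDF "report" that flags active content such as JavaScript wired to an open-document action, one common shape of PDF exploit lures, and undoes the `#xx` name escaping used to hide such keywords. The two sample PDFs are constructed here; the function names are this example's own.

```python
import re

# Keywords that mark active content in a PDF. Their presence is not proof of
# malice, but a "report" that carries them belongs in a sandbox before a reader.
RISKY_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                  b"/EmbeddedFile", b"/RichMedia", b"/XFA")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript),
    a trick used to keep keywords out of naive scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Static triage of a PDF attachment: keyword hit counts plus a verdict."""
    if not data.startswith(b"%PDF-"):
        return {"verdict": "not-a-pdf", "hits": {}, "auto_exec": False}
    text = normalize_names(data)
    hits = {}
    for kw in RISKY_KEYWORDS:
        # The keyword must end where the name ends (/JS must not match /JSX).
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[kw.decode()] = n
    # Script plus an action that fires on open is the classic exploit-lure shape.
    auto_exec = ("/OpenAction" in hits or "/AA" in hits) and \
                ("/JavaScript" in hits or "/JS" in hits)
    if auto_exec or "/Launch" in hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "auto_exec": auto_exec}

# Constructed samples: a plain one-page PDF and a lure with an escaped
# JavaScript action that runs as soon as the document is opened.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
LURE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS (app.alert('report')) >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(name, triage_pdf(pdf))
```

A "suspicious" or "review" verdict is a cue to detonate the file in an isolated reader, not a classification on its own; exploits against parser bugs can also arrive in PDFs with no scripting keywords at all.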
The real Mandiant report was less noteworthy for what it said — it's not news that Chinese hackers have been attacking Western targets — than for how it said it.
Mandiant researchers traced one of the most notorious Chinese hacking crews, the Comment Group or Comment Crew, to a nondescript building on the outskirts of Shanghai staffed by a special unit of China's People's Liberation Army.
Mandiant didn't make an airtight case, but it built up a solid mass of evidence and pretty well ruled out most other possibilities. That's about as good as it gets when hackers can hide behind proxy servers and hijacked websites.
The Chinese government strenuously denies the allegations.