I’ve been following reporting on the discovery of a new botnet in Vietnam with interest. McAfee and Google both posted information on the botnet on Tuesday the 30th, and the Wall Street Journal, Washington Post and New York Times all ran pieces on the phenomenon yesterday. Collectively, they offer an insight into just how difficult it is to report about internet abuse, hacking and “cyberwar”.
George Kurtz, CTO of McAfee, offered the most detailed technical report. McAfee has been investigating “Operation Aurora”, the attack on Google and other US companies that provoked Google to discontinue its google.cn search engine and redirect Chinese users to its uncensored Hong Kong engine. In the course of investigating these attacks, Kurtz reports, McAfee discovered an apparently unrelated and unconnected botnet controlled by computers in Vietnam and apparently spread via a Vietnamese-language keyboard driver.
Vietnamese is a language that uses a complex set of diacritic marks to distinguish between characters and signify tone. To type in Vietnamese, you need a keyboard driver (an input method that sits between the keyboard and every application) that can associate certain key combinations with the appropriate Unicode characters. Many Vietnamese speakers use VPSKeys, a driver that’s been distributed by the Vietnamese Professional Society, a group dedicated to connecting Vietnamese professionals in the diaspora. According to Kurtz, the Windows driver distributed by VPS has been compromised – if you download and install it, you’ll end up installing a set of trojan horse programs that will hijack your machine and enlist it in a botnet that appears to be controlled from within Vietnam.
Kurtz is clear that he doesn’t think VPS is intentionally distributing malware. Instead, “We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam.” Writing for Google’s security team, Neel Mehta goes further: “These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.”
Mehta’s statement helped me figure something out that’s troubled me for a couple of years now. I’ve been fortunate enough to work with Vietnamese activists and dissidents in the US, and am aware of sophisticated attacks on people who’ve attracted the attention of the security forces. Some of these attacks have succeeded in accessing encrypted texts, including a text encrypted with PGP. We suspected that security forces weren’t breaking PGP (duh), but had physically accessed people’s computers (quite common in Vietnam), copied PGP private keyrings and installed keyloggers that captured users’ passphrases. I’m now inclined to think that the attack might have been much simpler – had someone compromised an earlier version of a Vietnamese-language keyboard driver, they could have easily inserted keylogging code and routines that sought out PGP keyrings.
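To make concrete why a keyboard driver is such a convenient place to hide a keylogger, here is an added example, written for this post and not taken from VPSKeys, from McAfee’s report, or from the trojan itself. It implements a subset of the Telex input rules (aa → â, ow → ơ, dd → đ, and the five tone keys s/f/r/x/j) as a composer that receives one raw key at a time, exactly as an input method must, and exposes a hypothetical `tap` hook that is shown every key before composition. Where the tone mark lands is simplified (last vowel typed so far); everything else, the hook and the sample keystroke strings included, is constructed for illustration.

```python
import unicodedata

# Telex rules, a subset: a second key reshapes the preceding letter ...
SHAPES = {
    "a": {"a": "\u0302", "w": "\u0306"},   # aa -> â, aw -> ă
    "e": {"e": "\u0302"},                  # ee -> ê
    "o": {"o": "\u0302", "w": "\u031b"},   # oo -> ô, ow -> ơ
    "u": {"w": "\u031b"},                  # uw -> ư
}
# ... and a tone key puts a tone mark on the syllable's vowel.
TONES = {"s": "\u0301", "f": "\u0300", "r": "\u0309", "x": "\u0303", "j": "\u0323"}
VOWELS = set("aeiouy")


def render(letter, shape="", tone=""):
    """Base letter + shape mark + tone mark -> the precomposed Unicode character.
    NFC canonically reorders the combining marks and composes, e.g. e + ^ + dot-below
    becomes U+1EC7 (ệ)."""
    return unicodedata.normalize("NFC", letter + shape + tone)


class TelexComposer:
    """Keystroke-by-keystroke Telex composer. Simplification: the tone goes on the
    last vowel typed so far, which is not always where full Telex would place it."""

    def __init__(self, tap=None):
        self.syllable = []    # [letter, shape_mark, tone_mark] per letter of the word in progress
        self.committed = []   # text already handed on to the application
        # `tap` is a hypothetical hook standing in for whatever a trojaned driver
        # might add: it is called with every raw key before any composition happens.
        self.tap = tap

    def feed(self, key):
        if self.tap is not None:
            self.tap(key)
        if not key.isalpha():          # space, digit, punctuation: ends the syllable
            self._flush()
            self.committed.append(key)
            return
        low = key.lower()
        if self.syllable:
            letter, shape, _tone = self.syllable[-1]
            base = letter.lower()
            if base == "d" and low == "d":                    # dd -> đ / Đ
                self.syllable[-1][0] = "\u0110" if letter.isupper() else "\u0111"
                return
            if not shape and base in SHAPES and low in SHAPES[base]:
                self.syllable[-1][1] = SHAPES[base][low]      # reshape the letter
                return
            if low in TONES:                                  # tone on the last vowel
                for slot in reversed(self.syllable):
                    if slot[0].lower() in VOWELS:
                        slot[2] = TONES[low]
                        return
        self.syllable.append([key, "", ""])   # plain letter, nothing to transform

    def _flush(self):
        self.committed.extend(render(*slot) for slot in self.syllable)
        self.syllable = []

    def text(self):
        self._flush()
        return "".join(self.committed)


def type_text(keys, tap=None):
    """Feed a string of raw keystrokes through the composer; return the Vietnamese text."""
    composer = TelexComposer(tap=tap)
    for key in keys:
        composer.feed(key)
    return composer.text()


if __name__ == "__main__":
    seen = []                                            # everything the hook was shown
    print(type_text("Vieetj Nam", tap=seen.append))      # Việt Nam
    print(type_text("Khoosi 8406", tap=seen.append))     # Khối 8406
    print(type_text("Ddoongj", tap=seen.append))         # Động
    # Constructed passphrase: it travels the same path as any other text, and the
    # composer has no way of knowing that a PGP prompt is the window receiving it.
    print(type_text("correct horse battery", tap=seen.append))
    print("raw keys seen by the hook:", "".join(seen))
```

The point of the `tap` argument is where it sits: before the composer decides what a key means, and without any notion of which application or dialog has focus. Anything wired in there sees passphrases, URLs and search terms as plainly as it sees Vietnamese prose, which is why a trojaned input method is a far cheaper route to PGP passphrases than physical access to the machine.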
Both the Washington Post and Wall Street Journal connect the Vietnam attacks to silencing political dissent about a Chinese mining project in Vietnam. There’s good circumstantial evidence for this – bauxitevietnam.info has been attacked in the past and blogger Nguyen Ngoc Nhu Quynh – aka Me Nam – was arrested last year in conjunction with her activities in opposition to the mine.
But it seems possible to me that what’s going on is more complex and sinister than just a denial of service attack. There’s no particular reason to harness the computers of Vietnamese-speaking users to launch a DDoS attack – there are existing, robust botnets that can be rented to attack whatever site you’d like. (I suppose a botnet built of Vietnam-based and diasporan users would be particularly effective at hitting targets within Vietnam… but bauxitevietnam.info was registered to a group in Hong Kong and there’s no reason to believe dissidents would be foolish enough to host an anti-government site within Vietnam.) But being able to intercept communications from anyone writing in Vietnamese and search for key phrases like “Khối 8406” would be a dream for a government with a long track record of tracking and harassing dissenters.
Here’s the problem – it’s almost impossible to know what’s actually going on. The ability to log user keystrokes isn’t just helpful for repressive governments – it’s a terrific tool for stealing banking passwords or other sensitive information. The Vietnam trojan could have been ordered by a government department, outsourced to private hackers to build and deploy… or engineered by enterprising criminals who saw an opportunity to infect a set of users through a vulnerability in VPS’s server… or created by a group of nationalist Vietnamese hackers operating independently of the government… and so on.
What’s scary about “cyberwar” – as far as I’m concerned – isn’t nightmare scenarios of nations shutting down each other’s electrical grids as a “force multiplier”. (This excellent op-ed from Marcus Ranum points out that some of these fears are a function of sloppy reporting and thinking that blurs the lines between hacking as prank, as crime and as military attack.) It’s the difficulty of figuring out whether a particular incident should be thought of as criminal or political activity. The appropriate response to state-led political/military actions (censure, sanction, etc.) is useless if the attack was criminal in nature, and vice versa.
Obviously, governments who decided to engage in cyberattacks would do their best to disguise them as criminal activity. This example suggests to me just how effective this disguise can be – as much as I worry about the government of Vietnam’s human rights record, it’s not hard for me to spin a scenario where this is a criminal attack, not a state-based one.
I hope that McAfee and others will release more information as they learn about the details of the trojan. If this turns out to be explicitly designed to spy on communications, it will be a fascinating development in the world of internet surveillance.