China Launches Watering Hole Attacks on Political Dissidents

China is said to be using a new watering hole attack technique to monitor political dissidents, including those running VPNs and Tor to bypass the Great Firewall.

AlienVault’s chief scientist, Jaime Blasco, has uncovered that the attack exploits JSONP hijacking to track users in China, especially via NGO, Uyghur and Islamic websites—groups that the central government has targeted since at least October 2013. The goal appears to be data exfiltration, which can be used to track down, censor or even jail those that disagree with the country’s authoritarian government.

“Imagine if an authoritarian state had a tool to get private information about users visiting certain websites, including real names, cookies, mail addresses, sex, birthdays, phone numbers, etc.,” Blasco said in his research. “Imagine that even users that run TOR or VPN connections to bypass the tools that the authoritarian government uses to block and monitor these websites were exposed to this technique.”

The attack uses a novel technique that hasn’t been seen before with watering hole attacks. Typically, attackers compromise websites used by a targeted group to serve malicious content when users access those affected websites. Typically, attackers gain access to a victim’s system by including an iFrame or JavaScript file from a malicious server to exploit a vulnerability in Internet Explorer, Java or Flash. Sometimes, the attackers use reconnaissance techniques to extract information about software installed on a victim’s machine, or use a JavaScript keylogger to steal credentials.

In this case, the attackers compromise several Chinese-language websites associated with NGOs, Uyghur communities and Islamic associations. They then modify the content of the website and include a JavaScript file from a malicious server. The JavaScript file exploits JSONP hijacking vulnerabilities in more than 15 different Chinese websites, including the top five portals used in China, like Baidu and Taobao, which serve millions of users per day.

Using JSONP requests, the attackers are able to bypass cross-domain policies and collect a user’s private information if the user is logged in to one of the affected services. The JavaScript code then sends the user’s private data collected to an attacker-controlled server.

“JSONP is a widely used technique to make cross-domain JavaScript requests that bypass the same-origin policy,” Blasco explained. “However, bypassing the same-origin policy can lead to information leakage between different origins or domains. This is especially dangerous when JSONP contains user data. Since JSONP requests/responses bypass the same-origin policy, malicious sites can cause victims to make cross-domain JSONP requests and read the private data using the ‘script’ tag.”

Since there is no financial gain on collecting most of the leaked personal data, it’s very likely that whoever is behind these attacks is looking to reveal the identity of the users visiting certain websites. Some of the affected websites are hosted outside of China, web pages belonging to organizations that campaign against the Communist Party, that promote Tibetan and Uyghur causes or independence for Taiwan, as well as sites belonging to the banned religious organization Falun Gong.

“Now imagine that the Chinese government wants to know the real identities of individuals visiting certain websites that are sympathetic to certain causes, people who are exiled, or specific people living abroad even when they use TOR or VPNs,” Blasco said. “In the scenario we have described, this is a reality and has been happening since 2013. Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the Great Firewall.”

The websites should fix the JSONP Hijacking vulnerabilities, and users should be vigilant and follow best practices when browsing the web. For example, do not browse sensitive websites after logging into another website—even in a different tab or window.

This is the third effort that researchers have identified on the part of China to use cyber techniques to menace dissidents. China’s government last Wednesday cracked down on users running VPNs to bypass the Great Firewall. And in April, news broke of China’s Great Cannon, a censorship-focused DDoS tool targeting The New York Times, Chinese Edition and GitHub. 

What’s Hot on Infosecurity Magazine?