The Chinese Digital Times (CDT) became the latest victim of a phishing campaign targeting websites that report on issues sensitive to the government of the People’s Republic of China, according to a report from the research group the Citizen Lab.
The report also found that other Chinese language sites—Mingjing News, Epoch Times, HK01, and Bowen Press—were targeted but not directly attacked. All of these websites are blocked in China because their reporting attempts to unmask government corruption. Although the attacks were conducted against websites focused on geopolitical issues related to China, the report could not conclusively attribute the hacking campaign to a particular group or state sponsor.
A journalist at the CDT first noticed the site was under attack upon receiving an email claiming to offer a tip on a sensitive story. The email included a link to an article published on the site. When the journalist clicked the link, what appeared to be the CDT website loaded, along with a prompt designed to look like a WordPress login page.
Normally the journalist would use that login to access the site, but this pop-up was designed to steal journalists’ usernames and passwords. To lure journalists into the trap, the attackers registered look-alike domain names and built imitation websites that mimicked CDT perfectly, aside from a few lines of Java code.
The journalist who received the email became suspicious immediately and contacted the Citizen Lab. The subsequent investigation found that the phishing was part of a wider campaign against CDT that also used reconnaissance and malware to disrupt the site’s operations. The attackers had also widened their targeting, creating decoy websites for Mingjing News, Epoch Times, HK01, and Bowen Press that almost exactly copied the real sites.
The Citizen Lab also found that the infrastructure used in the campaign against CDT resembles previous malware operations targeting Tibetan journalists and the Thai government.
These attacks are not isolated to Chinese-language websites. In the past few years, the New York Times, the Wall Street Journal, and the Washington Post have each reported that China-based operators intruded upon their networks. In each incident, investigators suspected that the hackers were Chinese government-sponsored operators aiming to disrupt reporting on China-related issues.
The Citizen Lab found that the attackers behind the CDT campaign have been mimicking Chinese-language news sites with fake domains and copied content as lures for phishing operations since at least 2015. The phishing campaign against CDT lasted 20 days; during that period, the hackers identified vulnerabilities in the site’s security and built a decoy intended to discredit the real website.
Now that this campaign has been uncovered, the Citizen Lab predicts the group has moved on to another news site that is not prepared for an attack.