* Expert says may be effort to spy on human rights experts
* Hackers use two-stage campaign known as "water hole" attack
* They exploit Java bug to infect Windows PCs, Macs
By Jim Finkle
BOSTON, Aug 12 A prominent computer security firm warned that the Dalai Lama's Chinese-language website has been hacked and is infecting visitors' computers with viruses in what may to be an effort to spy on human rights activists who frequently visit the site.
Kaspersky Lab researcher Kurt Baumgartner told Reuters on Monday that he is advising web surfers to stay away from the Chinese-language site of the Central Tibetan Administration, or CTA, until the organization fixes the bug. He described the attack on his company's blog:
Technical evidence suggests the group behind the campaign was also responsible for previous breaches on that site as well as attacks on groups that focus on human rights in Asia, Baumgartner said.
Those breaches involved a two-stage attack technique known as "water holing," where hackers first infect a site that is frequently visited by people whose computers they want to control. That compromised site automatically seeks to infect the PCs of all visitors, downloading malicious software that the hackers can use to take control of their computers.
Officials with the Office of Tibet in New York could not be reached for comment. That office is the official representative to the United States for the Dalai Lama, Tibet's 78-year-old exiled spiritual leader, who fled China to India in 1959 after an abortive uprising against Chinese rule.
Beijing considers the globe-trotting monk and author a violent separatist and Chinese state media routinely vilify him. The Dalai Lama, who is based in India, says he is merely seeking greater autonomy for his Himalayan homeland.
Baumgartner said that the Chinese-language site of the Central Tibetan Administration, which is the official organ of the Dali Lama's government in exile, has been under constant attack from the same group of hackers since 2011, though breaches have been quietly identified and repaired before garnering significant attention.
SAME GROUP OF ATTACKERS
"They have been trying repeatedly to find vulnerabilities in the site," he said.
He said that it is safe to visit the group's English and Tibetan sites.
He said he believes the same group of attackers has repeatedly infected the site with malicious software that automatically drops viruses on computers running Microsoft Corp's Windows and Apple Inc's Mac operating systems.
They infect machines by exploiting security bugs in Oracle Corp's Java software, he said. An Oracle spokeswoman had no immediate comment.
That gives them "back doors" into those computers. "This is the initial foothold. From there they can download arbitrary files and execute them on the system," Baumgartner said.
Will Gragido, a researcher with the RSA security division of EMC Corp who is an expert on water holing, said the attack on the Tibetan site had the look of a type of campaign known as an "advanced persistent threat," or APT.
In some cases APTs are launched through tainted emails. In others this is done through "water holes," which are named after specific locations that lions stake out to attack their prey, rather than traveling the wild to hunt them out.
"The CTA is a site most people are not going to traverse," Gragido said. "They are less likely to see my grandmother traversing that site than they are somebody with a vested interest in seeing what's going on in Tibet."
In March of last year, the cybersecurity firm AlienVault Labs reported that it identified cyber attacks on Tibetan organizations including CTA and the International Campaign for Tibet.
AlienVault said those attacks were engineered by a Chinese APT group also responsible for the "Nitro" attacks on dozens of companies identified by Symantec Corp in 2011.
The report of the cyber attack is the latest to involve human rights groups in greater China.
Human rights groups and other NGOs focused on China were hit by denial of service attacks that disrupted their websites and several said their emails were infiltrated during a spate of cyber attacks attributed to China in 2010 and 2011.