On Sunday, the Electronic Frontier Foundation (EFF) published a report on a recent phishing campaign targeting its staffers. According to the foundation, analysis of the malware and the origins of the messages ties them to "what appear to be state-aligned actors."
The campaign started on December 20. Two EFF staffers were sent emails from someone inviting them to a conference in Asia, and encouraging them to click links for additional information.
The emails were sent by "Andrew Oxfam", yet the links within the messages pointed to pages hosted on Google Drive, raising red flags within an organization that tracks targeted attacks against journalists and activists. The emails also contained attachments, which were treated as suspect given the questionable links.
The targeting method, the EFF notes, is interesting because it "demonstrates some understanding of what motivates activists."
"Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels."
In addition to the EFF, the email was also sent to an Associated Press reporter and a Vietnamese blogger. The choice of recipients, together with the Vietnamese indicators in the message and malware, is what leads the EFF to make the link to "state-aligned actors."
The malware in the messages had a low detection rate on VirusTotal, with only one out of forty-nine AV engines detecting it as malicious.
According to the blog post, Vietnam's spying campaign can be traced as far back as 2010. It was then that engineers at Google issued a report about malware targeting Vietnamese computer users. Reports from the time noted that the infected systems were used to spy on their owners, as well as to launch DDoS attacks against known dissident websites. Since then, the Vietnamese government has gone after anti-government bloggers (the nation's only independent media representatives), placing several of them in jail for their work. However, the group behind this most recent attack seems to have been operating since 2009, mostly targeting Vietnamese dissidents.
"EFF is greatly disturbed to see targeted malware campaigns hitting so close to home. While it is clear that this group has been targeting members of the Vietnamese diaspora for some time, these campaigns indicate that journalists and US activists are also under attack. And while longtime activists and journalists might expect to be targeted by a state they regularly criticize, it appears that a single blog post is enough to make you a target for Vietnamese spying."