The Inside Agenda Blog

China-based journalists targeted with malware in a sophisticated online attack

by Mike Miner Sunday September 27, 2009

Journalists based in China have been targeted by a recent wave of malware attacks. The attacks focus on employees of media organizations, including Reuters, Dow Jones, and Agence France Presse, and rely on emails carrying malicious attachments, with both the message and the attachment carefully constructed to trick even spam-wary journalists into opening the file and running the malware.

According to a report by Information Warfare Monitor, a research organization started by the University of Toronto's Citizen Lab and the Ottawa-based think tank The SecDev Group, the attacks coincide with reports of heightened security measures tied to the 60th anniversary of the founding of the People's Republic of China.

The report, published this morning, collects the information researchers assembled while poring over the malicious email and its PDF attachment. PDF is a format commonly used to email documents, so an attachment in that format is one a recipient would not hesitate to open.

The people targeted were local Chinese employees of foreign correspondents. They received an email, apparently from a Straits Times editor named Pam Bourdon, with a PDF attachment. When opened, the PDF triggered malicious code that dropped malware onto the targeted computer. Terrible English and a near absence of grammar used to be easy giveaways for spam, but these emails were written at a much higher level: not flawless, but good enough to get past someone who speaks English as a second language, and even some native speakers. The report also says that both the recipient list and the content of the PDF, a list of people the purported journalist wanted to interview, helped make the email appear legitimate.

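The attack chain described above, a PDF that runs code as soon as it is opened, is the first thing an analyst looks for when triaging a suspicious attachment. The Python script below is an added example, not code from this post or from the Information Warfare Monitor report, and it does not claim to know which technique the "Interview list.pdf" sample used; the report only says that opening it activated malicious code. It scans a PDF for the name objects that tie an automatic trigger (/OpenAction, /AA) to something executable or droppable (/JavaScript, /JS, /Launch, /EmbeddedFile), undoing the #xx hex escapes attackers use to hide those names from naive string matching. The two sample documents are constructed for the demo, and the keyword lists and the "trigger plus payload" rule are this example's own heuristics.

```python
"""Static triage of a PDF attachment for "runs code when opened" features.

Added example; not code from the original post or the Information Warfare
Monitor report. The keyword lists, the trigger-plus-payload rule and the two
sample PDFs below are this example's own constructions.
"""
import re

# Names that make a viewer act without the user clicking anything.
TRIGGER_NAMES = {"/OpenAction", "/AA"}
# Names that give such a trigger something to run, launch or drop.
PAYLOAD_NAMES = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}
# Objects packed into compressed object streams are invisible to a raw byte
# scan, so /ObjStm means the counts below may be incomplete.
HIDING_NAMES = {"/ObjStm"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME = re.compile(rb"/([^\s/\[\]<>(){}%]*)")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so /J#53 and /Open#41ction match /JS and /OpenAction.

    Applied to the whole buffer, which is acceptable for keyword counting even
    though '#' can also occur inside binary stream data.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count every name object in the normalized document."""
    counts = {}
    for m in _NAME.finditer(normalize_names(data)):
        name = "/" + m.group(1).decode("latin-1")
        counts[name] = counts.get(name, 0) + 1
    return counts


def triage_pdf(data: bytes) -> dict:
    """Return the risky names found and a verdict.

    The verdict is deliberately narrow: an automatic trigger *and* a payload
    name together. A bare /JavaScript (form validation) or a bare /OpenAction
    (jump to page 1) is common in benign documents.
    """
    counts = count_names(data)

    def pick(names):
        return {n: counts[n] for n in sorted(names) if n in counts}

    triggers, payloads = pick(TRIGGER_NAMES), pick(PAYLOAD_NAMES)
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "triggers": triggers,
        "payloads": payloads,
        "hiding": pick(HIDING_NAMES),
        "suspicious": bool(triggers) and bool(payloads),
    }


# Constructed sample: a minimal one-page document with nothing executable.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the catalog's open action points at a JavaScript
# action, with both names hex-escaped the way real samples hide them.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /#4AS (app.alert('interview list')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

Run it as-is to see the verdict for both samples. The scan reads only what is visible in the raw bytes: objects inside compressed object streams or Flate-encoded streams are not seen, which is why /ObjStm is reported separately as a sign that the counts may be incomplete and the file should be decompressed with a dedicated tool such as pdf-parser or peepdf before a clean result means anything.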
The Information Warfare Monitor says:

The email sent to the foreign correspondents from "Pam" appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf”, is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum's release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.

Once the malware is on a computer, the attackers can read and exfiltrate whatever is stored on it. In one earlier case, malware implanted on computers in the office of the Dalai Lama copied and sent out documents, and could also turn on webcams and stream video and audio from the offices.

At this point, researchers have not been able to decipher the traffic passing between the infected computers and the servers the malware reports to.

The report states:

The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.

The report states that there is no evidence the Chinese government was behind the attack, though the targeted employees are hired through an agency that reports to the Chinese Foreign Ministry.

"Whether the government is behind it, closes its eyes to it, supports it or has nothing to do with it is unclear," said Nicholas Bequelin of Human Rights Watch in Hong Kong, commenting on the attacks to Reuters. "There are also patriotic hackers, so there is no way to know for sure who is behind it."

The report goes on:

Considering that the contact information of these assistants was not publicly known, but was known to China's Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.