Exposing the Internet’s shadowy assailants
by Danny O’Brien
For the past decade, those who used the Internet to report the news might have assumed that the technological edge was in their favor. But online journalists now face more than just the standard risks to those working in dangerous conditions. They find themselves victims of new attacks unique to the new medium. From online surveillance of writers through customized malicious software to “just in time” censorship that can wipe controversial news sites off the Internet at the most inconvenient moment, the online tools to attack the press are getting smarter and spreading further.
Attacks on the Press: 2010
In March, Andrew Jacobs, a correspondent working for The New York Times in Beijing, peered for the first time into the obscure corners of his Yahoo e-mail account settings. Under the “mail forwarding” tab was an e-mail address he had never seen before. That other e-mail address had been receiving copies of all of his incoming e-mails for months. His account had been hacked.
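The forwarding rule Jacobs found is a classic sign of mailbox compromise: the attacker does not need to log in again once every incoming message is silently copied elsewhere. The following added example (not code from CPJ, Jacobs, or Yahoo) shows how a newsroom could audit exported forwarding rules for exactly this pattern. It assumes the rules have already been pulled out of the mail provider into simple records; the sample rules and the `example-newsroom.org` allow-list are constructed for illustration.

```python
"""Audit mailbox auto-forwarding rules for signs of account compromise.

Added example, not the page's own code. It assumes forwarding rules
have been exported from the mail provider into ForwardingRule records;
the sample rules and trusted domain below are constructed, not real.
"""
from dataclasses import dataclass


@dataclass
class ForwardingRule:
    mailbox: str      # account whose incoming mail is being copied
    forward_to: str   # destination address the copies are sent to
    keep_copy: bool   # True if the owner still receives the message,
                      # i.e. the copy is invisible to them day to day


# Assumed allow-list: domains the newsroom itself controls.
TRUSTED_DOMAINS = {"example-newsroom.org"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding(rules, trusted_domains=TRUSTED_DOMAINS):
    """Return (mailbox, destination, reason) for every suspicious rule.

    A rule is suspicious when it sends mail outside the trusted domains.
    Rules that keep a copy for the owner are called out separately, since
    those are the ones a victim never notices without opening the settings.
    """
    findings = []
    for rule in rules:
        destination = domain_of(rule.forward_to)
        if destination in trusted_domains:
            continue  # forwarding inside the newsroom is expected
        reason = "forwards to external domain " + destination
        if rule.keep_copy:
            reason += "; owner still receives mail, so the copy is silent"
        else:
            reason += "; owner's mail is diverted entirely"
        findings.append((rule.mailbox, rule.forward_to, reason))
    return findings


# Constructed sample export: one benign internal rule, one silent copy
# to an outside webmail account, one wholesale diversion.
SAMPLE_RULES = [
    ForwardingRule("reporter@example-newsroom.org",
                   "archive@example-newsroom.org", True),
    ForwardingRule("editor@example-newsroom.org",
                   "editor.backup@webmail-example.net", True),
    ForwardingRule("desk@example-newsroom.org",
                   "desk.personal@freemail-example.com", False),
]


if __name__ == "__main__":
    for mailbox, forward_to, reason in audit_forwarding(SAMPLE_RULES):
        print(f"{mailbox} -> {forward_to}: {reason}")
```

Run against a real export, the silent-copy findings are the ones to act on first: the owner has no day-to-day signal that anything is wrong, which is why Jacobs' rule survived for months.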
Jacobs’ experience as a journalist in China is not unusual. Over the past two years, other members of the Foreign Correspondents’ Club of China (FCCC) have been the victims of a series of targeted computer hacks. In 2009, carefully crafted e-mails from an elaborately constructed false identity–“Pam Bourdon,” economics editor of the Straits Times–were sent to their local news assistants via unpublicized e-mail addresses. If the assistants opened an attached document, they were shown exactly what one might expect from the e-mail’s cover explanation–a detailed list of dates that “Bourdon” would be available during a Beijing visit. Simultaneously, a hidden program capable of taking over and spying on the recipient’s computer would launch. Control of the assistant’s computer–and that of anyone who opened the forwarded document–would pass to remote servers controlled by unknown parties.
In early 2010, Jacobs and FCCC members suffered another series of hacking attacks on their Yahoo Web-based e-mail accounts. After revealing these attacks in April, the FCCC found its own website brought down in a distributed denial-of-service (DDOS) assault, a form of censorship by information overload in which hundreds of thousands of computers are coordinated to send or demand data from a single website, causing its connection to the Internet to choke or its server to crash. The attacking computers are part of a “botnet,” ordinary home computers that have been taken over using malware just like the one installed by the Pam Bourdon e-mail, and remotely controlled en masse from afar.
When CPJ exchanged e-mails with Jacobs later in the year, he seemed philosophical about the degree of surveillance in which he and his Beijing colleagues worked. “Yes, I feel vulnerable,” he wrote, “but I’ve always assumed my e-mail was being read and that my phones are tapped. … It’s most unfortunate and creepy, but to be honest you just get used to it and communicate accordingly.”
Surveillance and online censorship interfere with the work of international journalists, but they are direct threats to the lives and liberty of local reporters worldwide. Illegal online surveillance has led to the incarceration of dozens of local journalists, most notably the Chinese editor Shi Tao, whose Yahoo e-mail activity was used as evidence in 2005 to sentence him to 10 years’ imprisonment on antistate charges. Roughly half the people on CPJ’s 2010 census of imprisoned journalists conducted their work online, either as independent writers or as editors of Internet news sites.
The Chinese government has traditionally monitored foreign journalists very closely, from their electronic activity to their phone calls and movements. The state employs the world’s most sophisticated technology to watch and suppress its citizens. But governments with lesser reputations for understanding technology are now using increasingly sophisticated tools. During the 2009 election protests in Iran, Western commentators emphasized how Internet-savvy the protesters were, drawing an implicit contrast to the regime. But when Newsweek reporter Maziar Bahari was arrested and tortured in Evin Prison, his interrogator was quick to demand his Facebook and e-mail passwords to comb through for contacts. In December of that year, The Wall Street Journal reported that Iran had created a 12-member military unit to track people “spreading lies and insults” about the regime online.
Iranian journalists working in Europe have reported hacking attacks similar to those detailed by Jacobs and the FCCC. One exiled journalist described receiving threats containing details that could only have been collected from authorities intercepting instant-message conversations. Another, Manuchehr Honarmand, exiled editor of the website Khandaniha, told the National Journal that his website had been disabled three times by hackers. Omid Habibinia, who worked for the BBC Persian service and state-run Islamic Republic of Iran Broadcasting, had fake Facebook accounts created in his name, in order, he believed, to deceive his sources into communicating with their opponents.
The breadth and variety of online attacks on reporters in 2010 demonstrate that they were not the exclusive domain of governments willing or able to spend millions on military cyber-commands. Even the poorest of authoritarian states were able to marshal, or at least benefit from, sophisticated, high-tech attacks against independent media.
The most straightforward of cyber-attacks is government-mandated online censorship: the nationwide blocking of media websites. This practice, long established in countries such as Iran and China, has now spread to countries with some of the smallest Internet usage rates in the world. In May, Rwanda’s two primary Internet service providers blocked the online version of the tabloid Umuvugizi, the first time the country had blocked any website, according to the Rwandan news agency RNA. The country’s Media High Council–which had banned the print edition of the paper, known for its critical coverage of the government–also ruled that publishing Umuvugizi online was unlawful. Afghanistan joined the league of countries censoring their citizens’ Internet connections with a law passed in June; it quickly began blocking not just the “immoral” sites that the law had singled out, but independent news outlets such as Benawa. A Pashto-language site, Benawa was blocked after it incorrectly reported that the first vice president, Mohammed Qasim Fahim, had died. (The site corrected the error within a half-hour.) According to the International Telecommunication Union, or ITU, only 4.1 percent of Rwanda’s inhabitants use the Internet; in Afghanistan, the figure is less than 3.5 percent.
Individual Internet access is almost nonexistent in Burma, one of the world’s most censored countries, but Internet cafés are very popular. A 2008 CPJ report found that Internet café users were routinely circumventing government blocks to visit banned news sites run by exiled journalists. Now, the government appears to be stepping up high-tech attacks on these exile-run news sites. Three exile outlets–Irrawaddy, the Mizzima news agency, and the Democratic Voice of Burma–came under DDOS attacks in September, coinciding with the anniversary of the 2007 Saffron Revolution, a series of anti-government protests led by Buddhist monks that was eventually quashed by military force. The attacks recalled earlier efforts but far exceeded them in force, Irrawaddy editors told CPJ. The exact origin of the DDOS attacks was unclear, but the effects were not. The exile-run sites, which traditionally provide some of the best firsthand information from the severely restricted nation, were being blocked not just from Burmese audiences but from international viewership as well.
In Vietnam, more than a quarter of the relatively youthful population was online in 2010, according to ITU data. The country’s communist government has made Internet control one of its priorities, and the sophistication of surveillance and attacks on Vietnamese online media now rivals that of any nation in the world, including China. Websites covering news of the Vietnamese government’s bauxite mining policies–a controversial issue because of potential ecological damage and the involvement of Chinese companies–were taken offline in early 2010 by DDOS attacks. The thousands of computers used in this attack were controlled by a large domestic botnet of computers infected by a specific kind of malware. Researchers at Google and McAfee, a computer security company, uncovered the source of this infection. A blog post by McAfee’s CTO, George Kurtz, described a Trojan concealed in the software downloaded by many Vietnamese residents to allow them to enter native text accents when using Windows computers.
In February, CPJ reported on a direct hacking attack that took down the Vietnamese news site Blogosin. The site’s editor, Truong Huy San, who also used the name Huy Duc, soon posted a message on a newly created home page to say that he would stop blogging to focus on personal matters. The attack occurred on the same day as the trial and conviction of Tran Khai Thanh Thuy, a writer and editorial board member of the online magazine To Quoc. (Thuy was sentenced to three and a half years.) The e-mail accounts of two other bloggers, Pham Thi Hoai and Huy Duc, were hacked at the same time, Human Rights Watch reported.
Can governments like Burma and Vietnam really commandeer and coordinate such elaborate methods of silencing online voices? It is difficult, if not impossible, to trace the true origins of DDOS attacks, the targeted hacking of websites, and even the final destination of secretly forwarded e-mails. Just as the Internet’s decentralized and interconnected systems allow journalists to speak anonymously and preserve the anonymity of sources, they can also misdirect and shroud the location of malicious actors. The best that advocates can do to trace these attacks is deduce their originators from the nature of the target.
When Google revealed in January 2010 that it had experienced a serious security breach–and simultaneously announced that it was ceasing to censor search results on its Chinese search engine–the company implied that Chinese authorities were behind the events. The clue to that connection was in the nature of the targets. Google said that it had “evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” That pointed to Chinese state involvement, even though some of the “command-and-control” computers involved in directing the attacks turned out to be based in Taiwan.
Did the Chinese military or intelligence services target Google, one of the largest technology companies, and then cheekily use stolen computer access on Taiwanese turf for the task? Do the Burmese authorities plan an annual attack on exile media, and then illegally invade computers in India to do the deed, as the logs recorded by Mizzima indicated?
Ronald Deibert and Nart Villeneuve of the University of Toronto’s Citizen Lab, in partnership with computer security consultants at the SecDev Group, have conducted some of the most detailed postmortems of online attacks on the press, including the malware sent to Chinese foreign correspondents, and a forthcoming examination of Burma’s DDOS incidents. Their academic work firmly states that they cannot connect such events directly to the Chinese or Burmese states. Deibert says the evidence they have collected does show, however, that both attacks utilized techniques and strategies common to petty cyber-criminals, including individual “hackers” who work simply for the thrill of bringing down a highly visible but vulnerable target.
Villeneuve believes that the connection between the operators of these attacks and the regimes that benefit from silencing or intimidating the press doesn’t need to be explicit to be useful to both parties. “My sense is that these criminal operations don’t always have an interest in repressing free speech,” he told CPJ, “but they could see it as advantageous to be on good terms with the state. It’s quid pro quo: You attack Tibetan news sites for a while, and perhaps law enforcement will turn a blind eye to you stealing credit cards.”
The world Villeneuve describes is all too familiar to any journalist, online or off, whose beat encompasses an authoritarian state. Governments do not always have to directly silence the media; they can turn a blind eye as criminal organizations or “patriotic” supporters of the regime do their dirty work for them. Both benefit from suppressing a free press; without independent journalists, corruption and complicity between official powers and shadier forces go unchecked.
The Internet is an incredibly powerful tool for journalists working in repressive regimes, but it alone cannot save the press from censorship, surveillance, and abuse. Those who want to shutter the free press are rapidly gaining the resources and the allies they need to take their battle to the online world. Without the counterbalance of technical and logistical support to independent journalists, the Internet may even disproportionately help their opponents.
But advocates can work to mitigate the risk and stop third parties from being enlisted in the abuse.
Ethiopia has a tiny Internet audience, but its government has one of the world’s most oppressive press records. Its security apparatus forced the journalists of the independent newspaper Addis Neger to flee the country before the May 2010 national elections. As it does for hundreds of other exiled journalists, the Internet gave Addis Neger journalists the opportunity to keep publishing and stay in touch with their homeland. But before Addis Neger’s editor, Mesfin Negash, had the chance to create an independent website, he suffered an incomprehensible setback. His Facebook page, containing all of the online contacts that Addis Neger had accumulated, had been deleted by Facebook’s own support staff. For reasons that were never made clear, but could well have involved a coordinated set of complaints by opponents of Addis Neger’s critical government coverage, Facebook had deleted Negash’s account and removed his link to an audience of 3,000 fans in Ethiopia and its diaspora.
After CPJ contacted Facebook to emphasize the importance and legitimacy of Addis Neger’s work, the company restored contact between Negash and his online supporters. Facebook would not explain the deletion except to say it was “a mistake.” Within days, Negash was able to send his readers word of his new online newspaper-in-exile at addisnegeronline.com. It came just in time to report on the May elections.
The battle for a free press online is frequently invisible, even for those involved in the conflict. Andrew Jacobs had no idea his e-mail was being monitored until the day he explored his computer settings. Facebook had no knowledge of the vital role its infrastructure was playing in the battle for a free press in Ethiopia. Similarly, many journalists and bloggers making an unsupported foray onto the Internet may have no idea of the threats facing them. CPJ and other advocates have to ensure that journalists are aware of this new generation of attacks–and that everyone knows what they can do to help.
Danny O’Brien is CPJ’s San Francisco-based Internet advocacy coordinator. He blogs at cpj.org/internet.