Online attacks aimed at Vietnamese activists, says Google

Google says it’s detected cyberattacks targeting opponents of a Chinese-backed bauxite mining project in Vietnam.

The malware targeted users around the world who were downloading a Vietnamese keyboard driver known as VPSKeys – popular with Vietnamese Windows users as it’s needed to insert accents at the appropriate locations when using Windows. 

Once infected, machines join a botnet with command and control systems located around the globe that are accessed predominantly from IP addresses inside Vietnam.

“These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent,” said Neel Mehta of Google’s security team.

“Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.”

The botnet was uncovered by McAfee while investigating Operation Aurora.

“We believe the attackers first compromised, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse.  The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead,” says McAfee CTO George Kurtz.

“The rogue keyboard driver, dubbed W32/VulcanBot by McAfee, connected the infected machines to a network of compromised computers. During our investigation into the botnet we found about a dozen command and control systems for the network of hijacked PCs.”

Kurtz suggests the attackers may be linked to the Vietnamese government. The bauxite mining project, run in conjunction with a state-run Chinese company, has attracted heavy local criticism over fears about environmental risks and an influx of Chinese labour.