Advanced Persistent Threat Campaign Targeting Journalists and Human Rights Workers in Tibet, Hong Kong and Taiwan

BURLINGTON, Mass., April 18, 2016 – Arbor Networks Inc., the security division of NETSCOUT (NASDAQ: NTCT), today released a new Threat Intelligence Report from Arbor’s Security Engineering & Response Team (ASERT) that reveals recent ongoing Advanced Persistent Threat (APT) activity likely associated with long-running threat campaigns against members of the Tibetan community, along with journalists and human rights workers in Hong Kong and Taiwan.

A tool to exploit the victims, dubbed the Four Element Sword Builder, is being used to weaponize Microsoft Office documents for use in these campaigns.  A sample of twelve different targeted exploitation incidents (taken from a larger set of activity) is described in the threat brief along with newly discovered connections to previously documented threat campaigns.

This recent activity uncovered by ASERT matches pre-existing targeting patterns towards the “Five Poisons” – organizations and individuals associated with perceived threats to Chinese government rule: Uyghurs, Tibetans, Falun Gong, members of the democracy movement and advocates for an independent Taiwan. This targeting scheme, along with various malware artifacts and associated metadata, suggests that the threat actors herein have a Chinese nexus.

Arbor’s goal is to provide insight that enables customers, network operators, Computer Emergency Response Teams (CERTs), forensic and policy analysts, law enforcement and the broader public to understand not only the larger context surrounding dangerous targeted exploitation campaigns, but to also enable efficient incident response and mitigations designed to keep threat actors at bay. In addition, this report can serve to further educate strategic decision makers who are dealing with global threats.

For access to the full ASERT Threat Intelligence Report, please visit the ASERT blog.

For a report on Indicators of Compromise (IOC) available in a CSV format, please visit here.

Additional Resources

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada, focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security. The organization has also published content related to the threat activity described herein. Interested parties may find its material here.

About Arbor Networks

Arbor Networks, the security division of NETSCOUT, helps secure the world’s largest enterprise and service provider networks from DDoS attacks and advanced threats. Arbor is the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor Networks Spectrum™ advanced threat solution delivers complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of attack campaigns, malware and malicious insiders. Arbor strives to be a “force multiplier,” making network and security teams the experts. Our goal is to provide a richer picture into networks and more security context so customers can solve problems faster and reduce the risks to their business.

To learn more about Arbor products and services, please visit our website at or follow on Twitter @ArborNetworks. Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.

Kevin Whalen
Arbor Networks