Tetris – a State-Sponsored JavaScript Surveillance Kit

Malicious JavaScript frameworks that collect sensitive data are not confined to web skimming. What was once used by individual threat actors to steal credit card information is now a fully developed state-sponsored monitoring kit. Recent reports of a Chinese JavaScript-based surveillance tool raise alarms regarding its efficiency in extracting sensitive data while evading detection by most traditional security tools. 

How to utilize JavaScript framework to track and monitor opposition supporters

Let’s say that a particular authoritarian state, which is notorious for tracking its citizens, has found a way to utilize major mainstream websites as a surveillance tool. As the site owner, would you like to be part of this network?

Well, you are. Whenever a victim enters a specific watering hole website (e.g., opposition-supporting media outlets), they trigger a JavaScript framework planted there to extract sensitive data. It includes names, addresses, phone numbers, hardware IDs, and even geolocation or a picture of the victim. 

Meet ‘Tetris’ – A modular, customized JavaScript-based framework used as a surveillance kit that targets Chinese-speaking opposition via infected websites. Tetris exploits vulnerabilities in digital web applications found in 58 widely used websites, including Aliexpress, Baidu, QQ, and Tmall.

Tetris proves the potentially unlimited power of JavaScript frameworks to steal personal information. The method’s efficiency lies in its ability to evade traditional security measurements combined with the scope of data it collects. Rather than targeting specific victims at a time, it enables threat actors to collect exponential amounts of confidential data over a continuous period. 

Now that we can comprehend this method’s scope of potential, let’s deconstruct the technical terms and simplify the story:

How the Tetris JavaScript works

The first step of the Tetris attack is compromising a Watering Hole website. Watering Hole is a technique used by a threat actor to target a particular group (company, industry, ethnic, etc.). They specifically compromise websites operated by the specified group and inject malicious code as the users access the affected websites.

The threat actors gain access to a victim’s system by injecting a JavaScript file inside the compromised website’s digital applications. The JS file is a third-party script that runs on the client-side and establishes a connection between the end-user and the third-party vendor itself. This is the attacker’s favorable blind spot because the communications between the end-user and any third party aren’t monitored by the existing security solutions such as WAF.

The malicious JavaScript makes a JSONP request to dozens of major Chinese websites using the script tag. Using JSONP requests, the attackers bypass cross-domain policies and collect a user’s private information as long as the victim is logged in to one of the dozens of affected services. When the browser receives the data, it sends the personal data (including sex, birthday, real name, and user ID) to an attacker-controlled server.

AT&T Cybersecurity researcher Jaime Blasco first identified this method on June 11th, 2015. Blasco identified watering hole attacks that shared similar MO and platform as the latest Chinese state-sponsored Tetris attack revealed by imp0rtp3 on August 12th, 2021. The attackers used the victim’s interactions with more than 50 major websites (including the top 5 portals in China) to exfiltrate sensitive data off of their browsers.

The bottom line is that websites’ dependency on JavaScript frameworks makes them an attractive security vulnerability for threat actors to exploit. It enables the threat actors to bypass traditional cybersecurity tools and steal sensitive data for months undetected. It is that effective.

What does the Chinese government gain from it?

All of the Watering Holes observed are targeting Chinese users visiting Chinese opposition-supporting websites. It seems that these campaigns have been targeting a particular group of people. Since there was no financial gain on collecting most of the leaked personal data, it’s safe to assume that whoever’s behind these attacks is looking to reveal the users’ personal information. It is also worth mentioning that the Chinese Great Firewall likely blocks some of the sites that the victim tries to reach.

The Great Firewall (GFW)  analyzes and blocks traffic leaving China; however, Chinese users can bypass the GFW by running VPNs (Virtual Private Networks) or TOR. In these cases, the GFW doesn’t have complete visibility into the traffic. When plaintext traffic comes out of VPNs or TOR endpoints, the GFW doesn’t know the actual IP address of the user that is visiting a specific website.

So imagine that the Chinese government wants to reveal individuals who visit certain websites sympathetic to particular causes even when they use TOR or VPNs to hide their tracks. In the scenario we have described, this is a reality and has been happening since at least 2013. Even if the only data the attackers can obtain is a user ID for a specific website, the threat actors can use it to pinpoint targets for espionage within the GFW.

If there’s one thing to learn out of ‘Tetris’ surveillance kit is that it’s impossible to achieve complete confidentiality. When threat actors realized the potential of third-party code intrusions, it quickly became a popular technique for cyber breaching and sensitive data leakage. There’s a vast difference between individual hackers using this method for web skimming credit card information to state-sponsored threat actors using it to spy on their citizens.

What can you do about it?

I won’t lie: If the Chinese government wants to gain access to your data, they probably will find a way. It’s no surprise that even their method of choice is to exploit external digital apps and frameworks. You can’t run a website without using 3rd, and 4th party scripts; the dependency that websites build on these digital applications tremendously increases their attack surface. It’s what makes it the perfect vulnerability to exploit. That is why you can’t ever ensure total prevention of this sort of cyber-attacks. 

The average security department spends millions of dollars creating a solid perimeter defense for its website. Still, it all misses a big chunk of code: dozens of third-parties code, each can bypass the process and get access to the most sensitive data. Traditional security solutions like WAF or security headers like CSP can’t detect this data leaking method. These systems don’t notice the communication between the end-user and the external digital vendor. This leaves website owners and end-users unaware of what these third-party scripts do: where they run and how they communicate with other components or remote domains. That is why the best way to address it is by making informed decisions that rely on real-time data. 

You can immensely reduce the scope of damage that these threats impose on your enterprise by:

1. Discovering your digital ecosystem by mapping your assets to ensure none is maliciously acting for someone else.
2. Routinely scan your websites for any irregularities and changes made by third-party scripts.
3. Configuring notifications for any suspicious behaviors to address security breaches in real-time.