Let’s say that a particular authoritarian state, which is notorious for tracking its citizens, has found a way to utilize major mainstream websites as a surveillance tool. As the site owner, would you like to be part of this network?
Now that we understand the potential scope of this method, let’s break down the technical terms and simplify the story:
The first step of the Tetris attack is compromising a watering hole website. A watering hole is a technique a threat actor uses to target a particular group (a company, an industry, an ethnic group, etc.). The attacker specifically compromises websites operated by the targeted group and injects malicious code that runs as users access the affected websites.
AT&T Cybersecurity researcher Jaime Blasco first identified this method on June 11th, 2015. Blasco identified watering hole attacks that shared the same modus operandi and platform as the latest Chinese state-sponsored Tetris attack revealed by imp0rtp3 on August 12th, 2021. The attackers used the victims’ interactions with more than 50 major websites (including the top 5 portals in China) to exfiltrate sensitive data from their browsers.
What does the Chinese government gain from it?
All of the watering holes observed target Chinese users visiting websites that support the Chinese opposition. It seems that these campaigns have been targeting a particular group of people. Since there was no financial gain in collecting most of the leaked personal data, it’s safe to assume that whoever is behind these attacks is looking to reveal the users’ personal information. It is also worth mentioning that the Chinese Great Firewall likely blocks some of the sites that the victims try to reach.
The Great Firewall (GFW) analyzes and blocks traffic leaving China; however, Chinese users can bypass the GFW by running VPNs (Virtual Private Networks) or Tor. In these cases, the GFW doesn’t have complete visibility into the traffic. When plaintext traffic comes out of VPN or Tor endpoints, the GFW doesn’t know the actual IP address of the user who is visiting a specific website.
So imagine that the Chinese government wants to reveal individuals who visit certain websites sympathetic to particular causes, even when they use Tor or VPNs to hide their tracks. In the scenario we have described, this is a reality and has been happening since at least 2013. Even if the only data the attackers can obtain is a user ID for a specific website, the threat actors can use it to pinpoint targets for espionage within the GFW.
If there’s one thing to learn from the ‘Tetris’ surveillance kit, it’s that complete confidentiality is impossible to achieve. Once threat actors realized the potential of third-party code intrusions, the technique quickly became a popular way to breach sites and leak sensitive data. There’s a vast difference between individual hackers using this method to web-skim credit card information and state-sponsored threat actors using it to spy on their own citizens.
What can you do about it?
I won’t lie: if the Chinese government wants to gain access to your data, they will probably find a way. It’s no surprise that their method of choice is to exploit external digital apps and frameworks. You can’t run a website without using third- and fourth-party scripts, and the dependency that websites build on these digital applications tremendously increases their attack surface. That is what makes it the perfect vulnerability to exploit, and why you can never ensure total prevention of this sort of cyber attack.
The average security department spends millions of dollars creating a solid perimeter defense for its website. Still, it all misses a big chunk of code: dozens of third-party scripts, each of which can bypass those controls and get access to the most sensitive data. Traditional security solutions like a WAF or security headers like CSP can’t detect this data-leaking method. These systems don’t see the communication between the end user and the external digital vendor. This leaves website owners and end users unaware of what these third-party scripts do: where they run and how they communicate with other components or remote domains. That is why the best way to address it is by making informed decisions that rely on real-time data.
You can immensely reduce the scope of damage that these threats impose on your enterprise by:
- Discovering your digital ecosystem by mapping your assets to ensure none is maliciously acting for someone else.
- Routinely scanning your websites for any irregularities and changes made by third-party scripts.
- Configuring notifications for any suspicious behaviors to address security breaches in real-time.