Written by Chris Bing

Putting together a thorough cyber-espionage campaign in order to spy on hundreds of people can be surprisingly inexpensive, new research by Citizen Lab explains and private sector cybersecurity experts agree.

Over the course of nearly two years, Citizen Lab estimated that a hacking group possibly linked to the Chinese government had spent $1,068 in order to stand up computer systems that were used to target people primarily linked to Tibet; an autonomous territory bordering Nepal and Bhutan that is loosely controlled by the Chinese government.

This activity illustrates to some degree how in certain environments, largely because of poor digital security practices, an attacker can run an effective yet rudimentary scheme to collect intelligence from multiple organizations all at once.

Experts say that while Citizen Lab’s findings are not unique, it paints a picture of how cheap and scalable hacking techniques — including email phishing and web exploit kits — are part and parcel with cyber-espionage programs run by various government agencies and criminal groups across the developing world.

“FireEye has seen the techniques described in the CitizenLab report proliferate worldwide,” the company said in a statement sent to CyberScoop. “Low cost techniques reduce the barrier for entry to cyber-espionage, opening it to a wide range of actors, but still do require some skill to implement successfully. These techniques are more likely to be detected by large corporations and governments; however, NGOs and activists often lack sophisticated defenses necessary to counter this capability.”

Between March 2016 and February 2017, the hackers responsible for the Tibetan espionage effort used more than 172 malicious domains, three servers, 58 decoy documents and 43 custom HTTPS protocol certificates in their operation, which helped attackers penetrate at least two different email accounts. Some phishing emails appeared to be themed for specific targets, including people familiar with the Central Tibetan Administration, Pakistan Army, Sri Lankan Ministry of Defense or Thailand Ministry of Justice, among others.

The attacker’s digital infrastructure was also tied to various other hacking attempts on opposition groups of the leading Communist Party of China, as well as foreign government agencies based in Southeast Asia. Citizen Lab had first become aware of this activity after receiving phishing email samples sent to a local human rights group.

“This case shows that it doesn’t take deep pockets or sophisticated technical skills to mount an effective digital spying operation,” said Masashi Nishihata, a research manager with Citizen Lab. “We need to raise the low bar and make digital spying more expensive for adversaries.

Another factor, according to Nishihata, is popular email platforms do not employ two-factor authentication by default. Additionally, most users refrain from using the service even if an email provider allows them to do so.

“As long as two factor adoption rates remain low, the entry cost for doing credential theft will be low as well,” Nishihata said. “Platforms can play a big role in shifting the balance by encouraging widespread use of two factor authentication.”

The highest costs associated with running an espionage program — like the one captured by Citizen Lab — comes from hiring and employing people to manage and control the infrastructure, Citizen Lab described in its report. However, estimating the price of this labor remains difficult. In addition, it’s not clear how many people would have been involved in the Tibet-focused operation, but computer coding errors and sloppy tradecraft evident in some related phishing emails suggests that the team may have been amateurs.