China Is Spying on European Diplomats - BestCyberNews: Online News Presenter in the present world

China Is Spying on European Diplomats

Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers.

According to FireEye's researcher Nart Villeneuve, hackers infiltrated the computer networks of five European foreign ministries by sending emails containing malware files to staff and gained access to their systems to steal credentials and high-value information.

The New York Times identified the foreign ministries through email addresses listed on the attackers’ web page. A person with knowledge of the investigation, who was not authorized to speak publicly, confirmed that the foreign ministries of the five countries had been breached.

While Edward J. Snowden's disclosures of surveillance conducted by the National Security Agency and its intelligence partners dominate attention, the FireEye report is a reminder that Chinese hackers continue to break into the computer systems of governments and firms using simple, email-based attacks.

The cyber espionage campaign has been named “Operation Ke3chang”. If a victim downloads and opens the malware file, which is disguised as a document detailing a possible intervention in Syria (US_military_options_in_Syria.pdf.zip), it installs a backdoor on the victim's computer.

"They have also leveraged a Java zero-day vulnerability (CVE-2012-4681), as well as older, reliable exploits for Microsoft Word (CVE-2010-3333) and Adobe PDF Reader (CVE-2010-2883)," the report said.

Once a compromised system connects to the CnC server, the Ke3chang attackers follow a predetermined script to gather information about the local computer and the network to which it is connected. 

The FireEye report does not link the attacks to a specific group in China, but security experts say the list of victims points to a state-affiliated campaign.

“Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” said Nart Villeneuve, the researcher who helped lead FireEye’s efforts.

Last year, Mr. Villeneuve, then a researcher at Trend Micro, a security company in Tokyo, traced a series of attacks on firms in Japan and India, as well as Tibetan activists, to a former graduate student at Sichuan University who had joined Tencent, China’s leading Internet company.

China’s Foreign Ministry officials have said China does not sanction hacking, and is itself a victim of hacking attacks. A spokesman for the Chinese Foreign Ministry did not return a request for comment on Monday.

Security experts say foreign ministries have long been a target for Chinese hackers. James A. Lewis, a former State Department official and senior fellow and director at the Center for Strategic and International Studies in Washington, said past hacking attacks on the foreign ministries of Australia, Britain, Germany, France, India and Canada had all been traced to the Chinese government.

Using current events to bait targets is nothing new. In March 2012, researchers say the same group used an email about the London Olympics. Three months later, the same group repurposed a security report from McAfee, the antivirus software pioneer, and loaded it with malicious code so that as soon as a target clicked on the attachment, attackers gained a foothold into their machines.

FireEye said the Ke3chang attackers have taken great pains to mask their activities by frequently switching out their hacking tools. And though researchers have only identified 23 of the attackers’ command-and-control servers, they mapped Web addresses back to a total of 99 servers — all of them based in China, Hong Kong and the United States — and believe the number of compromised computers is much larger than what they can see.

Author: Venkatesh Yalagandula
