Chinese Hackers Used Fake Syrian News and Carla Bruni Pics to Attack Foreign Embassies
Remember how, earlier this year, an American security research firm sniffed out a unit of China’s People’s Liberation Army that appeared to be responsible for a series of complicated hacking attacks against numerous American and European companies dating back to the middle of the last decade?
Today there’s news about more Chinese hacking attacks, and this time it’s a campaign against the foreign ministries of several countries. The report comes from the security firm FireEye — the one that went public in the fall — which said it had gained visibility into 23 different servers used to command and coordinate the attacks, which date back to 2010.
“This report demonstrates that attackers are able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place,” the report said.
FireEye researchers have dubbed the campaign “Ke3chang” and said that at least one tactic was to use malware-infected email attachments that appeared to be updates on the unfolding humanitarian crisis in Syria. Ahead of the G20 meeting in Russia over the summer and as news headlines focused on the possibility of a U.S.-led military strike on Syria, attackers used interest in the subject to trick employees at foreign ministry agencies of European countries and their embassies around the world into opening malware-infected documents.
An earlier campaign in 2011 used the lure of a password-protected trove of nude photos of Carla Bruni, wife of Nicolas Sarkozy, the former French president.
A third, in 2012, targeted a company described only as being in the “Chemicals/Manufacturing/Mining Sector” with a campaign using false links to information about the London Olympics.
The decoy in a fourth campaign, also launched in 2012, was a hacking threat report purported to come from McAfee, the Intel-owned security software company.
In each case the decoy files or documents were infected with roughly two dozen variants of three different malware programs: One called BS2005, one dubbed BMW and one known as MyWeb.
Researchers then watched what the malware did: it captured information and forwarded it to a network of 23 servers. They mapped all the IP addresses that the servers' domains resolved to, then collected the domain names that resolved to those IP addresses, and determined that the number of command and control servers could be as high as 99. Most of those were located in either the U.S., China or Hong Kong.
Since the location of the servers doesn’t necessarily mean that the attackers were from China or even necessarily Chinese, they tried to perform what’s called an “attribution analysis.” Clues within the malware files, including linguistic characteristics, suggest that whoever built the malware used Chinese language characters, FireEye says. Additionally, a control panel used to interact with compromised machines contained a mix of English and Chinese commands. Test runs of the detected malware also suggested that the creators built the programs on Windows machines with the default language set to Chinese.
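The infrastructure mapping described above (known domains to their IP addresses, then back to every domain seen on those addresses) can be sketched as follows. This is an added example, not code from FireEye or the report; the passive-DNS records are constructed, and the shared-hosting cutoff `max_domains_per_ip` is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, IP). Names use the reserved
# .example TLD and documentation IP ranges; none come from the report.
PDNS = [
    ("news-update.example", "192.0.2.10"),
    ("news-update.example", "192.0.2.11"),
    ("mail-relay.example", "192.0.2.11"),
    ("photo-share.example", "192.0.2.10"),
    ("photo-share.example", "198.51.100.7"),
    ("games-info.example", "198.51.100.7"),
    ("cdn-parking.example", "203.0.113.50"),
    ("unrelated-shop.example", "203.0.113.50"),
    ("unrelated-blog.example", "203.0.113.50"),
    ("unrelated-wiki.example", "203.0.113.50"),
    ("news-update.example", "203.0.113.50"),
]

def build_indexes(records):
    """Index the observations both ways: domain -> IPs and IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip

def expand(seeds, records, max_domains_per_ip=3, rounds=2):
    """Pivot domain -> IP -> domain from known C2 domains. IPs hosting more
    than max_domains_per_ip domains (assumed cutoff) are set aside as likely
    shared hosting or parking, which would pull in unrelated sites."""
    by_domain, by_ip = build_indexes(records)
    domains, ips, skipped = set(seeds), set(), set()
    for _ in range(rounds):
        found = set()
        for ip in {ip for d in domains for ip in by_domain.get(d, ())}:
            if len(by_ip[ip]) > max_domains_per_ip:
                skipped.add(ip)          # too crowded to attribute
            else:
                ips.add(ip)
                found |= by_ip[ip]
        if found <= domains:             # nothing new: stop early
            break
        domains |= found
    return domains, ips, skipped

if __name__ == "__main__":
    doms, addrs, crowded = expand({"news-update.example"}, PDNS)
    print(sorted(doms), sorted(addrs), sorted(crowded))
```

Raising the cutoff sweeps the unrelated sites on the crowded address into the result, which is why a count produced this way is an upper bound on attacker infrastructure and needs review before use in blocklists.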