10:00 ET, 11 December 2013

Security experts at FireEye have discovered a cyber espionage operation conducted by Chinese hackers against computers at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

FireEye's researchers revealed that they were able to track Chinese hackers spying on EU foreign ministries for about a week. The hackers targeted computers belonging to at least five European foreign ministries around the time of the G20 meeting; a total of nine computers were compromised.

FireEye did not reveal the identity of the ministries, but confirmed that the cyber espionage operation targeted participants in the annual summit of the G20 group of nations held in St Petersburg in September. The New York Times has reported the names of the countries hit by the attacks: the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

The Chinese group behind the campaign was codenamed “Ke3chang” after the name of one of the files used in its malicious code.

The method of attack is the usual one: a spear-phishing email tries to lure the victim into opening an attachment that carries the malware. To deceive recipients, the attackers used attachments purporting to provide details of a possible US military intervention in Syria, a lure chosen because the civil war in Syria was the principal topic of the G20 talks.

In August, FireEye researchers had the opportunity to monitor one of the 23 servers used by the Chinese hackers for the attacks. During the week of observation the attackers operated without stealing any documents, so the researchers believe the incursion was part of a network reconnaissance phase, as confirmed by Narottama Villeneuve, a senior FireEye researcher.

“At that stage it appeared to be about network reconnaissance,” said Mr Villeneuve. “They appeared to be specifically targeting foreign ministries.”

Villeneuve also explained that his team was able to monitor the Chinese hackers only for a limited period, the week the group spent “shifting” its infrastructure.

“When they shift infrastructure, the servers are open. I just happened to check the servers when they weren’t secured,” he said.

The principal problem in this case is attribution: although the origin of the group is clear, it is quite difficult to link it to a state-sponsored hacking strategy.

“The hackers were based in China but it is difficult to determine from a technology point of view how or if it is connected to a nation state,” he added.

The Ke3chang group is an old acquaintance of FireEye: in the past it has targeted energy and aerospace companies and has conducted malware-based attacks against government organizations and hi-tech companies.

In 2012 the Ke3chang group adopted the same method of attack using a London Olympics-themed email, and a “year earlier used emails purporting to show nude pictures of the then French president’s wife, Carla Bruni.”

This is just the latest act in the cyber dispute between China and the West.

Pierluigi Paganini

(Security Affairs –  Chinese hackers, FireEye)
