Chinese hackers have successfully infiltrated five European Foreign Ministries and targeted other Western industrial companies using lures ranging from files on the Syria political crisis to nude photos of France's former First Lady Carla Bruni, according to FireEye researchers.
The research team caught sight of the group, known as 'Ke3chang', when they successfully hacked the ministries of five different European countries in nine separate attacks just before the G20 leaders' summit held in St Petersburg, Russia on 5-6 September.
The White Hats – who include respected senior threat intelligence researcher Nart Villeneuve, known for his investigations into Chinese eavesdropping on Skype – lost track of Ke3chang a week later when they moved servers, but found out enough to establish that the hackers had been operating since at least 2010.
According to FireEye, Ke3chang typically attack using spear phishing emails with either a malware attachment or link to a malicious download. And as well as European governments, they have targeted a small number of aerospace, energy, high-tech, consulting services and chemicals/manufacturing/mining companies.
The group remain active. Villeneuve told SCMagazineUK.com that the most recent malware he had seen Ke3chang send out was on 5 November, before emphasising how dangerous they are and how easily they have got through defences.
He told SC: “We do know at least those five ministries were compromised – and this was just one of 23 command and control servers that the attackers have. Given that this particular one was successful, I assume there were others that were successful as well.”
And he warned: “Some people tend to think that all of these kind of attacks use Zero Day exploits, for example, but the attackers will often use older exploits or in this particular case no exploit at all. Sometimes the simplest attacks are all the attackers need to conduct in order to be successful.
“It is definitely interesting to me that these simple attacks continue to work and the attackers only need to use the level of sophistication required to compromise their attacks - which in some cases doesn't have to be very high.”
Richard Stiennon, chief research analyst at independent analyst firm IT-Harvest, picked up on the need for users to beef up their cyber security awareness, telling SCMagazineUK.com: “By now no-one is surprised by Chinese espionage at world confabs like the G20. For that matter it is beginning to feel like a Peter Sellers plot with the NSA also spying on the G20 Summit in Canada in 2010. The good news should be that all of these diplomatic missions can now cast aside their resistance to deploying good security measures.”
FireEye's researchers say Ke3chang's attack in August, codenamed 'moviestar', was based on offering victims a link to information about the Syrian crisis – which was the focus of the G20 summit.
Other lures used in the past include the Carla Bruni-themed campaign in 2011 and a London Olympics-themed campaign in 2012.
The 2011 campaign, dubbed 'snake' by the attackers, used a link to “First Lady Nude Photos” as its lure. FireEye believes that the targets of this campaign may have been people involved in the G20 Finance Ministers meeting held in Paris in October 2011.
The 2012 attack used false information about the London Olympics in an attempt to lure people into clicking on malicious attachments. This campaign targeted a single firm in the chemicals/manufacturing/mining sector.
Three months later, FireEye identified a campaign whose decoy content was a threat report from McAfee. This too targeted a single firm in the services/consulting sector.
Villeneuve explained why they thought the hackers were of Chinese origin. “The malware that was used was developed in the Chinese language. The command and control interface – basically a web page that the attackers use – was also in Chinese. The malware sent back information which also points to the fact that the attackers are operating in Chinese. These indicators lead us to believe that the attackers are operating from China.”
But FireEye acknowledged this is only “circumstantial evidence” and that the attackers are not necessarily linked to the Chinese government. Indeed, their exact identities and motivation remain unknown.
The researchers say that once they spotted the attackers' activity, they immediately notified the relevant authorities and began notifying the targets involved.
They added: “At that time, FireEye did not observe the attackers exfiltrating sensitive data; however, we believe the Ke3chang attackers likely began attempting to exfiltrate sensitive data shortly thereafter. Accordingly, diplomatic missions, including Ministries of Foreign Affairs, continue to be targeted by malware-based espionage campaigns.”
The six-strong research team were Nart Villeneuve, along with James T Bennett, Ned Moran, Thoufique Haq, Mike Scott and Kenneth Geers.