December 10, 2013
Security Firm Claims Chinese Hackers Are Spying On EU Ministries
Peter Suciu for redOrbit.com - Your Universe Online
On Monday, Reuters reported that Chinese hackers likely had eavesdropped on the computers of five European foreign ministries in advance of last September’s G20 summit, which was held in St. Petersburg, Russia. This is according to research that was conducted by California-based computer security firm FireEye Inc.
The New York Times on Tuesday reported that the foreign ministries included those of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.
The attacks reportedly began in 2010 and could be continuing, but FireEye has been unable to link them to a specific group within China. The security firm does believe that the list of victims points to a state-affiliated campaign.
“Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” Nart Villeneuve, the researcher who helped lead FireEye’s efforts, told the New York Times.
The hackers reportedly infiltrated the ministry computer networks by sending emails containing tainted files to the respective staff. When recipients at the ministries opened these tainted documents, malware was loaded onto their computers. The files had suggestive titles such as “US_military_options_in_Syria,” a timely lure, as the G20 summit was dominated by the ongoing crisis in Syria.
“The theme of the attacks was U.S. military intervention in Syria,” Villeneuve told Reuters. “That seems to indicate something more than intellectual property theft...The intent was to target those involved with the G20.”
Back in August, FireEye had been monitoring one of the 23 computer servers used by the hackers. The group, dubbed Ke3chang after the name of one of the files used in its malware, was monitored until it moved to another server shortly before the start of the G20 summit. The FireEye researchers said they believe the Ke3chang group was preparing to steal data just as access to the hackers’ activity was lost.
During the time it had access FireEye was able to watch the attackers map out victims’ computer networks and even search for users with privileged access. This provided the researchers with a window to track the hackers’ techniques, as well as their origin.
During this window FireEye obtained malware samples that contained Chinese character strings, and a web page used to compromise the computers was reportedly written in Chinese. Chinese was also the default language in the malware’s settings.
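The language-string indicator described above is the kind of triage an analyst can run on an unknown binary before any deeper reversing. The following is an added example, not FireEye's tooling or any code from the Ke3chang campaign: it pulls CJK (Chinese) text out of a byte blob in both UTF-8 and UTF-16LE encodings. The sample blob is constructed here to mimic an executable that mixes ordinary ASCII strings with Chinese ones; the file names, strings and offsets in it are assumptions and not real malware.

```python
"""Hunt for CJK (Chinese) character strings in an unknown binary blob.

Added example for this article, not FireEye's tooling. SAMPLE_BLOB is
constructed to look like an executable carrying UTF-8 and UTF-16LE Chinese
strings next to plain ASCII; it is not a real sample.
"""
import re

# Unified CJK ideographs, U+4E00..U+9FFF.
CJK_CHAR = re.compile(r"[\u4e00-\u9fff]")

# UTF-8 forms of U+4000..U+9FFF: lead byte E4..E9 plus two continuation bytes.
# Slightly wider than the CJK block, so decoded text is re-checked with CJK_CHAR.
UTF8_CJK_RUN = re.compile(rb"(?:[\xe4-\xe9][\x80-\xbf]{2})+")

# UTF-16LE: low byte first, then a high byte in 4E..9F.
UTF16LE_CJK_RUN = re.compile(rb"(?:[\x00-\xff][\x4e-\x9f])+")

# Printable ASCII (narrow and wide) runs are blanked before the UTF-16 scan:
# byte pairs such as "in" (0x69 0x6E) or "\x00o" from a wide "Mozilla" decode
# to valid CJK code points and would otherwise be reported as Chinese text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_ASCII_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed sample: a fake PE header, an HTTP request, a UTF-8 Chinese string
# ("Chinese settings"), a narrow ASCII tag, a UTF-16LE Chinese string
# ("default language") and a wide ASCII user agent with a BOM in front of it.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"GET /index.php HTTP/1.1\r\n\x00"
    + "中文设置".encode("utf-8") + b"\x00"
    + b"Ke3chang\x00"
    + "默认语言".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + "Mozilla/4.0".encode("utf-16-le") + b"\x00\x00"
)


def _mask_ascii(blob: bytes) -> bytes:
    """Replace narrow and wide printable-ASCII runs with NUL bytes of equal length."""
    blob = WIDE_ASCII_RUN.sub(lambda m: b"\x00" * len(m.group(0)), blob)
    return ASCII_RUN.sub(lambda m: b"\x00" * len(m.group(0)), blob)


def _all_cjk(text: str, min_chars: int) -> bool:
    return len(text) >= min_chars and all(CJK_CHAR.match(c) for c in text)


def cjk_strings(blob: bytes, min_chars: int = 2) -> dict:
    """Return {'utf8': [...], 'utf16le': [...]} of CJK strings found in blob.

    min_chars drops one-character hits such as "MZ" (0x4D 0x5A), which happens
    to be a valid UTF-16LE CJK code point. Caveat: a genuine UTF-16 string
    whose first low byte falls in 4E..9F can be matched one byte early and
    decode to garbage; such hits fail the CJK re-check and are discarded.
    """
    found = {"utf8": [], "utf16le": []}

    for m in UTF8_CJK_RUN.finditer(blob):
        text = m.group(0).decode("utf-8", errors="ignore")
        if _all_cjk(text, min_chars):
            found["utf8"].append(text)

    masked = _mask_ascii(blob)
    for m in UTF16LE_CJK_RUN.finditer(masked):
        text = m.group(0).decode("utf-16-le", errors="ignore")
        if _all_cjk(text, min_chars):
            found["utf16le"].append(text)
    return found


if __name__ == "__main__":
    print(cjk_strings(SAMPLE_BLOB))
```

On the constructed sample this reports one UTF-8 hit and one UTF-16LE hit and nothing for the ASCII regions. A hit is only a lead: language strings in a binary say something about the toolchain or the developer's locale, not who operated it, which is the limit Villeneuve himself draws in the next paragraph.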
“Beyond the fact they are Chinese, we don’t know who the attackers are or what their motivations might be,” Villeneuve added to the New York Times.
However, the Chinese government on Tuesday rejected FireEye’s accusation.
“U.S. computer security firms have been keen on playing up the so-called cyber threat from China. But their so-called evidence is never solid but widely doubted by professionals,” Foreign Ministry spokesman Hong Lei said at a daily news briefing as reported by the Xinhuanet news agency. “They are trying to gain attention with fake facts, which will neither be conducive to international cyber security cooperation nor the professional qualifications and reputation of the firms involved.”
Other security firms, including Mandiant, have released reports concluding that a number of high-profile cyber-attacks against companies in the United States were launched from China. Various security firms have been monitoring the activities of a branch of the People’s Liberation Army (PLA), dubbed Unit 61398, which operated out of a 12-story building on the edge of Shanghai.