FireEye report: Chinese hackers target foreign ministries

Dec. 13, 2013 at 2:01 AM

BEIJING, Dec. 13 (UPI) -- Cybersecurity company FireEye claims Chinese hackers broke into the computer systems of five European foreign ministries over the summer.

The hackers sent emails with malware attachments purporting to detail a possible U.S. intervention in Syria, the BBC reported.

Nine computers were compromised, the company told the BBC.

The company hasn't revealed which ministries were targeted but said the malware was meant for individuals involved in last summer's Group of 20 talks in St. Petersburg attended by senior government leaders.

A main topic of discussion among the leaders was the Syrian crisis.

FireEye's 23-page report, available on its website, calls the cyber espionage campaign "Ke3chang." In the campaign, hackers sent out emails that advertised information updates about the Syrian crisis.

"We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010," the report said.

"However, we believe specific Syria-themed attacks against foreign affairs ministries -- codenamed by Ke3chang as 'moviestar' -- began only in August 2013. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria."

FireEye researchers said they were able to monitor one of the hackers' computer servers for one week.

"When they [the hackers] shift infrastructure, the servers are open. I just happened to check the servers when they weren't secured," senior FireEye researcher Narottama Villeneuve told the BBC.

The report says FireEye "gained visibility into one of 23 known command-and-control servers operated by the Ke3chang actor for about a week. During this time, we discovered 21 compromised machines connecting to the CnC server."

Researchers observed what "appeared to be three administrative tests by the attackers and two connections from other malware researchers."

Among the targets, FireEye said it identified nine compromises at government ministries in five European countries. Eight of these compromises were at ministries of foreign affairs.

"When FireEye had visibility on the CnC server, we saw the attackers engage in post-compromise information-gathering and lateral movement on the target network whereupon FireEye immediately contacted the relevant authorities and began the notification process."

"At that stage, it appeared to be about network reconnaissance," Villeneuve told the BBC. "The hackers were based in China, but it is difficult to determine from a technology point of view how or if it is connected to a nation state," Villeneuve said.

During the week the malware was observed in action, no documents were stolen.

The report by FireEye, based in Milpitas, Calif., comes amid growing Western fears of increasing attacks by Chinese hackers -- some allegedly with government approval or direction.

The Australian government said in May it won't dump its nearly completed spy agency headquarters in Canberra and start building over again, despite allegations Chinese Internet hackers stole the building's blueprints.

Australian Broadcasting Corp.'s investigative program "Four Corners" reported Chinese hackers managed to get into files of top secret detailed blueprints.

The plans reportedly showed details of complex electrical and electronic cabling, security and communications systems as well as floor plans for the headquarters of the Australian Security Intelligence Organization, the Australian reported.

U.S. Defense Secretary Chuck Hagel, on his first trip after taking up the post, publicly rebuked China in June for its alleged cyberespionage operations.

The Voice of America reported Hagel called for China to work with the United States to establish a cyberspace code of conduct.

"The United States has expressed our concerns about the growing threat of cyberintrusions, some of which appear to be tied to the Chinese government and military," Hagel said in a speech to officials of several Asia-Pacific nations gathered for an annual security summit at Singapore's Shangri-La Hotel.

Setting up a joint cyber working group would be "a positive step in fostering U.S.-China dialogue on cyber," he said.

"We are determined to work more vigorously with China and other partners to establish international norms of responsible behavior in cyberspace."

The Chinese government continues to deny any connection to alleged cyberattacks.
