China-Based Hacking Group Targets Diplomats, Infiltrates Resellers


Security researchers have detected a new cyberespionage campaign that has successfully compromised diplomatic missions, including targeting officials attending the G20 Finance Ministers meeting held in Russia this summer. The group's scope, however, includes other targets as well, such as service providers, consultancies and resellers.

Researchers at Milpitas, Calif.-based security firm FireEye said they uncovered a new wave of attacks by a group it calls "Ke3chang," which is believed to have successfully infiltrated government ministries in five different European countries. In a report issued this week, the company said attackers are operating out of China and have been active since at least 2010. But the latest round of attacks that the firm uncovered against the foreign ministries are Syria-themed, FireEye said.

"The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria," FireEye said in its report.

[Related: SMBs Not Immune To Targeted Attacks]

The advanced persistent threat was polished and ultimately targeted a narrow number of individuals, but attacks have been traced to a broad range of industries. FireEye said that in only one week it observed 21 compromised systems attempting to contact one of 23 known command-and-control (CnC) servers operated by Ke3chang.

"When FireEye had visibility on the CnC server, we saw the attackers engage in post-compromise information gathering and lateral movement on the target network, where upon FireEye immediately contacted the relevant authorities and began the notification process," the firm said in its report.

Diplomats are not the only target of the hacking group, FireEye said. Aerospace, defense and airlines are top targets, followed by high tech firms and services, including consultancies and resellers, the firm said.

It's the second time that a cyberespionage operation has been linked to attacks against the channel. The hacking groups apparently use the information from consultancies and resellers to better craft an attack against the ultimate target, say security experts. The Ke3chang group selects its targets carefully and has used three malware families since 2010, embedding them in file attachments and malicious links in email messages.

Attacks against a wide range of individuals that service and support the ultimate target is not uncommon, said Robert Pollock, CEO of Trusted Networks, a New York-based solution provider that focuses on mobile security. Pollock said most firms are woefully unprepared to defend against targeted attacks that use custom malware and social engineering to compromise victims.

"You can't operate anymore with dedicated fiber just for security; everything goes out over the air," Pollock said. "You need a practical approach to managing information by focusing on isolation and system redundancy."

Like other targeted attack campaigns, FireEye said Ke3chang exploits older vulnerabilities in Microsoft Word and Adobe Reader. On at least one occasion, the group used a Java zero-day vulnerability, FireEye said. Attacks have been seen using Windows screensaver files and executable files in spearphishing email messages.

FireEye said the G20 Finance Ministers meetings may have been compromised in the past. A campaign believed to have been conducted in 2011 targeted officials attending the organization's meeting in Paris.

According to the attack analysis, the hacking group uses a Web-based control panel that allows them to interact with compromised computers. An automated scan gathers information about compromised systems and performs reconnaissance work on the endpoint. The attackers then typically steal login credentials and move laterally across the compromised corporate network, FireEye said.

FireEye said technical evidence and linguistic clues within malware samples point to a hacking group operating within China. The group also tested malware in a virtual machine running on Windows systems with the default language set to Chinese, FireEye said.

Other firms have traced attacks to groups based in China. In February, Alexandria, Va.-based Mandiant, a security incident response management company, issued a report linking the Chinese government to cyberespionage operations targeting businesses and government agencies globally.

PUBLISHED DEC. 10, 2013