The so-called "Luckycat" campaign has been active since at least June 2011 and has been linked to 90 attacks that use malware tailored for each victim, security vendor Trend Micro said in a report released Friday.
"This illustrates that the attackers are both very aggressive and continually target their intended victims," the report said. "These are not smash-and-grab attacks, but constitute a campaign comprising a series of ongoing attacks over time."
The hackers targeted military research institutions and shipping companies in India; energy, engineering and aerospace entities in China and 30 computers of Tibetan activists. Trend Micro researchers traced the attacks to an e-mail address used to register a command-and-control server. They also mapped the address to a Chinese instant messaging screen name and from there to an online alias, "scuhkr."
The New York Times reported that it traced the alias to Gu Kaiyuan, a former graduate student at Sichuan University in Chengdu, China. The university receives government funding for computer network defense, the newspaper said. According to online records obtained by the Times, Gu is now apparently working for Tencent, a leading Internet portal company in China.
While studying at Sichuan University from 2003 to 2006, Gu wrote numerous articles about hacking under the alias "scuhkr," which is believed to stand for "Sichuan University hacker," according to the Times. The report found that "scuhkr" had recruited other university students for a network attack and defense research project at the university's Institute of Information Security in 2005.
The Times reached Gu at Tencent and asked him about the attacks. "I have nothing to say," he told the newspaper.
Security experts have said China will use people outside the government for hacking operations, which researchers call campaigns. Trend Micro found that malware used in Luckycat was also used in a campaign called "Shadownet," an indication that there may have been some collaboration. Shadownet has also targeted Tibetan activists and the Indian government.
In both campaigns, e-mails tailored to the recipients are used to get them to click on an attachment that then infects the computer with malware, taking advantage of vulnerabilities in Microsoft Office and Adobe software. Once the malware connects to the hackers' server, additional code is installed to establish control over the system.
In the Luckycat campaign, e-mails sent to Japanese targets took advantage of the confusion following last year's tsunami, the report said. E-mail sent to Indian military institutions contained information on the country's ballistic missile defense program, while messages sent to Tibetan activists used the theme of self-sacrifice.
Security vendor Symantec uncovered the campaign two weeks ago, naming it Luckycat after the login name of one of the other attackers, according to the Times. Without knowing about Symantec's work, Trend Micro released a far more detailed report.