Chinese Hackers Used G20 Summit to Spy on European Leaders
In August, as members of the G20 were preparing to meet to discuss exactly what could be done to address Bashar al-Assad's chemical weapons attack
in Syria, a mysterious group of Chinese hackers spied on the computers
of five European foreign ministers, using the G20 summit as bait to hack
them.
The cyber espionage operation was narrowly targeted and used phishing
emails with malicious attachments that had titles referring to the
Syrian crisis, such as "US_military_options_in_Syria," according to
computer security firm FireEye, which uncovered the campaign.
This new cyber campaign underlines once again how skilled Chinese hackers can be at spying and hacking foreign targets.
Last year, Mandiant, another security firm, unmasked the hackers behind some of the most effective cyberattacks and espionage campaigns against the United States, pointing fingers directly at a secretive group within the Chinese army.
In contrast to those widespread attacks, and despite having been active since 2010, this new group of hackers has been relatively quiet and has greatly limited its operations.
"[The hackers] seemed to specifically target ministries of foreign affairs," Nart Villeneuve, FireEye's lead researcher in this investigation, told Mashable. "The number of attacks that we were able to find is relatively small compared to a lot of other campaigns. To me this suggests that the attackers are very specific about who they target."
In this case, their targets were the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia, and Hungary, according to The New York Times. Asked about the list, Villeneuve declined to confirm it, saying that FireEye won't reveal any identifying information about the targets, which have been notified privately.
At this point, it's impossible to know why the hackers were so limited in their targets.
Adam Segal, a fellow at the Council on Foreign Relations and expert on cybersecurity and China, told Mashable that in previously uncovered Chinese hacker campaigns the targets were in the hundreds, which made this new attack interesting.
"If they were more selective," Segal said, that "could either reflect a lack of interest, or a greater degree of precision on what they were looking for."
Villeneuve had been monitoring the group's activities since last year, but the breakthrough came in August, when the hackers made a mistake configuring the web interface they used to navigate inside the compromised networks. For about one week, the firm's researcher could observe the hackers' movements on one of their servers.
The researchers observed that once the targets opened the attachment, a piece of malware installed what FireEye defined as a "typical first stage backdoor" which gave the hackers a lot of freedom.
"They had full control over a compromised system," Villeneuve said.
What the researchers saw were really cautious attempts to gain more access and move from computer to computer, but they didn't see any data theft before they lost access to the hackers' command and control servers. Villeneuve said that at that point the hackers were probably preparing to start stealing data.
In an earlier, separate campaign the hackers used less business-oriented bait to get access to their victims' computers — an email attachment promising nude pictures of then-French president Nicolas Sarkozy's wife Carla Bruni. In yet another one, they faked sending a threat report from a well-known security vendor.