China Is Tied to Spying on European Diplomats

The New York Times, 10 December 2013

SAN FRANCISCO — Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers.

The attacks, which began in 2010, are continuing, according to a report to be released Tuesday by FireEye, a computer security company in Milpitas, Calif.

Though researchers do not name the hackers’ targets in the report, The New York Times identified the foreign ministries through email addresses listed on the attackers’ web page. A person with knowledge of the investigation, who was not authorized to speak publicly, confirmed that the foreign ministries of the five countries had been breached.

Even as revelations by Edward J. Snowden about surveillance conducted by the National Security Agency and its intelligence partners dominate attention, the FireEye report is a reminder that Chinese hackers continue to break into the computer systems of governments and firms using simple, email-based attacks.

The FireEye report does not link the attacks to a specific group in China, but security experts say the list of victims points to a state-affiliated campaign.

“Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” said Nart Villeneuve, the researcher who helped lead FireEye’s efforts.

Last year, Mr. Villeneuve, then a researcher at Trend Micro, a security company in Tokyo, traced a series of attacks on firms in Japan and India, as well as Tibetan activists, to a former graduate student at Sichuan University who had joined Tencent, China’s leading Internet company.

Mr. Villeneuve said the current hacks were highly selective. Researchers first began tracking the campaign — which they call “Ke3Chang” after a reference buried in the malware code — in 2011. That October, various Group of 20 finance ministers were targeted during a summit meeting in Paris.

The attackers sent their targets emails with a link that claimed to contain naked photos of Carla Bruni-Sarkozy, wife of former President Nicolas Sarkozy of France. Once a target clicked the link, the attackers were able to gain a foothold in that target’s computer network, though investigators said they were unable to see which files the attackers had taken. The closest they came was last August, when FireEye’s researchers were able to infiltrate one of the group’s 23 command-and-control servers for one week. They could see that the server had breached 21 different targets, including government ministries in the five European countries.

They watched as attackers mapped out victims’ computer networks, searching for users with privileged access who would allow them entry into the computers of high-value targets.

That glimpse gave researchers a rare window into the attackers’ techniques and clues to their origin. Their malware contained Chinese character strings, and one Web page used to compromise computers was written in Chinese. They also tested their malware on several machines whose default language setting was Chinese.
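As an added illustration of the attribution clue described above (language artifacts left behind in malware), and not code from the FireEye report or from the article, here is a small Python triage script that pulls printable ASCII strings, UTF-8 CJK strings and null-terminated UTF-16LE CJK strings out of a binary blob and summarises how many Chinese-script strings it found. The sample blob is constructed for the example and has nothing to do with the Ke3Chang samples; the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample blob standing in for a suspicious Windows binary. It
# mixes ASCII strings, one UTF-8 CJK string and one null-terminated UTF-16LE
# CJK string. These are made-up bytes, not taken from any real malware.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"GetProcAddress\x00"
    + "配置文件".encode("utf-8") + b"\x00\x00"
    + "登录成功".encode("utf-16-le") + b"\x00\x00"
    + b"http://example.invalid/update\x00"
)

# Printable ASCII runs of at least 4 bytes, i.e. what `strings` would print.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# UTF-8 encodings of U+4E00..U+9FFF (CJK Unified Ideographs) use a lead byte
# in E4..E9 followed by two continuation bytes; require at least 2 characters.
UTF8_CJK_RUN = re.compile(rb"(?:[\xe4-\xe9][\x80-\xbf]{2}){2,}")

# UTF-16LE code units for U+4E00..U+9FFF have a high byte in 4E..9F. The
# trailing double-NUL terminator pins down the byte alignment: a candidate
# that starts one byte too early would need an odd number of bytes to reach
# the terminator, which a sequence of two-byte pairs cannot do.
UTF16LE_CJK_RUN = re.compile(rb"(?:[\x00-\xff][\x4e-\x9f]){2,}\x00\x00")


def is_cjk(text: str) -> bool:
    """True if every character is a CJK Unified Ideograph (U+4E00..U+9FFF)."""
    return all("\u4e00" <= ch <= "\u9fff" for ch in text)


def extract_strings(blob: bytes) -> Dict[str, List[str]]:
    """Extract ASCII, UTF-8 CJK and UTF-16LE CJK strings from raw bytes."""
    found: Dict[str, List[str]] = {"ascii": [], "utf8_cjk": [], "utf16le_cjk": []}

    for m in ASCII_RUN.finditer(blob):
        found["ascii"].append(m.group().decode("ascii"))

    for m in UTF8_CJK_RUN.finditer(blob):
        text = m.group().decode("utf-8", errors="replace")
        if is_cjk(text):
            found["utf8_cjk"].append(text)

    for m in UTF16LE_CJK_RUN.finditer(blob):
        raw = m.group()[:-2]  # drop the terminator before decoding
        # Lower-case ASCII pairs such as b"abcd\x00\x00" also decode to code
        # points in the CJK block; treat a run that is entirely printable
        # ASCII as text, not as a CJK string (a very short CJK string made of
        # printable bytes is dropped too, an accepted trade-off for triage).
        if ASCII_RUN.fullmatch(raw):
            continue
        text = raw.decode("utf-16-le", errors="replace")
        if is_cjk(text):
            found["utf16le_cjk"].append(text)

    return found


def language_indicator_summary(blob: bytes) -> Dict[str, object]:
    """Summarise language artifacts an analyst would note during triage."""
    found = extract_strings(blob)
    cjk = found["utf8_cjk"] + found["utf16le_cjk"]
    return {
        "ascii_string_count": len(found["ascii"]),
        "cjk_string_count": len(cjk),
        "cjk_strings": cjk,
    }


if __name__ == "__main__":
    for key, value in language_indicator_summary(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Strings like these are only a clue, not proof of origin: a careful operator can plant them, and build-environment artifacts (resource language IDs, PDB paths, compiler time zones) are usually weighed alongside them before anyone draws a conclusion about who wrote a sample.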

“Beyond the fact they are Chinese, we don’t know who the attackers are or what their motivations might be,” Mr. Villeneuve said.

China’s Foreign Ministry officials have said China does not sanction hacking, and is itself a victim of hacking attacks. A spokesman for the Chinese Foreign Ministry did not return a request for comment on Monday.

Security experts say foreign ministries have long been a target for Chinese hackers. James A. Lewis, a former State Department official and senior fellow and director at the Center for Strategic and International Studies in Washington, said past hacking attacks on the foreign ministries of Australia, Britain, Germany, France, India and Canada had all been traced to the Chinese government.

“The Chinese are eager to look at foreign ministries to glean trade information and because they can read what foreign diplomats are saying about the Americans or Japanese,” he said.

Rob Rachwald, FireEye’s senior director of research, said the company had witnessed other campaigns in which attackers had broken into foreign ministries and think tanks to steal early drafts of policy papers specifically related to China.

Mr. Rachwald said FireEye had notified the latest victims, but that in many cases they had deployed only bare-bones computer security defenses in response.

David Frous, a deputy spokesman for the Czech Republic’s Ministry, said the ministry could not comment. “However, I can assure you every precaution to prevent hacking on our computer systems is being made,” he said.

Karlis Eihenbaums, a spokesman for the Latvian Foreign Ministry, said the ministry had no comment. Spokesmen for the Portuguese, Hungarian and Bulgarian foreign ministries did not respond to requests for comment.

FireEye’s researchers have traced three different variants of malware back to Ke3Chang. From there, they were able to see that the same attackers had also targeted organizations in the aerospace, energy, high-tech, consulting, chemical, manufacturing and mining sectors.

Most recently, the attackers have tried to bait targets into clicking on a link in an email purporting to contain information about possible American military intervention in Syria. Researchers say the emails predated the most recent G-20 meeting in Russia last September.

Using current events to bait targets is nothing new. In March 2012, researchers say, the same group used an email about the London Olympics. Three months later, the same group repurposed a security report from McAfee, the antivirus software pioneer, and loaded it with malicious code so that as soon as a target clicked on the attachment, attackers gained a foothold on their machines.

FireEye said the Ke3Chang attackers have taken great pains to mask their activities by frequently switching out their hacking tools. And though researchers have only identified 23 of the attackers’ command-and-control servers, they mapped Web addresses back to a total of 99 servers — all of them based in China, Hong Kong and the United States — and believe the number of compromised computers is much larger than what they can see.

“It is so easy to hack foreign targets, intelligence agencies can’t resist,” said Mr. Lewis.

http://www.nytimes.com/2013/12/10/world/asia/china-is-tied-to-spying-on-european-diplomats.html?hpw&rref=technology&_r=0