Chinese hackers supposedly targeted European diplomats from various countries just before the G20 summit with Carla Bruni's nude photos as bait.
The U.S. National Security Agency (NSA) has been in a lot of controversy regarding the Edward Snowden hacking episode. Even its British counterpart, the GCHQ, has been criticized for tapping phones of world leaders. However, a recent FireEye report suggests that Chinese hackers managed to stay under the radar even as they tried to breach computer systems of foreign embassies of several European nations for the past few years. The report, which has dubbed the hacking campaign as Operation Ke3chang, does not reveal the name of the nations whose computer security systems were compromised. However, The New York Times said that Portugal, Hungary and the Czech Republic were among the countries targeted.
Per FireEye, the Chinese hackers launched attacks on their targets by sending malware-infected emails that purportedly contained nude photos of Carla Bruni (wife of former French President Nicolas Sarkozy) or supposed updates on the humanitarian crisis in Syria. One malware-infected email was in the guise of a hacking threat report purportedly sent by McAfee.
Once the computer was infected, FireEye said, the malware would collect all the information and forward it to a network of command and control servers, which could be as high as 99. Most of these servers were traced to be located in China and Hong Kong and some in the U.S.
FireEye said it had no evidence that the hacking campaign had the support of the Chinese government but the malware was programmed in Chinese language and the control panel used to interact with the infected machines contained a mix of English and Chinese commands.
"Traditionally, the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download. They have also leveraged a Java zero-day vulnerability (CVE-2012-4681), as well as older, reliable exploits for Microsoft Word (CVE-2010-3333) and Adobe PDF Reader (CVE-2010-2883)," says the FireEye report.
"This report demonstrates that attackers are able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place," the report said.
FireEye said that for around a week in August, its researchers were able to monitor some of the activities of the hackers. However, it lost track of the Chinese hackers after they moved to another server just before the G20 Summit in St. Petersburg, Russia. FireEye believes that the hackers were arranging to commence stealing classified data just when FireEye's researchers lost track.
"Diplomatic missions, including ministries of foreign affairs, are high-priority targets for today's threat actors," said Darien Kindlund, manager of threat intelligence at FireEye. "Large-scale cyber espionage campaigns have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber attacks."
The report also says that the Ke3chang hackers also sent Windows screensaver files and executable files using the "Unicode Right-To-Left-Override (RTLO)" technique to hide the original filename extension from the targeted user.
