Chinese Hackers Spied on Europeans Before G20 Meeting: Researcher

G 20 Meeting in St. PetersburgFrom Jim Finkle, Reuters:  Chinese hackers eavesdropped on the computers of five European foreign ministries before last September’s G20 Summit, which was dominated by the Syrian crisis, according to research by computer security firm FireEye Inc.

The hackers infiltrated the ministries’ computer networks by sending emails to staff containing tainted files with titles such as “US_military_options_in_Syria,” said FireEye, which sells virus fighting technology to companies.

When recipients opened these documents, they loaded malicious code on to their personal computers.

For about a week in late August, California-based FireEye said its researchers were able to monitor the “inner workings” of the main computer server used by the hackers to conduct their reconnaissance and move across compromised systems. . . .

“The theme of the attacks was U.S. military intervention in Syria,” said FireEye researcher Nart Villeneuve, one of six researchers who prepared the report. “That seems to indicate something more than intellectual property theft…The intent was to target those involved with the G20. . . .”

Villeneuve said he was confident that the hackers were from China based on a variety of technical evidence, including the language used on their control server, and the machines that they used to test their malicious code. . . .

FireEye said it had been following the hackers behind the Syria-related attack for several years, but this is the first time the group’s activities have been publicly documented. The company calls the group “Ke3chang,” after the name of one of the files it uses in one of its pieces of malicious software.

FireEye said it believed the hackers dubbed the Syria-related campaign “moviestar” because that phrase was used as a tag on communications between infected computers and the hackers’ command-and-control server.

In 2011, the group ran another operation dubbed “snake”, which enticed victims with a file that FireEye said contained nude pictures of Carla Bruni, the Italian-French singer, songwriter and model who in 2008 married then French President Nicolas Sarkozy.

The host name for that campaign’s command-and-control server contained the string “g20news”, which might indicate that it was related to the G20 Finance Ministers meeting in Paris in 2011, FireEye said.

From Nicole Perlroth, New York Times:  Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers.

The attacks, which began in 2010, are continuing, according to a report to be released Tuesday by FireEye, a computer security company in Milpitas, Calif.

Though researchers do not name the hackers’ targets in the report, The New York Times identified the foreign ministries through email addresses listed on the attackers’ web page. A person with knowledge of the investigation, who was not authorized to speak publicly, confirmed that the foreign ministries of the five countries had been breached. . . .

The FireEye report does not link the attacks to a specific group in China, but security experts say the list of victims points to a state-affiliated campaign.

“Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” said Nart Villeneuve, the researcher who helped lead FireEye’s efforts. . . .

Security experts say foreign ministries have long been a target for Chinese hackers. James A. Lewis, a former State Department official and senior fellow and director at the Center for Strategic and International Studies in Washington, said past hacking attacks on the foreign ministries of Australia, Britain, Germany, France, India and Canada had all been traced to the Chinese government.

“The Chinese are eager to look at foreign ministries to glean trade information and because they can read what foreign diplomats are saying about the Americans or Japanese,” he said.

Rob Rachwald, FireEye’s senior director of research, said the company had witnessed other campaigns in which attackers had broken into foreign ministries and think tanks to steal early drafts of policy papers specifically related to China. . . .

FireEye said the Ke3Chang attackers have taken great pains to mask their activities by frequently switching out their hacking tools. And though researchers have only identified 23 of the attackers’ command-and-control servers, they mapped Web addresses back to a total of 99 servers — all of them based in China, Hong Kong and the United States — and believe the number of compromised computers is much larger than what they can see.

“It is so easy to hack foreign targets, intelligence agencies can’t resist,” said Mr. Lewis.

Image: G 20 Meeting in St. Petersburg (photo: Office of the President of Russia)