Cyber-espionage Campaign Ahead of G20 Summit Compromised Several European Ministries

Last summer's G20 Summit was held in St. Petersburg, Russia
Last summer's G20 Summit was held in St. Petersburg, Russia

Security firm FireEye has identified nine compromises at government ministries in five different European countries during this “Operation Ke3chang” initiative; eight of the compromises were at MFAs, it said. Researchers did not make public which MFAs were attacked.

“Large-scale cyber espionage campaigns such as GhostNet have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber-attacks,” FireEye said in the report, which it provided to Infosecurity. “We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010. However, we believe specific Syria-themed attacks against MFAs (codenamed by Ke3chang as ‘moviestar’) began only in August 2013.”

FireEye said that it was able to monitor one of the 23 known command-and-control (CnC) servers operated by the Ke3chang actor for about one week, and saw the attackers engage in post-compromise information-gathering and lateral movement on the target network – in other words, the first hints of cyber-espionage. The firm said that it did not actually witness sensitive data being exfiltrated, but it immediately contacted the relevant authorities and began the notification process anyway.

“During this time, we discovered 21 compromised machines connecting to the CnC server,” researchers said. “These included what appear to be three administrative tests by the attackers and two connections from other malware researchers.”

FireEye said that it had circumstantial evidence that the attack was likely carried out by Chinese hackers – or by actors leaving breadcrumbs meant to point in that direction. But identities and motivations remain unknown.

For one, the Ke3chang CnC control panel contains a mix of Chinese and English words and characters. The subset of CnC servers that were not hosted by dynamic DNS infrastructure was registered using a registrar in China (XIN NET) and the WHOIS records indicate that the registrant is in China. Within the malware binaries themselves, linguistic clues point to the malware authors’ use of the Chinese language. Also, the forensics show that Ke3chang attackers are testing their malware in Windows operating systems, with the default language set to Chinese.

Regardless of the perpetrator, the cyber-espionage threat is clearly escalating and for good reason. “The worldwide deployment of espionage-focused malware has made this generation the Golden Age of espionage,” FireEye researchers said. “Global reach, stealthy maneuvers, legal cover, and plausible deniability — what more could a spy ask for?”

The Ke3chang attackers have used three types of malware over the years and have traditionally targeted the aerospace, energy, government, high-tech, consulting services, and chemicals/manufacturing/mining sectors. “However, the number of attacks against entities in these sectors has been small,” FireEye noted. “The scarcity of individual attacks may indicate the attackers are selective about their targets.”

This particular operation falsely advertised information updates about the ongoing Syrian crisis, which is indicative of the group’s knack for opportunistic targeting. They also used a London Olympics-themed campaign in 2012 and a Carla Bruni-themed campaign in 2011.

In terms of attack vectors, the Ke3chang attackers have typically used topical spear-phishing emails as in this care, with either a malware attachment or a link to a malicious download, FireEye said. But they have also leveraged a Java zero-day vulnerability (CVE-2012-4681), as well as older, reliable exploits for Microsoft Word (CVE-2010-3333) and Adobe PDF Reader (CVE-2010-2883). In the past, Ke3chang attackers have also sent Windows screensaver files (.scr) and executable files (.exe) using the Unicode Right-To-Left-Override (RTLO) technique to cloak the original filename extension from the targeted user, researchers added.

Whatever the vector, the persistence of the threat – and its success – should ring alarm bells, the firm noted. “Attackers are able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place,” FireEye said. “This illustrates the limitations of traditional defenses and highlights the need for security strategies that not only leverage advanced technologies designed to defend against targeted threats, but also the incorporation of threat intelligence and an incident response capability.”

What’s Hot on Infosecurity Magazine?