On 2 April, hacker Hardcore Charlie announced, “Today us prezenta recently owneed chino military kontraktor CEIEC...” The files apparently demonstrate that the Chinese military contractor had itself already obtained sensitive US documents relating to operations in Afghanistan. CIEC denies this. It states, “The information reported is totally groundless, highly subjective and defamatory... CEIEC reserves the right to take legal action against the relevant responsible individuals and institutions.”
Reuters also suggested that the documents might be untrustworthy. “In particular, the hacker said he worked with an associate who calls himself YamaTough... YamaTough had also been involved in an incident in which fake documents, purportedly from Indian military intelligence, were mixed with genuinely purloined documents, raising the possibility Hardcore Charlie had pursued a similar strategy in posting the alleged CEIEC documents.” It is possible, given that Charlie’s announcement follows so closely on the heels of the start of Anonymous’ campaign against China, that this could be Anonymous’ own propaganda. The question, then, is who really did what to whom?
Shadowserver has tried to find out. “We spent the last six days or so digging through malicious documents that we found as part of the purported CEIEC document dump from Hardcore Charlie,” it announced yesterday. “Are the documents legitimate?” it asked. “Where were they original stolen from? If these were really stolen twice, who stole them first? We unfortunately do not have the answer to any of these questions.”
But it found something different. In a folder relating to Vietnam it found eight different malicious documents. “Two of the backdoors were unfamiliar to us and the other two were the well known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage.” Shadowserver speculates that the presence of this malware in the stolen documents is indicative of “yet another cyber espionage campaign against Vietnamese interests.”
David Harley, a senior research fellow with ESET, looked at the malware being used. Everybody lies about what they may or may not be doing in cyber-espionage, so there is simply no way to know who is telling the truth, but it was the apparent age of the malware that interested him most. “If Shadowserver’s guess at the age of the malicious documents being a year or so is correct,” he told Infosecurity, “this suggests that whoever is behind the attacks was already finding that 0-day and even 1-day exploits were already considered as not necessarily more effective than exploitation of vulnerabilities already patched and forgotten about.” This, he said, is depressing, since “it suggests that much of the effort we’ve put into getting people to patch in a timely fashion has been wasted breath.”
“Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with MS09-067 and CVE-2010-3333 with MS10-087,” confirms Shadowserver. “Staying current with the latest versions and security patches for any software you run is highly recommended.”