European diplomats and ministries of foreign affairs have been targeted during recent G20 meetings by Chinese-speaking hackers conducting espionage campaigns using malware to siphon secrets from compromised computers.
The latest incidents came in August when spear phishing messages spiked with attachments promising information on U.S. military options in Syria zeroed in on diplomats and foreign ministers prior to the G20 Russia Summit in St. Petersburg in September.
Researchers at security company FireEye infiltrated a command and control server used in this campaign and observed communication between 21 compromised machines and the C&C server; nine of the compromised machines were beaconing back from ministries in five European countries and eight from ministries of foreign affairs. The remainder of the connections were made either by the attackers or security researchers.
Once on a victim’s machine, the attackers were able to use a variety of malicious code samples not only to steal data but also to harvest legitimate credentials in order to move laterally across the victim’s network, seeking out more vulnerable systems and exposed data.
The attacks, which FireEye said have been active since 2010, have also been used against targets in aerospace, energy, government, high tech, consulting and services, chemicals, manufacturing and mining industries. The lures have been target-specific as well; in separate campaigns, the London Olympics of 2012 as well as the promise of illicit photographs of French first lady Carla Bruni were themes.
The spear-phishing emails are laced with links to sites hosting malware downloads or malicious attachments—a cocktail of malicious screensavers, Java, Microsoft Word and Adobe PDF exploits, some dating back to 2010.
FireEye estimates there were as many as 23 command and control servers used in the G20 Russia campaign, dubbed Ke3chang, in a complicated, well thought-out campaign targeting high-profile, influential government officials.
“The scarcity of individual attacks indicates the attackers are selective about their targets,” said Nart Villeneuve, a researcher with FireEye, adding that the company has already been in contact with relevant authorities about the attacks.
The malware used by the Ke3chang attackers has evolved; FireEye believes there are three distinct signposts where malware changed and improved with additional features and capabilities.
“We believe these three types of malware are an evolution of a single project from a single developer or small team of developers sharing code,” Villeneuve said, adding that the attacks not only establish a backdoor connection but also enable the attackers to upload more malware, download files, run shell commands and even put the attack to sleep if so desired. All of the communication is done over HTTP, he said.
The current version of the campaign, called BS2005, capitalized on the possible U.S. military intervention in Syria late this summer. The attackers packaged the malware in a ZIP file called “US_military_options_in_Syria.pdf.zip” that contained an executable of the same name. The executable was a loader that dropped a second executable, ie.exe, compiled in July; this acted as the backdoor, calling out to an IP address at 122[.]10[.]83[.]51. The samples also contained tags that allowed the attackers to keep track of individual victims. The attackers also took great care to disrupt any attempts by security researchers to analyze the malware or the campaign. For example, the malware kills any processes related to Maxthon, a free Chinese browser, or 360se, a free Chinese antivirus product.
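Two of the details above are directly usable by defenders: the lure is an executable whose name ends in a document extension (“.pdf”) followed by the real executable extension, and the backdoor beacons over HTTP to a fixed address. The following is an added example, not code from the article or from FireEye, showing how a mail-gateway or SOC script could flag both. The ZIP contents and proxy log lines are constructed here to mirror the article's description; the member name “US_military_options_in_Syria.pdf.exe”, the extension lists and the log format are assumptions for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Extensions that make an attachment look like a document, and extensions that
# Windows will actually execute. A name like "report.pdf.exe" pairs one of each.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}

# The only network indicator the article gives: the BS2005 backdoor's C&C address.
KNOWN_C2 = {"122.10.83.51"}


def find_masquerading_members(zip_bytes: bytes) -> List[str]:
    """Return ZIP member names whose extension chain ends in
    <document extension>.<executable extension>, e.g. lure.pdf.exe."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()   # ignore any directory prefix
            parts = base.split(".")
            if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS:
                hits.append(name)
    return hits


# Assumed proxy log format (constructed): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>GET|POST)\s+https?://(?P<host>[^/:\s]+)"
)


def find_c2_beacons(log_lines: List[str], known_c2=KNOWN_C2) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for every HTTP request to a known C&C host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("host") in known_c2:
            hits.append((m.group("ts"), m.group("src"), m.group("host")))
    return hits


def build_sample_zip() -> bytes:
    """Constructed test input: a ZIP shaped like the lure described in the article
    (an executable carrying the archive's own document-looking name) plus one
    benign member, so the scanner has something to ignore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US_military_options_in_Syria.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


# Constructed proxy log lines: two beacons from one workstation to the C&C
# address and two unrelated requests. Timestamps and hosts are invented.
SAMPLE_LOG = [
    "2013-08-20T09:00:01Z 10.0.5.17 GET http://122.10.83.51/index.php?id=0001 200",
    "2013-08-20T09:00:03Z 10.0.5.17 GET http://www.example.org/news 200",
    "2013-08-20T09:05:01Z 10.0.5.17 POST http://122.10.83.51/upload 200",
    "2013-08-20T09:05:09Z 10.0.5.22 GET http://intranet.example.org/ 200",
]

if __name__ == "__main__":
    for member in find_masquerading_members(build_sample_zip()):
        print("suspicious attachment member:", member)
    for ts, src, host in find_c2_beacons(SAMPLE_LOG):
        print(f"{ts} {src} contacted known C&C {host}")
```

The attachment check deliberately keys on the extension chain rather than the file content, because the article's lure was a loader with a document-style name; a mail gateway that also inspects the member's magic bytes (the `MZ` header above) would catch renamed executables that drop the double extension. The beacon check matches only the one address the article publishes, so in practice the `KNOWN_C2` set would be fed from a threat-intelligence source rather than hard-coded.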
In addition to this summer’s G20 campaign, the same campaign targeted the 2012 London Olympics, targeting a single chemical manufacturer with a phony PDF schedule of the Summer Games, as well as the 2011 Paris G20 Summit, this time promising nude pictures of Bruni, the wife of French president Nicolas Sarkozy.
An older campaign, called MyWeb, targeted security and defense industries and introduced an anti-sandboxing feature as well as a sleep value relative to the malware’s ability to beacon back to C&C servers.
All three malware families used by this gang used domains from dynamic DNS providers for their command infrastructure, and all share common IP addresses. FireEye’s mapping and correlation of those addresses leads its researchers to believe there could be as many as 99 C&C servers, largely in the U.S., China and Hong Kong. Once on a victim’s machine, the script is similar: the malware gathers system and network information and uses a number of malicious executables to steal credentials and attempt to move laterally on the network. It also has the capability of grabbing network group information and looks specifically for domain administrators and those in charge of system access.
FireEye said the attacks against diplomats continue.
“This report demonstrates that attackers are able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place,” Villeneuve said. “This illustrates the limitations of traditional defenses and highlights the need for security strategies that not only leverage advanced technologies designed to defend against targeted threats, but also the incorporation of threat intelligence and an incident response capability.”
Download FireEye’s report here.