Tuesday, 10 December 2013

Chinese hackers used Syrian crisis to phish European governments before G20 Summit

Chinese hackers gained access to several European governments' systems in the run-up to the G20 Summit in September, according to security firm FireEye.
FireEye confirmed detecting a sophisticated advanced persistent threat targeting numerous government officials in its Operation Ke3chang threat report. "As the crisis in Syria escalates, FireEye researchers have discovered a cyber espionage campaign, which we call 'Ke3chang', that falsely advertises information updates about the ongoing crisis to compromise Ministry of Foreign Affairs (MFA) networks in Europe," read the report.
The researchers did not detail the specific countries affected, but confirmed the campaign had compromised at least nine different government ministries. "FireEye gained visibility into one of 23 known command-and-control (CnC) servers operated by the Ke3chang actor for about one week. During this time, we discovered 21 compromised machines connecting to the CnC server," read the report.
"These included what appear to be three administrative tests by the attackers and two connections from other malware researchers. Among the targets, we identified nine compromises at government ministries in five different European countries. Eight of these compromises were at MFAs."
The attackers reportedly used three types of malware to infiltrate the agencies' systems and stole various kinds of information during the cyber raids. "Upon accessing one of the Ke3chang CnC servers, we found that the attackers have a web-based control panel that allows them to interact with compromised computers," read the report.
"Once a compromised system connects to the CnC server, the Ke3chang attackers follow a predetermined script. They first gather information about the local computer and the network to which it is connected. FireEye found the following tools on the CnC server, which the attackers used to steal login credentials and move laterally across the network."
The FireEye researchers said that while it is too early to know whether the attack is state sponsored, they did uncover evidence linking the campaign to China. "Using the IP addresses from the 23 CnC servers FireEye collected from our initial samples, we then mapped all the IP addresses that these domains resolved to," read the report.
"We then collected any other domains that also resolved to these IP addresses, resulting in at least 99 possible Ke3chang CnC servers. Upon further analysis, we find that these 99 CnC servers are primarily located in the US, China and Hong Kong."
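The pivot the report describes is a standard passive-DNS expansion: resolve the known CnC domains to IP addresses, then collect every other domain that has resolved to those same addresses, and finally tally where the resulting addresses are located. The script below is an added illustration of that workflow, not FireEye's tooling or data; the domains, addresses and country table are constructed placeholders (RFC 5737 documentation ranges), and the `max_domains_per_ip` threshold is an assumed heuristic for skipping shared-hosting addresses, which would otherwise pull hundreds of unrelated domains into the candidate set.

```python
"""Passive-DNS pivot from seed CnC domains to candidate infrastructure.

Added example: the records, addresses and country table are constructed
and stand in for a real passive-DNS feed and GeoIP lookup.
"""
from collections import defaultdict

# Constructed passive-DNS observations as (domain, ip) pairs. Addresses come
# from RFC 5737 documentation ranges and are not real indicators.
PDNS_RECORDS = [
    ("syria-update.example", "192.0.2.10"),
    ("syria-update.example", "192.0.2.11"),
    ("mfa-news.example", "192.0.2.11"),
    ("g20-brief.example", "198.51.100.5"),
    ("news-mirror.example", "192.0.2.10"),      # co-resolves with a seed domain
    ("cdn-shared.example", "203.0.113.7"),      # shared hosting address below
    ("seed-on-shared.example", "203.0.113.7"),
    ("blog-a.example", "203.0.113.7"),
    ("blog-b.example", "203.0.113.7"),
    ("blog-c.example", "203.0.113.7"),
    ("unrelated.example", "198.51.100.99"),
]

# Constructed IP -> country table standing in for a GeoIP database.
GEO = {
    "192.0.2.10": "US",
    "192.0.2.11": "CN",
    "198.51.100.5": "HK",
    "203.0.113.7": "US",
    "198.51.100.99": "DE",
}

# Constructed seed set: domains already confirmed as CnC from samples.
SEED_DOMAINS = {
    "syria-update.example",
    "mfa-news.example",
    "g20-brief.example",
    "seed-on-shared.example",
}


def build_indexes(records):
    """Index passive-DNS pairs both ways: domain -> IPs and IP -> domains."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return domain_to_ips, ip_to_domains


def pivot(seed_domains, records, max_domains_per_ip=3):
    """One-hop pivot: seed domains -> their IPs -> every domain on those IPs.

    An IP hosting more than max_domains_per_ip domains is treated as shared
    hosting: it stays in the seed IP set but is not expanded through, so that
    unrelated tenants do not pollute the candidate list.
    Returns (seed_ips, candidate_domains, skipped_shared_ips).
    """
    domain_to_ips, ip_to_domains = build_indexes(records)
    seed_ips = set()
    for domain in seed_domains:
        seed_ips |= domain_to_ips.get(domain, set())

    candidates = set(seed_domains)
    skipped_shared = set()
    for ip in seed_ips:
        hosted = ip_to_domains[ip]
        if len(hosted) > max_domains_per_ip:
            skipped_shared.add(ip)
            continue
        candidates |= hosted
    return seed_ips, candidates, skipped_shared


def count_by_country(ips, geo):
    """Tally addresses per country code; unknown addresses count as '??'."""
    counts = defaultdict(int)
    for ip in ips:
        counts[geo.get(ip, "??")] += 1
    return dict(counts)


if __name__ == "__main__":
    ips, domains, shared = pivot(SEED_DOMAINS, PDNS_RECORDS)
    print("seed IPs:", sorted(ips))
    print("candidate domains:", sorted(domains))
    print("skipped shared-hosting IPs:", sorted(shared))
    print("by country:", count_by_country(ips, GEO))
```

On the constructed data the pivot picks up `news-mirror.example` because it co-resolves with a seed domain, while the five tenants on `203.0.113.7` are left out and the address is reported separately for manual review. In practice the threshold, the observation window, and a check that the co-resolution overlapped in time are what keep this kind of expansion from producing false attributions.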
The Ke3chang campaign is one of many linked back to China. In February, security firm Mandiant issued a report linking a Chinese military unit based in Shanghai's Pudong district to an international cyber-spying campaign responsible for attacks on at least 141 companies. The Chinese government has consistently denied the allegations, arguing that cyber attacks are an issue facing all governments.
