According to a report from researchers at US security firm FireEye, computers belonging to diplomats who attended the G20 summit in Russia three months ago, including staff at at least five European foreign ministries, were successfully targeted by hackers FireEye believes to be Chinese.
FireEye researchers monitored one of the 23 command-and-control servers used by the Ke3chang group during August. This let them observe the malware in action, although FireEye says that, as far as it is aware, no data was stolen during the period of observation. The security firm says it contacted the relevant authorities as soon as it realised what was under way. The circumstantial evidence collected at the time leads FireEye to believe that Chinese hackers were carrying out the attacks, although it admits that 'other actors' could have staged things to make the Chinese appear responsible. In the murky world of international espionage, such things are rarely clear cut. If it were a matter of misdirection, it would be a carefully crafted one: the command-and-control panels carried Chinese text, the servers were registered in China and linguistic clues within the malware binaries pointed towards a Chinese-speaking coder.
The campaign, which the researchers nicknamed Ke3chang, used fairly standard social engineering for initial infection: emails carrying attachments that installed malware once opened. The attachments were apparently well targeted, with some purporting to be documents revealing a US plan to intervene in the Syrian crisis, while others claimed to be nude photos of Carla Bruni, wife of former French President Nicolas Sarkozy. That such methods should work in an arena you might expect to be tightly secured, and I would certainly expect government networks at this level to be just that, is something of a wake-up call for everyone. Not least because it suggests that further down the security food chain, which means ordinary businesses like yours and mine, the risk of intrusion through such primitive means is likely even greater.
That is especially true when you consider that the attackers targeted users with privileged access in order to get into the diplomatic systems. Matt Middleton-Leal, regional director, UK & Ireland at CyberArk, says: "The alleged methods used by cyber spies in infiltrating the computer systems of European diplomats are a classic example of the tactics in use by today's cyber criminals. Social engineering has been a key tool for hackers looking to breach a network, whether using spoof emails, as in this case, or even by creating fake websites to take advantage of simple human curiosity. Once inside a target system, criminals almost always seek out the privileged accounts and credentials that exist within, as these provide the most powerful and far-reaching access, allowing attackers to cause the most damage."
So what should the average business take away from all this? Simply this: the most effective place to begin when securing a corporate network is from within. Privileged accounts and credentials are not only open to abuse or accidental misuse by employees, they are also a highly sought-after target for external attackers, as a great many recent data breaches have shown. "With the stakes higher than ever, it is essential that organisations are fully aware of their privileged account security problem, whether in corporate networks or Government organisations," Middleton-Leal warns, concluding: "Furthermore, all privileged user access and activity should be monitored and controlled, with a system in place to flag any suspicious behaviour, allowing incident response teams to intervene in real-time and before any damage is done."
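To make the monitoring Middleton-Leal describes concrete, here is a small added example, written for this page rather than taken from FireEye or CyberArk. It runs a baseline check over a handful of constructed authentication log lines and flags privileged-account activity that comes from a host outside the account's known set, happens outside business hours, or changes privilege itself. The log format, the account names, the baseline hosts and the business-hours window are all assumptions made for the illustration; a real deployment would feed it from the domain's actual audit logs and a baseline learned from them.

```python
"""Flag privileged-account activity that falls outside a known baseline.

Added example for this article, not code from FireEye or CyberArk. The log
format, accounts, baseline hosts and business-hours policy are all assumed.
"""
import re

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> user=<account> src=<source host> action=<what happened>
SAMPLE_LOG = """\
2013-08-20T09:01:12Z user=domain_admin src=jump01 action=logon
2013-08-20T09:15:40Z user=domain_admin src=jump01 action=logon
2013-08-20T11:02:03Z user=svc_backup src=backup01 action=logon
2013-08-21T02:47:55Z user=domain_admin src=ws-diplomat17 action=logon
2013-08-21T02:49:10Z user=domain_admin src=ws-diplomat17 action=add_group_member
2013-08-21T10:00:00Z user=jsmith src=ws-diplomat17 action=logon
"""

# Assumed: which accounts count as privileged and where each is normally used.
PRIVILEGED = {"domain_admin", "svc_backup"}
BASELINE_HOSTS = {
    "domain_admin": {"jump01", "jump02"},   # dedicated admin jump hosts
    "svc_backup": {"backup01"},             # the backup server itself
}
# Assumed policy: privileged work happens 08:00-18:00 UTC (start inclusive, end exclusive).
BUSINESS_HOURS = (8, 18)
# Actions that alter privilege are always worth an alert, whatever the time or host.
SENSITIVE_ACTIONS = {"add_group_member", "reset_password"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # Hour of day from the ISO timestamp, e.g. "2013-08-21T02:47:55Z" -> 2
    event["hour"] = int(event["ts"][11:13])
    return event


def flag_event(event):
    """Return the reasons an event is suspicious; an empty list means it looks normal."""
    reasons = []
    if event["user"] not in PRIVILEGED:
        return reasons  # unprivileged accounts are out of scope for this check
    if event["src"] not in BASELINE_HOSTS.get(event["user"], set()):
        reasons.append("privileged logon from non-baseline host")
    if not (BUSINESS_HOURS[0] <= event["hour"] < BUSINESS_HOURS[1]):
        reasons.append("privileged activity outside business hours")
    if event["action"] in SENSITIVE_ACTIONS:
        reasons.append("privilege-changing action")
    return reasons


def detect(log_text):
    """Run every parsable line through flag_event and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = flag_event(event)
        if reasons:
            alerts.append((event["ts"], event["user"], event["src"], event["action"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only the two domain_admin events from the workstation ws-diplomat17 at 02:47 and 02:49 are flagged; the routine jump-host logons and the ordinary user's logon from the same workstation pass. The point is the shape of the check, not the thresholds: a compromised workstation is most dangerous the moment a privileged credential is used from it, and that is exactly the event a baseline of "which accounts, from which hosts, at which hours" makes visible.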