December 10, 2012

Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that cyberspies in that region may be just as interested in siphoning secrets from Russian targets.

The Cyrillic text used in the decoy document.

Researchers at Milpitas, Calif. based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.

According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack “Windows Simplified Chinese (PRC, Singapore).” The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.

Update, 1:05 p.m. ET: FireEye just published a blog post about this research, which indicates they now believe the likely source of this attack was Korea, not China. The headline to this story has been modified.

The attackers responsible for this campaign apparently did little to obfuscate the “drop site” where the passwords and other data stolen from victim machines was being deposited; FireEye found that the purloined information was sent to a public message board that does not require authentication. Lanstein said the company is still working to decrypt the stolen data, but that a majority of the victim PCs traced back to Internet addresses in Russia, and included the SuperComputer Center of the Russian Academy of Sciences, as well as other Russian research and educational institutions (PDF).

“This case was interesting because it’s offensive cyber stuff that doesn’t seem to include the United States,” Lanstein said. “It’s also interesting because the attackers did not use very sophisticated methods, yet they were able to compromise some high profile targets while hiding in plain sight. It cost them nothing, and it shows that you don’t need to use the latest tools to develop your own espionage network.”

13 thoughts on “Espionage Attacks Against Ruskies?”

  1. Old School

    “According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation.” Is there any information like IP addresses that would point to exactly where in Korea or Japan?

  2. Лена гиена

    The Cold War, that’s done!

    Shame on you for using ethnic slander!

    I am Russian and proud of it!

    1. JCitizen

      What slander?
      You’re a Rushkie!
      I’m a Yank!
      What could be wrong with that!? 😀

      The complaint should be with the Koreans (North or South, we do not yet know)

  3. JB3

    “All is fair in love and… cyberwar”

    Why wouldn’t they? If allies spy on allies, then everything else is pretty much fair game.

    Also, if the honey pot is the U.S. (or other western nations), you can expect China to also direct their attention at other third parties (in this case the Russians) that may have greater vulnerabilities while also be gathering info from and about western honey pots.

  4. Richard Steven Hack

    It would be interesting to see how much Israeli cyber-espionage is going on against the US and Russia. Israel is a hot bed of computer hackers and computer security outfits, but aside from some local computer crime stories one never hears about anything originating from there – unless it’s about Iran.

    The same tactics being applied against Iran could easily be applied against the US – and Israel has never hesitated to spy against the US. The FBI always has them high on the list of countries which are running active intelligence operations against the US.

    Given the Russian opposition to an Israeli strike on Iran, not to mention all the Russian Jewish oligarchs who emigrated to Israel, I would imagine Russia is also a major target of Israeli cyber-crime and cyber-espionage.

    The US is a top target just because it’s the biggest target. It’s no surprise other countries are also targets, especially if their security isn’t up to the (ridiculously low) US standards.

    1. JCitizen

      Uh – I don’t know if you can call it spying when we give Israel carte blanche to surveil us at all times. They have the inside game on.

      1. Uzzi

        …and for now no one can tell that Mossad isn’t behind all espionage attacks worldwide – every Tom, Dick and Harry can hire Chinese cybercrooks, not just Apple. */duck* 🙂

        1. JCitizen

          You gotta point there – not sure how chaos goes in their favor exactly. The Arab Spring has been unpredictable enough.

  5. JCitizen

    If this were the North Koreans – maybe they need information on how to launch a rocket correctly *snicker* ]:)

    1. JimV

      Step back, light fuse, run like the Dear Leader or Great Leader himself was coming after you for screwing up….