China Again Implicated In Persistent Cyber Attacks On Defence Bodies

Persistent cyber attacks targeting the defence and aerospace industries have been spotted, going back as far as April 2011, and China has been implicated.

Security company FireEye spotted the “Beebus” attacks, which used malicious PDFs and .DOC files to infect targets with malware; that malware then drops a DLL (dynamic-link library) called ntshrui.DLL into the C:\Windows directory, which FireEye said is done to achieve persistence. The malicious documents were delivered either through successful spear phishing or through drive-by downloads.
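The persistence trick above works because of Windows DLL search order: explorer.exe lives in C:\Windows, and Windows searches an application's own directory before C:\Windows\System32, so a same-named DLL dropped beside explorer.exe is loaded instead of the genuine one. The check below is an added example, not FireEye's tooling: it flags any DLL in the Windows directory whose name shadows a System32 DLL and, on a live Windows host, compares the SHA-256 of the two copies. The directory listings in the block are constructed for illustration.

```python
"""Flag DLLs dropped in C:\\Windows that shadow a same-named DLL in System32.

Added example, not FireEye's code. explorer.exe is loaded from C:\\Windows,
and Windows searches an application's own directory before System32, so a
look-alike DLL such as ntshrui.dll placed in C:\\Windows is the copy that
gets loaded.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Set

# Constructed directory listings standing in for a live host.
SAMPLE_WINDOWS_DIR = ["explorer.exe", "notepad.exe", "NTSHRUI.DLL", "twain_32.dll"]
SAMPLE_SYSTEM32_DIR = ["kernel32.dll", "ntshrui.dll", "shell32.dll"]


def dll_names(entries: Iterable[str]) -> Set[str]:
    """Lower-cased names of the .dll files in a directory listing (NTFS is case-insensitive)."""
    return {e.lower() for e in entries if e.lower().endswith(".dll")}


def find_shadowing_dlls(windows_entries: Iterable[str], system32_entries: Iterable[str]) -> List[str]:
    """Return DLL names present both directly in C:\\Windows and in System32.

    A clean Windows install keeps very few DLLs directly in C:\\Windows and none
    that duplicate a System32 name, so every hit deserves a closer look.
    """
    return sorted(dll_names(windows_entries) & dll_names(system32_entries))


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_live(windows_root: str = r"C:\Windows") -> Dict[str, dict]:
    """Run the check on a real host and say whether each shadowing copy matches the System32 original."""
    system32 = os.path.join(windows_root, "System32")
    report: Dict[str, dict] = {}
    for name in find_shadowing_dlls(os.listdir(windows_root), os.listdir(system32)):
        top = os.path.join(windows_root, name)
        real = os.path.join(system32, name)
        report[name] = {
            "windows_copy": top,
            "system32_copy": real,
            "identical": sha256_of(top) == sha256_of(real),
        }
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed listings; use scan_live() on a Windows host.
    print(find_shadowing_dlls(SAMPLE_WINDOWS_DIR, SAMPLE_SYSTEM32_DIR))  # ['ntshrui.dll']
```

Any hit whose two copies differ is worth pulling for analysis, but even an identical copy in the wrong directory is unexpected on a clean build and should be explained.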

Cyber attacks incoming

The malware collects information, including the infected machine’s processor type, CPU speed and memory usage. The malware also contains a module to download and execute additional payloads and updates, which could be used to siphon off more important data.

FireEye did not venture to say where the attack came from, but says it derived a link to China based on the technical make-up of the attacks. The command and control infrastructure in the attacks used “bee.businessconsults.net” as a host.

Subdomains of “businessconsults.net” have been used as command and control nodes for the “HUC Packet Transmit Tool”, a TCP proxy tool used by the attackers who breached RSA in early 2012, which some believe China took part in.

Furthermore, those RSA hackers used obfuscated or encrypted HTML comments embedded in websites, in order to indirectly control compromised endpoints, FireEye said. That technique was reportedly used by the “Comment Group” or “Comment Team” hacking collective, believed to be associated with the Chinese government.

China has been in the cyber security press rather a lot recently. It has been linked with attacks on various US media organisations, including the Wall Street Journal and the New York Times, as well as Twitter.

The Wall Street Journal reported this week that Google chairman Eric Schmidt had some strong words to say about China, in a book called The New Digital Age. Along with his co-writer, head of Google Ideas Jared Cohen, Schmidt said China was “the world’s most active and enthusiastic filterer of information” and “the most sophisticated and prolific” hacker of foreign companies.

The attackers used some nifty tricks to prevent detection and interference. The base64 variant used to encode pilfered information uses a different character set from the standard alphabet, making inspection by men-in-the-middle, or “on the wire” snoopers, less likely.
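A non-standard base64 alphabet defeats inspection tools that only recognise the standard table, but an analyst who has recovered the table from the sample can undo it with a character translation. The block below is an added example, not FireEye's code, and the rotated alphabet in it is constructed for illustration (the article does not give the table Beebus used): it decodes base64 written in any 64-character alphabet by mapping it back to the standard one, tolerates stripped padding, and shows that a standard decoder applied to the same text returns the wrong bytes.

```python
"""Decode base64 that uses a non-standard alphabet.

Added example, not FireEye's code. The malware's real table is not given in
the article; EXAMPLE_ALPHABET is a constructed stand-in (the standard table
rotated by 13 positions).
"""
import base64
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabet for the demonstration; substitute the table recovered from a sample.
EXAMPLE_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]


def _check_alphabet(alphabet: str) -> None:
    """A usable base64 table is exactly 64 distinct characters."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")


def encode_custom(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Encode with the standard library, then swap in the custom table (used here to build test data)."""
    _check_alphabet(alphabet)
    table = str.maketrans(STANDARD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


def decode_custom(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Map custom-alphabet text back to standard base64, restore padding, and decode strictly."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet + pad, STANDARD_ALPHABET + "=")
    std = text.strip().translate(table)
    std += "=" * (-len(std) % 4)  # some encoders drop the trailing '=' characters
    # validate=True rejects any character outside the standard table instead of silently skipping it
    return base64.b64decode(std, validate=True)


def standard_decoder_misreads(text: str, expected: bytes) -> bool:
    """True when a plain base64 decoder accepts the text but yields the wrong bytes.

    This is exactly the failure mode the custom alphabet is designed to cause:
    the traffic looks like valid base64, so nothing flags it, but it decodes to garbage.
    """
    try:
        return base64.b64decode(text, validate=True) != expected
    except ValueError:
        return True


if __name__ == "__main__":
    secret = b"hostname=LAB-PC;cpu=2.4GHz"  # constructed sample of the kind of data exfiltrated
    wire = encode_custom(secret, EXAMPLE_ALPHABET)
    print(wire)
    print(decode_custom(wire, EXAMPLE_ALPHABET))          # b'hostname=LAB-PC;cpu=2.4GHz'
    print(standard_decoder_misreads(wire, secret))        # True
```

The translation approach works for any permuted table; if the sample also changes the padding character, pass it as `pad`. If an alphabet contains `=` as a data symbol, the padding character must be something else, which is why `pad` is a separate parameter.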

The attackers also used distinctive keywords, including the Japanese name Osamu, as tags to identify individual attacks through their command and control infrastructure.

“There is no specific pattern to this attack, we have seen days on which multiple weaponised emails were sent to several companies, and on other days we observed that the threat actor sent only one email to a specific target organisation,” FireEye wrote in its blog post.

See below for FireEye’s table on how the cyber attack has been going up and down for months now:

FireEye did not specify which firms were targeted, or where they hailed from.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
