Persistent cyber attacks targeting the defence and aerospace industries, going back at least to April 2011, have been spotted, and China has been implicated.
Security company FireEye spotted the “Beebus” attacks, which used malicious PDF and .DOC files, delivered either by spear phishing or by drive-by downloads, to infect targets with malware. The malware then drops a DLL (dynamic-link library) called ntshrui.DLL into the C:\Windows directory to achieve persistence, FireEye said. The legitimate ntshrui.dll lives in C:\Windows\System32, so a copy planted in C:\Windows is picked up ahead of it when Explorer loads the library, a classic DLL search-order hijack; a copy of that file in C:\Windows is therefore a simple thing for defenders to check for.
FireEye did not say outright where the attacks came from, but said that the technical make-up of the attacks links them to China. The command and control infrastructure in the attacks used “bee.businessconsults.net” as a host.
Subdomains of “businessconsults.net” have also served as command and control nodes for the “HUC Packet Transmit Tool” (HTran), a TCP proxy tool used by the attackers who breached RSA in early 2011, an intrusion some believe China took part in.
Furthermore, those RSA attackers used obfuscated or encrypted HTML comments embedded in web pages to indirectly control compromised endpoints, FireEye said. That technique has been attributed to the “Comment Group” or “Comment Team” hacking collective, believed to be associated with the Chinese government.
China has been in the cyber security press rather a lot recently. It has been linked with attacks on various US media organisations, including the Wall Street Journal and the New York Times, as well as Twitter.
The Wall Street Journal reported this week that Google chairman Eric Schmidt had some strong words to say about China, in a book called The New Digital Age. Along with his co-writer, head of Google Ideas Jared Cohen, Schmidt said China was “the world’s most active and enthusiastic filterer of information” and “the most sophisticated and prolific” hacker of foreign companies.
The attackers used some nifty tricks to hinder detection and interference. Stolen information is base64-encoded (base64 is an encoding, not encryption) using an alphabet that differs from the standard one, so a standard decoder on the wire, whether a man-in-the-middle or a passive network sniffer, gets garbage rather than the readable plaintext it would expect. The trick only obscures the data: once the custom alphabet is recovered from the malware, or from a sample whose plaintext is known, the traffic decodes as easily as ordinary base64.
The attackers also embedded keywords in their command and control traffic, apparently to tag and distinguish individual campaigns, including the Japanese name Osamu.
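To make the custom-alphabet point concrete, here is an added example (not code from the page or from FireEye): it remaps standard base64 onto a constructed 64-symbol alphabet, shows that a standard decoder reads the result wrongly, and recovers the mapping from a single known-plaintext sample. The alphabet used is a hypothetical stand-in, since the page does not publish the one Beebus used.

```python
import base64
import string
from typing import Dict, Optional

# Standard base64 alphabet (RFC 4648), in index order.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for an attacker's custom alphabet (hypothetical; the
# Beebus alphabet is not given on the page). Any permutation of the 64
# symbols behaves the same way; this one is simply the standard order reversed.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the standard library, then remap each symbol into the custom alphabet."""
    assert len(alphabet) == 64 and len(set(alphabet)) == 64, "alphabet must be a 64-symbol permutation"
    table = str.maketrans(STD_ALPHABET, alphabet)
    # '=' padding is not in either alphabet, so it passes through the translation unchanged.
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Undo the remapping and decode as ordinary base64."""
    table = str.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(text.translate(table), validate=True)


def naive_decode(text: str) -> Optional[bytes]:
    """What a standard decoder on the wire (an IDS rule, a proxy log parser) gets from the same text.

    Because the custom alphabet is a permutation of valid base64 symbols, decoding usually
    succeeds, but silently yields the wrong bytes; on a malformed input it returns None.
    """
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def recover_alphabet(known_plain: bytes, observed: str) -> Dict[str, str]:
    """Known-plaintext recovery of the mapping (custom symbol -> standard symbol).

    Aligns the observed encoding of a message whose plaintext is known (for example
    a beacon whose format was seen in the malware) against its standard encoding.
    Only symbols that occur in the sample are recovered.
    """
    expected = base64.b64encode(known_plain).decode("ascii")
    if len(expected) != len(observed):
        raise ValueError("length mismatch: observed text is not a base64 encoding of known_plain")
    mapping: Dict[str, str] = {}
    for obs, std in zip(observed, expected):
        if std == "=":
            if obs != "=":
                raise ValueError("padding symbol differs from '='")
            continue
        if mapping.setdefault(obs, std) != std:
            raise ValueError(f"inconsistent mapping for symbol {obs!r}")
    return mapping


def decode_with_mapping(text: str, mapping: Dict[str, str]) -> bytes:
    """Decode captured text using a (possibly partial) recovered mapping.

    Raises KeyError on a symbol the sample never exercised, which tells the analyst
    a longer known-plaintext sample is needed.
    """
    std = "".join(c if c == "=" else mapping[c] for c in text)
    return base64.b64decode(std, validate=True)


if __name__ == "__main__":
    sample = b"host=WORKSTATION-7;user=alice"  # constructed beacon payload
    wire = custom_b64encode(sample)
    print("on the wire:      ", wire)
    print("standard decoder: ", naive_decode(wire))
    print("custom decoder:   ", custom_b64decode(wire))
    m = recover_alphabet(sample, wire)
    print("recovered symbols:", len(m), "of 64")
    print("decoded via map:  ", decode_with_mapping(wire, m))
```

The recovery function deliberately stops on any inconsistency rather than guessing: if two positions disagree about what a symbol maps to, the captured text is not a plain symbol substitution and the analyst should look for a second layer rather than trust a partial table.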
“There is no specific pattern to this attack, we have seen days on which multiple weaponised emails were sent to several companies, and on other days we observed that the threat actor sent only one email to a specific target organisation,” FireEye wrote in its blog post.
See below for FireEye’s table showing how the volume of the attacks has risen and fallen over the past months:
FireEye did not specify which firms were targeted, or where they hailed from.