Security firm FireEye has released a new report detailing cyber espionage attacks by Chinese hackers on European Ministries of Foreign Affairs (MFA) during recent G20 meetings.
According to FireEye's researcher Nart Villeneuve, hackers infiltrated the computer networks of five European foreign ministries by sending emails containing malware files to staff and gained access to their systems to steal credentials and high-value information.
"We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010," the report says.
The cyber espionage campaign is named “Operation Ke3chang”. If the victim downloads and opens the malware file, which disguises itself as a document detailing a possible intervention in Syria (US_military_options_in_Syria.pdf.zip), a backdoor is installed on the victim's computer.
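The lure described above relies on a name that reads as a document (`.pdf`) but ends in an archive extension (`.zip`). A mail gateway or triage script can flag that pattern before a user ever opens the attachment. The Python below is an added example, not code from FireEye's report; apart from the `US_military_options_in_Syria.pdf.zip` name quoted in the article, all filenames, the extension lists and the in-memory zip archive are constructed for illustration.

```python
import io
import zipfile
from typing import List

# Extensions a recipient reads as "a document" (constructed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
# Container formats that can hide an executable payload (constructed list).
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Extensions that run code when opened (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "jar", "lnk", "bat", "cmd"}
RISKY_EXTS = ARCHIVE_EXTS | EXECUTABLE_EXTS


def split_extensions(filename: str) -> List[str]:
    """Return the lower-cased extension chain of a filename, e.g.
    'Report.PDF.zip' -> ['pdf', 'zip']. Directory components are dropped."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_deceptive_double_extension(filename: str) -> bool:
    """True when a document-looking extension is immediately followed by an
    archive or executable extension, e.g. 'x.pdf.zip' or 'x.doc.exe'."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-2] in DOCUMENT_EXTS and exts[-1] in RISKY_EXTS


def triage_attachments(names: List[str]) -> List[str]:
    """Return the attachment names that use a deceptive double extension."""
    return [n for n in names if is_deceptive_double_extension(n)]


def suspicious_zip_members(zip_bytes: bytes) -> List[str]:
    """Inspect the member names inside a zip (without extracting anything) and
    return those that are executables or that themselves use a deceptive
    double extension. Only the central directory is read."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_extensions(info.filename)
            if (exts and exts[-1] in EXECUTABLE_EXTS) or is_deceptive_double_extension(info.filename):
                flagged.append(info.filename)
    return flagged


# Constructed sample data: attachment names as they might appear in a mailbox.
SAMPLE_ATTACHMENTS = [
    "US_military_options_in_Syria.pdf.zip",  # the lure name quoted in the article
    "G20_agenda.pdf",                        # constructed, benign single extension
    "minutes.docx",                          # constructed, benign
    "invoice.doc.exe",                       # constructed, deceptive
    "photos.zip",                            # constructed, plain archive, not flagged here
]


def build_sample_zip() -> bytes:
    """Build a constructed in-memory archive whose member mimics a document
    but carries an executable extension. The payload bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US_military_options_in_Syria.pdf.exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    print("Deceptive attachment names:", triage_attachments(SAMPLE_ATTACHMENTS))
    print("Suspicious zip members:", suspicious_zip_members(build_sample_zip()))
```

The archive check reads only the zip central directory and never extracts members, so it is safe to run on untrusted input; the name-based check is deliberately narrow (document extension directly followed by a risky one) to keep false positives low on ordinary `.zip` or `.pdf` attachments.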
"They have also leveraged a Java zero-day vulnerability (CVE-2012-4681), as well as older, reliable exploits for Microsoft Word (CVE-2010-3333) and Adobe PDF Reader (CVE-2010-2883)," the report said.
Once a compromised system connects to the CnC server, the Ke3chang attackers follow a predetermined script to gather information about the local computer and the network to which it is connected.
The Ke3chang campaign used 23 known command-and-control servers. FireEye "gained visibility into one of 23 known command-and-control servers operated by the Ke3chang actor for about a week. During this time, we discovered 21 compromised machines connecting to the CnC server."
"Large-scale cyber espionage campaigns have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber attacks."
FireEye had been following the hackers behind the Syria-themed attack for several years. The complete FireEye report is available on the company's website; read it for detailed information.