Chinese malware targeted US drone secrets, security firm alleges

'Beebus' campaign took big interest in small UAV companies

A series of highly-targeted malware attacks detected a year ago are almost certainly part of a longstanding and determined Chinese campaign to steal industrial secrets from US companies working in the field of UAVs (Unmanned Aerial Vehicles), security firm FireEye has claimed.

The idea that the Chinese state or its helpers might be conducting mass digital raids on US companies is no longer as contentious or extraordinary as it would once have seemed, which is just as well, because 'Operation Beebus' (named after a domain used in the early attacks) looks like an open and shut case.

The attacks themselves used very basic spear phishing designs in which malicious or 'weaponised' PDFs were mailed to named targets; on PCs vulnerable to one or more common software flaws, opening the PDF installed a Trojan backdoor.
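The practical check a mail gateway or analyst wants at this point is a static triage of an incoming PDF for the features weaponised documents rely on: an auto-run action (/OpenAction, /AA) coupled with a script or launch payload (/JavaScript, /Launch, /EmbeddedFile, and so on), which attackers commonly hide inside Flate-compressed streams and behind hex-escaped names such as /J#61vaScript. The following is an added example written for this article, not FireEye's tooling or any Beebus sample; the PDF it scans is constructed inline, and the names and scoring thresholds are this example's own choices.

```python
"""Static triage of a PDF for the building blocks of a weaponised document.

Added example, not code from the article or from FireEye. The sample PDF is
constructed here and is not from any real campaign.
"""
import re
import zlib

# PDF name tokens worth flagging in an unsolicited attachment.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/URI", "/AcroForm", "/XFA",
)
AUTO_RUN = {"/OpenAction", "/AA"}                       # fires without a click
PAYLOAD = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia", "/XFA"}

_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_ESCAPED_NAME = re.compile(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}")


def expand_streams(data: bytes) -> bytes:
    """Replace each stream body with its inflated content when it is
    Flate-compressed, so keywords inside compressed objects become visible."""
    def repl(m: re.Match) -> bytes:
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate, or truncated: leave it alone
    return _STREAM.sub(repl, data)


def normalise_names(data: bytes) -> bytes:
    """Resolve hex escapes in name tokens (/J#61vaScript -> /JavaScript),
    a standard trick for hiding keywords from naive string matching."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return the suspicious names found, how many were hex-escaped, and a
    coarse verdict: 'high' when an auto-run action is paired with a payload."""
    expanded = expand_streams(data)
    escaped = len(_ESCAPED_NAME.findall(expanded))   # count before resolving
    visible = normalise_names(expanded)
    found = {}
    for name in SUSPICIOUS_NAMES:
        # a name token ends at a delimiter, so /JS must not match /JSX etc.
        pat = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pat, visible))
        if n:
            found[name] = n
    has_auto = bool(AUTO_RUN & found.keys())
    has_payload = bool(PAYLOAD & found.keys())
    verdict = "high" if has_auto and has_payload else \
              "medium" if has_auto or has_payload else "low"
    return {"indicators": found, "escaped_names": escaped, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed test input: a minimal PDF whose catalog auto-runs a
    JavaScript action stored in a compressed object, with the action's
    name hex-escaped. Hypothetical, not a real malicious sample."""
    hidden = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert('x')) >>")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Length " + str(len(hidden)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

A plain keyword grep over the raw file would see only /OpenAction here; the script-bearing object is invisible until the stream is inflated and the escaped name resolved, which is exactly why the two normalisation steps run before matching. This is a triage filter, not a verdict: benign forms use /AcroForm and /JS legitimately, so the output is meant to route a document to sandbox detonation or an analyst rather than to block it outright.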

FireEye noticed the attacks on some of its customers in the aerospace and defence sectors last March, and has logged successive waves of the malicious PDFs turning up at regular intervals since then.

The evidence for Chinese involvement in Beebus was compelling, starting with the not inconsiderable fact that it appeared to reuse or have in common some of the command and control infrastructure connected to an infamous APT (Advanced Persistent Threat) attack on RSA's SecurID token system in 2011, later traced to the country by official sources.

The Beebus attackers also used a TTP (tactics, techniques, and procedures) identical to one seen in the RSA hack, obfuscated/encrypted HTML, which US intelligence has labelled the handiwork of the Chinese 'Byzantine Candour' group, FireEye said.

"We have enough evidence that points heavily in that direction," a FireEye spokesperson said of the Chinese connection. "We knew this was being done on behalf of a nation state," he said.

In total, the C&C infrastructure had grown to 214 servers using 60 unique IP addresses, a large investment of time and effort.

Despite being unsophisticated, "we [FireEye] believe the attack was largely successful."

All of the targeted firms were in defence and aerospace with an unusual focus on those in the supply chain involved in UAV and other robotic aircraft.

A spreadsheet seen by Techworld, noting the nature of the attacks, recorded 261 separate attacks on FireEye customers in 2012, 123 of which were on UAV or UAS (Unmanned Aerial Systems) vendors.

According to FireEye, the attackers used the simplest attack design to get the job done, changing malware and subject lines only as often as they had to. This suggested that the organisation launching the attacks probably saw its work in a commercial rather than political light.

Last week, two US newspapers alleged cyberattacks by Chinese actors on their journalists as part of a campaign to monitor their emails. Meanwhile, similar reports of attacks on larger companies are now routine.

Some in the US are still reluctant to openly blame China but they are gradually retreating into the minority as even prominent figures such as Eric Schmidt of Google raise the issue more openly.


Stories by John E Dunn
