Security tactics might have helped in foreign ministry hacks

Network segmentation that restricts intruders' access to data would have helped contain Chinese hackers who breached computers at the foreign ministries of five European countries, an expert says.


The attacks were part of an ongoing campaign that started at least in 2010, security vendor FireEye reported Tuesday. While the company did not name any of the targets, The New York Times said they included the ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

FireEye determined that once the hackers penetrated a network, they hunted for users with privileged access, stole those users' credentials and used them to reach high-value information. The vendor gathered its attack data from one of the 23 command-and-control servers used by the attackers.

The campaign, named Ke3chang after a string found in the malware code, shows that a determined attacker will very likely get into a network, Nart Villeneuve, senior threat intelligence researcher at FireEye, said. The focus should therefore be on limiting how much data the intruders can reach before they are discovered.

Network segmentation, the splitting of a computer network into sub-networks with controlled paths between them, would have confined the attackers to the data and users of the small portion of the network they first compromised, Villeneuve said.

"Once the attackers were in, they immediately started moving around," he said. "If those chunks of the network were segmented, then it would limit the amount of damage that they could conduct, because the systems they compromised wouldn't have access to other segments of the network."
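The containment argument above can be made concrete by asking, for a given network policy, how far an intruder can get from the first compromised host. The following is an added example, not code from FireEye or from the article: it models a small constructed estate (host names and segments are invented), a flat policy where every segment can reach every other, and a segmented allow-list policy, and computes the hosts exposed from a compromised workstation under each. It models network-layer reachability only; pivoting with stolen credentials, which the article turns to next, is a separate control.

```python
from collections import deque

# Constructed example estate (not the ministries' real networks): host -> segment.
HOSTS = {
    "wks-17": "staff-wks",
    "wks-42": "staff-wks",
    "mail-01": "mail",
    "fs-01": "fileshare",
    "dc-01": "identity",
    "archive-01": "policy-archive",
}
SEGMENTS = set(HOSTS.values())

# A flat network: every segment may reach every other segment.
FLAT_POLICY = {seg: set(SEGMENTS) for seg in SEGMENTS}

# A segmented network: explicit allow-list of the segments each segment may initiate to.
# Workstations get mail and the file share; only the identity segment may reach the archive.
SEGMENTED_POLICY = {
    "staff-wks": {"mail", "fileshare"},
    "mail": set(),
    "fileshare": set(),
    "identity": {"fileshare", "policy-archive"},
    "policy-archive": set(),
}


def reachable_segments(policy, start):
    """Transitive closure of the allow-list from a starting segment (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in policy.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_hosts(policy, compromised_host):
    """Hosts an intruder on compromised_host can reach at the network layer."""
    segs = reachable_segments(policy, HOSTS[compromised_host])
    return sorted(h for h, s in HOSTS.items() if s in segs)


def check_policy_isolates(policy, segment, protected):
    """True if nothing reachable from `segment` lands in one of the protected segments."""
    return not (reachable_segments(policy, segment) & set(protected))


if __name__ == "__main__":
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: from wks-17 an intruder reaches {exposed_hosts(pol, 'wks-17')}")
```

The useful habit is the last function: name the segments that must never be reachable from user workstations and re-run the check whenever the allow-list changes, since a single permissive rule added later silently re-flattens the network.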

The attackers, believed to be operating in China, were very selective about their targets, using three types of malware to attack a small number of entities in aerospace, energy, government, high-tech, consulting, and the chemical, manufacturing and mining sectors.

"Although we were able to track their activity back to 2010, the total number of attacks that we were able to uncover was fairly small, which to me indicates these attackers are quite selective of who they want to attack," Villeneuve said.

The most recent attacks occurred in August and September of this year (2013) and were aimed at the ministries in the five countries named by the Times, Villeneuve said. They coincided with the Group of 20 summit of government leaders held in Russia in September.


To entice potential victims, the hackers sent emails with attachments that allegedly contained documents on possible U.S. military intervention in the Syrian civil war.

The same group had conducted other attacks in 2011 and 2012. The 2012 attack used emails with links to information about the London Olympics, while the 2011 attack offered links to purported nude photos of Carla Bruni-Sarkozy, the pop singer and former first lady of France. FireEye was unable to identify the targets of those attacks, but noted that the 2011 campaign coincided with the G20 summit in Paris that year.

The attackers' habit of hunting for privileged users once inside a network, and using their credentials to reach high-value information, points to a second control: knowing and watching the privileged accounts themselves, FireEye said.

Most companies do not know the number of privileged accounts on their networks. A recent survey by CyberArk, which specializes in privileged account security, found that 86 percent of enterprises do not know how many of these accounts exist.

Companies therefore need to start with an inventory of those accounts, and then secure them by ensuring that every use of a privileged credential is monitored and recorded.

"Privileged user behavior profiling can detect a range of anomalies in the behavior patterns of individual privileged users, such as a user who suddenly accesses credentials at an unusual time of day," John Worrall, chief marketing officer at CyberArk, said in an email.

"This is a strong indicator of malicious activity or severe policy violations, whether it stems from an external hacker taking over a privileged credential, or a malicious insider."
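The inventory step and the time-of-day profiling Worrall describes can be done from the audit trail of whichever system hands out privileged credentials. The following is an added example, not CyberArk's product logic or anything from the article: it runs over constructed audit lines in an invented format (the `user=`/`src=`/`action=` layout and all names are assumptions for the example), builds a per-account baseline of usual hours and source hosts, and flags later events that fall outside it, including accounts with no baseline at all.

```python
import re
from collections import defaultdict
from datetime import datetime

# Audit-line format assumed for this example; adapt the regex to the real vault or jump host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)
HOUR_SLACK = 1  # an hour within +/-1 of a baseline hour still counts as usual

# Constructed sample data (not real logs): a few days of normal use.
BASELINE_LOG = [
    "2013-08-26T08:05:11Z user=admin.kovar src=jump-01 action=checkout",
    "2013-08-26T16:40:02Z user=admin.kovar src=jump-01 action=checkin",
    "2013-08-27T09:12:44Z user=admin.kovar src=jump-01 action=checkout",
    "2013-08-27T17:01:30Z user=admin.kovar src=jump-01 action=checkin",
    "2013-08-28T08:55:19Z user=admin.kovar src=jump-02 action=checkout",
    "2013-08-26T01:00:03Z user=svc.backup src=bak-01 action=checkout",
    "2013-08-27T01:00:05Z user=svc.backup src=bak-01 action=checkout",
    "2013-08-28T01:00:04Z user=svc.backup src=bak-01 action=checkout",
]
# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    "2013-09-03T02:17:51Z user=admin.kovar src=wks-42 action=checkout",
    "2013-09-03T10:30:00Z user=admin.kovar src=jump-01 action=checkout",
    "2013-09-03T01:00:06Z user=svc.backup src=bak-01 action=checkout",
    "2013-09-03T02:20:09Z user=admin.novak src=wks-42 action=checkout",
]


def parse(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return ev


def privileged_accounts(lines):
    """Inventory step: every privileged account that actually appears in the audit trail."""
    return sorted({ev["user"] for ev in map(parse, lines) if ev})


def build_profiles(lines):
    """Per-account baseline: hours of day and source hosts seen during normal use."""
    profiles = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ev in map(parse, lines):
        if ev:
            profiles[ev["user"]]["hours"].add(ev["hour"])
            profiles[ev["user"]]["sources"].add(ev["src"])
    return dict(profiles)


def hour_is_usual(hour, baseline_hours):
    """Circular distance so that 23:xx and 00:xx count as neighbours."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= HOUR_SLACK for h in baseline_hours)


def score_event(profiles, ev):
    """Reasons an event deviates from its account's baseline (empty list means normal)."""
    prof = profiles.get(ev["user"])
    if prof is None:
        return ["no baseline profile for account"]
    reasons = []
    if not hour_is_usual(ev["hour"], prof["hours"]):
        reasons.append(f"hour {ev['hour']:02d} outside baseline")
    if ev["src"] not in prof["sources"]:
        reasons.append(f"source {ev['src']} not in baseline")
    return reasons


def detect(profiles, lines):
    """Run every line against the profiles and return the events worth a look."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        reasons = score_event(profiles, ev)
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOG)
    print("privileged accounts seen:", privileged_accounts(BASELINE_LOG))
    for a in detect(profiles, NEW_EVENTS):
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

Two points the sample data is built to make: the baseline is per account, so a service account checking out credentials at 01:00 every night is normal while an administrator doing so from a user workstation is not, and an account that appears with no baseline at all is itself a finding, since it is either a gap in the inventory or a credential that has never been used this way before.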

Stories by Antone Gonsalves