FireEye Uncovers Chinese Cyber Espionage Campaign Targeting European Ministries of Foreign Affairs
Posted: Wed Dec 11, 2013 02:05:25 PM
Five Government Ministries in Five European Union Countries Compromised.
Milpitas, CA - Dec 11, 2013 - FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today announced the release of a new report detailing cyber espionage attacks on European Ministries of Foreign Affairs (MFA). The report, "Operation 'Ke3chang': Targeted Attacks Against Ministries of Foreign Affairs", is available for download here.
The cyber espionage campaign, dubbed "Operation Ke3chang" by FireEye researchers, used the Syrian crisis to falsely advertise updates about the ongoing situation to compromise MFA networks in Europe. FireEye research has discovered that the attackers are likely operating out of China and have been active since at least 2010. However, the Syria-themed attacks against MFAs began only in August 2013. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria.[1]
"Diplomatic missions, including ministries of foreign affairs, are high-priority targets for today's threat actors," said Darien Kindlund, manager of threat intelligence at FireEye. "Large-scale cyber espionage campaigns have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber attacks."
FireEye gained visibility into one of 23 known command-and-control (CnC) servers operated by the Ke3chang actor for about one week. During this time, FireEye discovered 21 compromised machines connecting to the CnC server. These included what appeared to be three administrative tests by the attackers and two connections from other malware researchers. Among the targets, FireEye identified nine compromises at government ministries in five different European countries. Eight of these compromises were at MFAs.
While FireEye had visibility into the CnC server, researchers saw the attackers engage in post-compromise information gathering and lateral movement on the target network, whereupon FireEye immediately contacted the relevant authorities and began the notification process.
[1] G20 Leaders' Summit, St. Petersburg, September 5-6, 2013