September 21, 2012
In the latest string of cyberespionage attacks, Chinese hackers are targeting international energy, defense and critical infrastructure firms, according to reports.
Cyberespionage refers to the act of stealing secrets from organizations by spreading malicious software on employee computers. According to CNet, a Philippine oil company, a Taiwanese military organization and a Canadian energy firm - among other businesses in Brazil, Israel, Egypt and Nigeria - are the recent victims of an espionage campaign, discovered by researchers at Dell SecureWorks' Counter Threat Unit.
How computers become infected
Hackers are sending spear-phishing emails to mid-level and senior-level executives at these firms with a "dropper" disguised as a PDF document, which releases a trojan once it is downloaded, the source reported. One observed email displayed a video of a news story titled "Yemeni Women can participate in politics just like men, says President Saleh," which began playing once the malware had downloaded.
According to Silas Cutler, the researcher at Dell SecureWorks' Counter Threat Unit, the malware, known as "Mirage," leaves a backdoor open on the computer, through which a hacker can send instructions. To evade detection, the trojan disguises its traffic to look like a Google search carried over Secure Sockets Layer (SSL).
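Traffic that imitates a Google search over SSL still has to reach the attacker's own server, so a defender can look for connections whose name claims Google while the destination address does not, and then check whether those connections recur on a fixed schedule. The script below is an added illustration of that detection logic and is not code or data from Dell SecureWorks; the proxy log format, the log lines and the "trusted Google" address range are all constructed, and a real deployment would populate the trusted list from its own resolver logs rather than hard-code it.

```python
"""Flag TLS connections that claim to be Google searches but do not go to a
trusted Google address, then test whether they beacon on a regular interval.

All log lines and the trusted-address list are constructed for this example.
"""
import ipaddress
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder for the address space the organisation has actually
# seen www.google.com resolve to (TEST-NET-3 here, which is never routed).
TRUSTED_GOOGLE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy log, one connection per line (assumed format):
# "<ISO time> <client ip> <destination ip> <TLS SNI> <method> <path>"
SAMPLE_LOG = """\
2012-09-20T09:00:00 10.1.1.5 203.0.113.10 www.google.com GET /search?q=weather
2012-09-20T09:00:05 10.1.1.7 198.51.100.9 www.google.com GET /search?q=news
2012-09-20T09:03:00 10.1.1.9 203.0.113.12 www.google.com GET /search?q=lunch
2012-09-20T09:10:05 10.1.1.7 198.51.100.9 www.google.com GET /search?q=news
2012-09-20T09:20:06 10.1.1.7 198.51.100.9 www.google.com GET /search?q=news
2012-09-20T09:30:04 10.1.1.7 198.51.100.9 www.google.com GET /search?q=news
"""


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, client, dst, sni, method, path = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "dst": ipaddress.ip_address(dst), "sni": sni,
            "method": method, "path": path}


def looks_like_google_search(rec):
    """The disguise the article describes: a Google-looking name and a search path."""
    return rec["sni"].endswith("google.com") and rec["path"].startswith("/search")


def destination_is_trusted(addr):
    return any(addr in net for net in TRUSTED_GOOGLE_NETS)


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between events (0 = perfectly regular).

    Returns None with fewer than three events, since two gaps say little.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def find_suspects(log_text, max_cv=0.1):
    """Return {client ip: summary} for clients whose 'Google searches' go elsewhere.

    max_cv is the regularity threshold below which the pattern is called periodic.
    """
    by_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if looks_like_google_search(rec) and not destination_is_trusted(rec["dst"]):
            by_client.setdefault(rec["client"], []).append(rec)

    suspects = {}
    for client, recs in by_client.items():
        cv = beacon_regularity([r["ts"] for r in recs])
        suspects[client] = {
            "hits": len(recs),
            "destinations": sorted({str(r["dst"]) for r in recs}),
            "beacon_cv": cv,
            "periodic": cv is not None and cv <= max_cv,
        }
    return suspects


if __name__ == "__main__":
    for client, info in find_suspects(SAMPLE_LOG).items():
        print(client, info)
```

In the constructed log only 10.1.1.7 talks to an address outside the trusted range, and its four connections arrive roughly ten minutes apart, so it is reported as a periodic beacon; the two clients whose searches land on trusted addresses are not reported at all. The name-versus-destination check does the real work here; the interval test only ranks what it finds.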
To pinpoint the locations of targeted computers, researchers took over expired domains that some samples of the malware contacted and set up a "sinkhole" that collected information from infected machines. Through this process, researchers were able to detect 80 unique IP addresses affecting about 120 computers, CNet reported.
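A sinkhole only sees the public address each infected machine connects from, so the count of unique IP addresses (80) and the count of infected computers (about 120) differ whenever several machines share one address through NAT. The script below is an added example of how such sinkhole logs are summarised; it is not the Counter Threat Unit's code or data. The log format is assumed, the lines are constructed, and the per-machine identifier in the last column stands in for whatever host-specific value a beacon carries, which this article does not describe.

```python
"""Summarise constructed command-and-control sinkhole logs: unique source
addresses, unique infected machines, addresses that hide several machines,
and first/last contact per machine.

The log format and every line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Assumed format: "<ISO time> <source ip> <sinkholed domain> <machine id>"
SINKHOLE_LOG = """\
2012-08-01T02:14:00 192.0.2.10 expired-c2.example HOST-A
2012-08-01T02:15:30 192.0.2.10 expired-c2.example HOST-B
2012-08-01T03:00:00 198.51.100.77 expired-c2.example HOST-C
2012-08-02T02:14:02 192.0.2.10 expired-c2.example HOST-A
2012-08-02T11:00:00 203.0.113.5 other-expired.example HOST-D
2012-08-03T02:14:05 192.0.2.10 expired-c2.example HOST-A
"""


def parse_sinkhole(text):
    """Yield one record per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain, host = line.split()
        yield {"ts": datetime.fromisoformat(ts), "ip": ip,
               "domain": domain, "host": host}


def summarise(text):
    """Aggregate beacons by (source ip, machine id).

    Returns unique address and machine counts, the addresses that front more
    than one machine, and a per-machine record with first/last contact,
    hit count and the sinkholed domains it reached.
    """
    machines = {}
    for rec in parse_sinkhole(text):
        key = (rec["ip"], rec["host"])
        entry = machines.setdefault(
            key, {"first": rec["ts"], "last": rec["ts"], "hits": 0, "domains": set()})
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["hits"] += 1
        entry["domains"].add(rec["domain"])

    hosts_per_ip = defaultdict(set)
    for ip, host in machines:
        hosts_per_ip[ip].add(host)

    return {
        "unique_ips": len(hosts_per_ip),
        "unique_machines": len(machines),
        "nat_addresses": sorted(ip for ip, hosts in hosts_per_ip.items() if len(hosts) > 1),
        "machines": machines,
    }


def victims_by_ip(summary):
    """Map each source address to the machine ids seen behind it, for
    notification and geolocation work that operates per address."""
    grouped = defaultdict(list)
    for ip, host in sorted(summary["machines"]):
        grouped[ip].append(host)
    return dict(grouped)


if __name__ == "__main__":
    result = summarise(SINKHOLE_LOG)
    print(result["unique_ips"], "addresses,", result["unique_machines"], "machines")
    for ip, hosts in victims_by_ip(result).items():
        print(ip, hosts)
```

On the constructed data three source addresses account for four machines because 192.0.2.10 fronts two of them, which is the same effect that lets 80 addresses stand for roughly 120 computers in the article. The first/last timestamps per machine are what an analyst uses to tell long-running infections from one-off hits.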
Who's behind the assaults?
Dell SecureWorks traced some of the IP addresses and found that many were located on a Beijing network, which indicated to the company that the hackers are based in China, Help Net Security reported. Supporting this assessment, Dell found that the Honker Union of China, a hacker group, was responsible for creating the proxy software.
This is the second report of a cyberespionage campaign that Dell SecureWorks found this past year, according to Computer Weekly. Several petroleum companies in Vietnam, government ministries, an embassy and a nuclear safety agency were targeted by a malware called Sin Digoo. According to the source, experts believe that the same hacker group behind Sin Digoo is also behind Mirage. If not, then the two groups are at least working together.
To guard against malware of this kind, IT departments are urged to review their current cyber security defenses and add further layers of protection where necessary. Anti-hacking and anti-virus software should also be installed, along with passwords and encryption as forms of data loss prevention.
-McAfee Cloud Security