Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that cyberspies in that region may be just as interested in siphoning secrets from Russian targets.
Researchers at Milpitas, Calif.-based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian-language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.
According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack “Windows Simplified Chinese (PRC, Singapore).” The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.
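The attribution clue above comes from metadata the authoring system leaves inside the document itself. The following is an added example, not FireEye's tooling or anything from the article: it builds a small constructed .docx in memory and then pulls out the author fields and the language tags that Word records in its OOXML parts, the kind of check an analyst runs on a lure document before trusting the language it is written in. It assumes the modern OOXML (.docx) container; the older binary .doc format the campaign may have used stores the same properties in OLE streams and would need a different parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the OOXML parts we inspect.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx(creator, modified_by, lang, east_asia_lang):
    """Build a minimal constructed .docx (a zip of XML parts) in memory.

    This is a hypothetical sample for the demo, not the lure document from
    the article; only the parts the extractor looks at are included.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<dc:language>%s</dc:language>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, modified_by, lang)
    )
    # Word records the default proofing language (and the East Asian language
    # of the authoring system) in the document defaults of styles.xml.
    styles = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:styles xmlns:w="%s"><w:docDefaults><w:rPrDefault><w:rPr>'
        '<w:lang w:val="%s" w:eastAsia="%s"/>'
        "</w:rPr></w:rPrDefault></w:docDefaults></w:styles>"
        % (NS["w"], lang, east_asia_lang)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def extract_docx_indicators(docx_bytes):
    """Return author fields and every language tag found in a .docx."""
    ind = {"creator": None, "last_modified_by": None, "language": None,
           "style_langs": set()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("language", "dc:language")):
                node = root.find(path, NS)
                if node is not None and node.text:
                    ind[key] = node.text.strip()
        # Language tags can appear in the style defaults and on individual runs.
        for part in ("word/styles.xml", "word/document.xml"):
            if part in names:
                root = ET.fromstring(z.read(part))
                for lang in root.iter("{%s}lang" % NS["w"]):
                    for attr in ("val", "eastAsia", "bidi"):
                        value = lang.get("{%s}%s" % (NS["w"], attr))
                        if value:
                            ind["style_langs"].add(value)
    return ind


def foreign_language_tags(ind, expected_prefix):
    """Language tags that do not match the language the lure is written in.

    A Russian-language decoy carrying an East Asian default language is the
    kind of mismatch worth flagging for a closer look.
    """
    tags = set(ind["style_langs"])
    if ind["language"]:
        tags.add(ind["language"])
    return sorted(t for t in tags if not t.lower().startswith(expected_prefix.lower()))


if __name__ == "__main__":
    sample = build_sample_docx("analyst", "editor", "ru-RU", "zh-CN")
    found = extract_docx_indicators(sample)
    print(found)
    print("tags not matching the lure language:", foreign_language_tags(found, "ru"))
```

The mismatch check is deliberately weak evidence on its own: metadata is trivially editable and a document may legitimately carry several language tags, so it is an input to attribution alongside infrastructure and server-side observations, not a verdict.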
Update, 1:05 p.m. ET: FireEye just published a blog post about this research, which indicates they now believe the likely source of this attack was Korea, not China. The headline to this story has been modified.
The attackers responsible for this campaign apparently did little to obfuscate the “drop site” where the passwords and other data stolen from victim machines were being deposited; FireEye found that the purloined information was sent to a public message board that does not require authentication. Lanstein said the company is still working to decrypt the stolen data, but that a majority of the victim PCs traced back to Internet addresses in Russia, and included the SuperComputer Center of the Russian Academy of Sciences, as well as other Russian research and educational institutions (PDF).
“This case was interesting because it’s offensive cyber stuff that doesn’t seem to include the United States,” Lanstein said. “It’s also interesting because the attackers did not use very sophisticated methods, yet they were able to compromise some high-profile targets while hiding in plain sight. It cost them nothing, and it shows that you don’t need to use the latest tools to develop your own espionage network.”