Evidence of Chinese Attacks on US Defense Contractors

Monday, January 30, 2012

Plagiarist Paganini


(Translated from the original Italian)

It's not first time - and the news itself doesn't represent a surprise - but once again Chinese hacker groups are involved in cyber intelligence operations against western companies with the intent to steal critical information. 

Symantec researchers have proved the involvement of Chinese groups in attacks, alerting the international community regarding the target attacked, including major U.S. defense contractors.

The trend the hackers established is most often to obtain information regarding government activities and they prefer to attack private companies that collaborate with it, commonly referred to as contractors.

The targets are often more exposed despite the government asking to the contractors for compliance with specific standards regarding information management implemented to guarantee the confidentiality and integrity of data stored.

The government of China is accused of systematically attacking the computer networks of western governments and corporations. Beijing is successfully stealing sensitive research and development, software source code, manufacturing know-how and government plans.

The shadow of China is behind the famous unauthorized network access events at several U.S. defense contractors, and they may also be responsible for the RSA SecurID breach, as well as the massive attacks against Japanese institutions. We are facing with a new 'cold war', but this time the challenge is to obtain dominance in cyberspace.

Contractors with relationships to government in the security supply chain are considered weak links, with a potentially vulnerable interface between very different worlds. Economic crisis, constant budget cuts to many aspects of manufacturing processes where safety should come first and foremost, have led to an exposure that is difficult to manage. 

Given the increasing number of attacks recorded against these sectors, it is essential that relationships with contractors constantly be reviewed and revised by the authorities in order to avoid potentially dangerous data breaches.

It is difficult to lock down facilities when you leave the keys in the lock - the keys representing contractor careless and ignorance to security aspects of technological change we are experiencing.

It is questionable whether the outsourcing of many government activities can be really useful to reduce the direct costs if we must also take into account the indirect costs related to management of risk in information exposure.

This brings us back to the recently discovered attacks which used malicious PDF documents exploiting an Adobe Reader bug (patched last month) that was used to infect Windows PCs with a trojan called "Sykipot". 

As described in my previous article, Sykipot is a trojan with backdoor features that was already used in other attacks against US PKI infrastructure based on smart cards.

The latest vulnerability involved the application's Universal 3D file format (U3D) and could allow attackers the ability to remotely take over an infected network, causing system crashes and conducting denial of service exploits.

The Symantec researchers discovered one of the main servers, a machine that physically maintains more that 100 malformed PDFs used during the attack, is located in Beijing and hosted by one of the country's largest Internet service providers. 

More in detail, Symatec researchers have discovered the real architecture used for the attacks that also includes other machines responsible for the modification of the malicious PDF documents, activities necessary to avoid the antivirus action on the target.

At least six Chinese IP addresses were used to proxy or host the command and control (C&C) servers. The Netbox webserver used in the C&C servers is mainly used by those who speak Chinese. In fact, all the documentation to setup and learn the framework is only available in Mandarin.

Analysis has also been provided by researchers at AlienVault security firm which declared that the server used in the operations is Windows based with a high probability of being located in China. It's difficult to gain certainty of this - proxy usage, routing tricks, and spoofed IP addresses can be easily coordinated to give evidence of a false attack origin.

Researchers have also collected evidence that the hackers who connected to the staging server did so from Zhejiang province on eastern coast of China.

A specific feature of the Sykipot attacks is a hard-code identifier of the malware used by the creator in each operation to evaluate the effectiveness of the attacks. Symantec has maintained a cautious position doesn't link the hackers directly with the Chinese Government, but the clues do demonstrate the origin of the attacks are Chinese.

"Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China," Symantec stated.

What is interesting is the ability to exploit a zero day vulnerability and also the process used to avoid antivirus actions with continuous modification to the malware, that proves that behind the operation there are a skilled group that manages each attack like an ongoing project.

The defense contractor company Lockheed Martin had discovered the vulnerability used and was among the victims of the attacks.

In Italy we say: <>


Cross-posted from Security Affairs

Possibly Related Articles:
China malware Defense Government Symantec PDF hackers AlienVault trojan Sykipot Pierluigi Paganini
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.