According to a report from researchers at US security outfit FireEye, a number of computers belonging to diplomats attending the G20 summit in Russia three months ago, including at least five European foreign ministries, were successfully targeted by Chinese hackers.

FireEye researchers had monitored a server, one of 23, used by the Ke3chang group in August. This enabled them to observe the malware in action, although FireEye says that, as far as it was aware, no data was stolen during the period of observation. Naturally the security firm contacted the relevant authorities as soon as it realised what was underway. The circumstantial evidence collected at the time leads FireEye to believe that Chinese hackers were carrying out the attacks, although it admits it could also have been 'other actors' making it look like the Chinese were to blame. In the murky world of international espionage, such things are rarely clear cut. If it were a matter of misdirection, then it would appear to be a cleverly crafted one, with Chinese words on the command-and-control (CnC) panels, servers registered in China and linguistic clues within the malware binaries pointing towards a Chinese coder.

The attack, nicknamed Ke3chang by the researchers, used fairly standard social engineering infection methods such as emails with attachments leading to malware installation once opened. These attachments were well targeted, apparently, with some purporting to be documents revealing a plan by the US to intervene in the Syrian crisis whilst others claimed to be photos of Carla Bruni (glamorous wife of former French President Nicolas Sarkozy) naked. That such methods should work in what you might expect to be a rather tightly secured arena, and I would certainly expect government networks at this level to be just that, is something of a wake-up call for everyone. Not least as it suggests that further down the security food chain, and that means ordinary businesses like yours and mine, the risk of intrusion through such primitive means is likely even greater.

This is especially so when you consider that the attack targeted users with privileged access in order to gain entry to the diplomatic systems. Matt Middleton-Leal, regional director, UK & Ireland at CyberArk, says "the alleged methods used by cyber spies in infiltrating the computer systems of European diplomats are a classic example of the tactics in use by today’s cyber criminals. Social engineering has been a key tool for hackers looking to breach a network, whether using spoof emails – as in this case – or even by creating fake websites to take advantage of simple human curiosity. Once inside a target system, criminals almost always seek out the privileged accounts and credentials that exist within, as these provide the most powerful and far-reaching access, allowing attackers to cause the most damage."

So what should the average business take away from all this? Simple: the most effective place to begin when securing corporate networks is from within. Privileged accounts and credentials are not only vulnerable to abuse or accidental misuse by employees, but are also a highly sought-after target of external attackers, as seen in almost all data breaches in recent years. "With the stakes higher than ever, it is essential that organisations are fully aware of their privileged account security problem, whether in corporate networks or Government organisations," Middleton-Leal warns, concluding "furthermore, all privileged user access and activity should be monitored and controlled, with a system in place to flag any suspicious behaviour, allowing incident response teams to intervene in real-time and before any damage is done."
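To make that last recommendation concrete, here is a small illustration of what "monitor privileged access and flag suspicious behaviour" can look like in code. It is an added example written for this article, not code from FireEye's report or from CyberArk: the log format, account names, hostnames, business-hours window and failure threshold are all constructed for the demonstration. It learns which hosts each privileged account normally logs on from during a baseline period, then flags later privileged logons from a never-seen host, logons outside the assumed working hours, and a run of failed logons followed by a success.

```python
"""Toy privileged-account activity monitor (added example, not from the article).

Reads constructed authentication log lines of the form
    <ISO timestamp> user=<name> host=<name> event=logon result=<success|failure> privileged=<true|false>
builds a per-account baseline of hosts from a quiet period, and emits alerts
for deviations in a later window. Thresholds and the log format are assumptions
made for this example, not derived from any real product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")   # timestamp, then key=value pairs
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 treated as normal (assumption)
FAILED_BURST = 3                           # failures before a success that warrant an alert


def parse_line(line: str) -> dict:
    """Turn 'TS k=v k=v ...' into a dict; the timestamp is parsed under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.fromisoformat(m.group(1))
    return fields


def build_baseline(lines: list[str]) -> dict[str, set[str]]:
    """Map each privileged account to the hosts it logged on from successfully."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev.get("privileged") == "true" and ev.get("result") == "success":
            hosts[ev["user"]].add(ev["host"])
    return dict(hosts)


def detect(lines: list[str], baseline: dict[str, set[str]]) -> list[str]:
    """Return one alert string per suspicious privileged-account event."""
    alerts: list[str] = []
    failures: dict[str, int] = defaultdict(int)   # consecutive failures per account
    for line in lines:
        ev = parse_line(line)
        if ev.get("privileged") != "true":
            continue                               # only privileged accounts are in scope
        user, host, ts = ev["user"], ev["host"], ev["ts"]
        if ev.get("result") == "failure":
            failures[user] += 1
            continue
        # A successful logon: compare against the failure run and the learned baseline.
        if failures[user] >= FAILED_BURST:
            alerts.append(f"{ts.isoformat()} {user}: success after {failures[user]} failures from {host}")
        failures[user] = 0
        if host not in baseline.get(user, set()):
            alerts.append(f"{ts.isoformat()} {user}: first use from unknown host {host}")
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{ts.isoformat()} {user}: logon outside business hours from {host}")
    return alerts


# Constructed sample data: a quiet baseline week, then the day under review.
BASELINE_LOGS = [
    "2013-08-05T08:02:11 user=admin_ops host=WS-ADMIN-01 event=logon result=success privileged=true",
    "2013-08-06T09:15:40 user=admin_ops host=WS-ADMIN-01 event=logon result=success privileged=true",
    "2013-08-07T08:44:02 user=admin_ops host=WS-ADMIN-02 event=logon result=success privileged=true",
    "2013-08-07T10:01:09 user=jdoe host=WS-117 event=logon result=success privileged=false",
]

REVIEW_LOGS = [
    "2013-08-14T09:05:00 user=admin_ops host=WS-ADMIN-01 event=logon result=success privileged=true",
    "2013-08-14T22:13:44 user=admin_ops host=WS-117 event=logon result=success privileged=true",
    "2013-08-14T22:20:01 user=svc_backup host=SRV-FILE-03 event=logon result=failure privileged=true",
    "2013-08-14T22:20:05 user=svc_backup host=SRV-FILE-03 event=logon result=failure privileged=true",
    "2013-08-14T22:20:09 user=svc_backup host=SRV-FILE-03 event=logon result=failure privileged=true",
    "2013-08-14T22:20:13 user=svc_backup host=SRV-FILE-03 event=logon result=success privileged=true",
    "2013-08-14T23:00:00 user=jdoe host=WS-117 event=logon result=success privileged=false",
]


def run() -> list[str]:
    """Evaluate the review window against the baseline; returns the alert list."""
    return detect(REVIEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run against the constructed data it raises five alerts: the admin account appearing on an ordinary user's workstation late at night (two alerts, unknown host and off-hours), and the service account succeeding after three failures, from a host it has never used, outside business hours (three alerts). The non-privileged user's late logon is deliberately ignored, which is the point of scoping the monitor to privileged accounts first: the signal-to-noise ratio is far better there, and it is where an intruder who has landed via a phishing attachment will be heading next.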


Thanks for this article, I'm going to spread it around the company I work for so some people can know about this in case it happens to us.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
