San Francisco, Dec. 10: Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers.
The attacks, which began in 2010, are continuing, according to a report to be released today by FireEye, a computer security company in Milpitas, California.
Though researchers do not name the hackers’ targets in the report, The New York Times identified the foreign ministries through email addresses listed on the attackers’ web page. A person with knowledge of the investigation confirmed that the foreign ministries of the five countries had been breached.
Even as revelations by Edward J. Snowden about surveillance conducted by the National Security Agency and its intelligence partners dominate attention, the FireEye report is a reminder that Chinese hackers continue to break into the computer systems of governments and firms using simple, email-based attacks.
The FireEye report does not link the attacks to a specific group in China, but security experts say the list of victims points to a state-affiliated campaign. “Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” said Nart Villeneuve, the researcher who helped lead FireEye’s efforts.
Last year, Villeneuve, then a researcher at Trend Micro, a security company in Tokyo, traced a series of attacks on firms in Japan and India, as well as Tibetan activists, to a former graduate student at Sichuan University who had joined Tencent, China’s leading Internet company.
Villeneuve said the current hacks were highly selective. Researchers first began tracking the campaign — which they call “Ke3Chang” after a reference buried in the malware code — in 2011.
The attackers sent their targets emails with a link that claimed to contain naked photos of Carla Bruni-Sarkozy, wife of former President Nicolas Sarkozy of France.
Once the link was clicked, the attackers were able to gain a foothold in their targets’ computer networks, though investigators said they were unable to see which files the attackers had taken. The closest they came was last August, when FireEye’s researchers were able to infiltrate one of the group’s 23 command-and-control servers for one week.