Persistent cyber attacks targeting the defence and aerospace industries have been spotted, going back as far as April 2011, and China has been implicated.
Security company FireEye spotted the “Beebus” attacks, which used malicious PDF and .DOC files to infect targets with malware. That malware then drops a DLL (dynamic-link library) named ntshrui.DLL into the C:\Windows directory; it does so to achieve persistence, FireEye said. The malicious files were executed either after successful spear phishing or through drive-by downloads.
FireEye did not venture to say where the attack came from, but said it derived a link to China from the technical make-up of the attacks. The command and control infrastructure in the attacks used “bee.businessconsults.net” as a host.
Subdomains of “businessconsults.net” have been used as command and control nodes for the “HUC Packet Transmit Tool”, a TCP proxy tool used by the attackers who breached RSA in early 2012, which some believe China took part in.
Furthermore, those RSA hackers used obfuscated or encrypted HTML comments embedded in websites, in order to indirectly control compromised endpoints, FireEye said. That technique was reportedly used by the “Comment Group” or “Comment Team” hacking collective, believed to be associated with the Chinese government.
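The article's one concrete network indicator is the C2 host and its parent domain. The following is an added defender-side example, not code from the article or from FireEye: it scans DNS query logs for the parent domain businessconsults.net and any subdomain of it, the way an analyst would hunt for the C2 traffic described above. The log format and every log line are constructed for this example; the only real value is the domain quoted in the article. Note the suffix check is done on a label boundary, so a look-alike such as "notbusinessconsults.net" is not counted as a hit.

```python
import re
from collections import Counter

# Indicator from the FireEye report quoted in the article: subdomains of
# businessconsults.net served as C2 nodes (bee.businessconsults.net for Beebus).
C2_DOMAINS = {"businessconsults.net"}

# Constructed sample DNS query log (timestamp, source IP, "query", type, name).
# These lines are fabricated for the example and are not real traffic.
SAMPLE_LOG = """\
2013-02-04T09:12:01Z 10.0.0.15 query A bee.businessconsults.net.
2013-02-04T09:12:03Z 10.0.0.15 query A www.example.com.
2013-02-04T09:13:44Z 10.0.0.22 query A BEE.BusinessConsults.NET
2013-02-04T09:14:10Z 10.0.0.31 query A notbusinessconsults.net.
2013-02-04T09:15:55Z 10.0.0.15 query TXT update.businessconsults.net.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matches_c2(qname, c2_domains=C2_DOMAINS):
    """Return the matching C2 parent domain, or None.

    A hit is the domain itself or any subdomain of it. The '.' prefix on the
    suffix check keeps look-alikes such as notbusinessconsults.net from matching.
    """
    n = normalize(qname)
    for domain in c2_domains:
        d = normalize(domain)
        if n == d or n.endswith("." + d):
            return d
    return None


def scan_dns_log(text, c2_domains=C2_DOMAINS):
    """Parse each log line and collect (timestamp, source, qname, c2 domain) hits."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        d = matches_c2(m["qname"], c2_domains)
        if d:
            hits.append((m["ts"], m["src"], normalize(m["qname"]), d))
    return hits


def hosts_by_hits(hits):
    """Count hits per source host so the noisiest endpoint surfaces first."""
    return Counter(src for _, src, _, _ in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for ts, src, qname, d in found:
        print(f"{ts} {src} -> {qname} (matches {d})")
    print(hosts_by_hits(found))
```

Run against real resolver logs, the parser regex is the only part that needs adapting; the suffix logic and the per-host tally carry over unchanged.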
China has been in the cyber security press rather a lot recently. It has been linked with attacks on various US media organisations, including the Wall Street Journal and the New York Times, as well as Twitter.
The Wall Street Journal reported this week that Google chairman Eric Schmidt had some strong words to say about China, in a book called The New Digital Age. Along with his co-writer, head of Google Ideas Jared Cohen, Schmidt said China was “the world’s most active and enthusiastic filterer of information” and “the most sophisticated and prolific” hacker of foreign companies.
The attackers used some nifty tricks to prevent detection and interference. The base64 routine used to encode pilfered information uses an alphabet that differs from the standard one, making inspection by men-in-the-middle, or “on the wire” snoopers, less likely to succeed.
The hackers also used intriguing keywords, apparently chosen to tag individual attacks on their command and control infrastructure, including the Japanese name Osamu.
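To show why a non-standard base64 alphabet defeats a casual on-the-wire decoder, and how an analyst recovers the data once the alphabet is known, here is an added example that is not code from the article or from FireEye. The custom alphabet below is constructed for illustration and is not the one the Beebus malware used; the sample payload is likewise made up.

```python
import base64
import string

# The standard RFC 4648 alphabet (A-Z, a-z, 0-9, +, /).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed, hypothetical attacker alphabet: same 64 symbols reordered, with
# '-' and '_' standing in for '+' and '/'. Not the real Beebus alphabet.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"


def check_alphabet(alphabet):
    """A usable base64 alphabet has 64 distinct symbols and does not use the pad char."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")
    return True


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET):
    """Standard base64, then a 1:1 symbol substitution into the custom alphabet."""
    check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET):
    """Reverse the substitution and decode as ordinary base64."""
    check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def standard_decode_or_none(text):
    """What a generic wire sniffer would get: standard decoding, or None if it is not even valid."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample of exfiltrated content (fictional).
    secret = b"project list: sample-program-A, sample-program-B"
    wire = custom_b64encode(secret)
    print("on the wire:", wire)
    print("naive standard decode:", standard_decode_or_none(wire))
    print("decoded with the right alphabet:", custom_b64decode(wire))
```

The naive decode either fails outright (when '-' or '_' appears) or yields bytes that bear no resemblance to the plaintext, which is exactly the evasion the article describes. Recovering the alphabet from samples is the analyst's job; once it is known, decoding is a single translation table.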
“There is no specific pattern to this attack, we have seen days on which multiple weaponised emails were sent to several companies, and on other days we observed that the threat actor sent only one email to a specific target organisation,” FireEye wrote in its blog post.
See below for FireEye’s table showing how the volume of the attack has risen and fallen over the months:
FireEye did not specify which firms were targeted, or where they hailed from.