
China accused of decade-long Asia cyber espionage campaign

A hacking group that appears to be backed by the Chinese state has been stealing information from journalists, dissidents and foreign companies for more than a decade, according to a report by a US cyber security company.

FireEye said the group was distinguished by its ability to evade detection for so long and by its capability to launch technically sophisticated attacks on secure "air gap" networks, that is, networks that are not connected to the internet.

Details of the attack methods were published in a report on Monday, based mainly on analysis of a malware program the hacking group has used to steal information since 2004, according to FireEye.

The hacker group, which FireEye refers to as APT30, is one of a few dozen it tracks and one of 20 it says are probably controlled by the Chinese state.

Bryce Boland, FireEye's chief technology officer, said he was confident of Chinese state involvement based on the "victimology" of the hackers. Mr Boland said that the group had stolen information "about journalists, dissidents and political developments in relation to China, targeting government and military organisations, and targeting economic sectors of interest to China's economy".

For security reasons, FireEye declined to name the targets or victims of the attacks. The malware used by the group infects targeted computers through "spear phishing" attacks, in which an email crafted to appear to come from a trusted source is sent to a specific target.

Based on screenshots of the malware provided by FireEye, the program is named Wang Luo Shen Ying or "Mysterious Eagle" in Chinese, and written to be operated by Chinese-language users. The screenshots also revealed what appeared to be contact details for the developer of the software in the form of an address on QQ, a messaging app popular in China.

However, after being contacted by the FT, the QQ user denied having anything to do with the malware and insisted the contact details must have been stolen. The QQ user declined to answer further questions and immediately signed off.

The malware includes sophisticated tools to infiltrate "air gap" networks, the secure networks that are kept disconnected from the internet. It does so by infecting USB drives, which can carry the malware from an infected, internet-connected machine to an air-gapped computer when the drive is plugged into it.

"That shows the sophistication in targeting the more sensitive government networks, and particularly military and non-internet connected networks," said Mr Boland. "The capability to attack air-gapped networks is not unique but it is certainly not common."

Mr Boland said the only known case of a successful attack on an air-gap network was a 2007-2008 hack on the US department of defence that originated in Russia.

He said FireEye had no proof that APT30 had successfully attacked an air-gap network. "But given that this group has been operating for nearly a decade and hasn't been detected, that indicates that they've had some level of success."
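The USB-drive route into air-gapped networks described above is the vector a practitioner would most want a check for when media comes off a sensitive network. The following is an added example, not code from the FT article or from FireEye's APT30 report: a Python triage script for the root of a removable volume. The indicators it looks for (an autorun.inf and the commands it would launch, hidden executables, double-extension lures such as report.pdf.exe, and a shortcut file shadowing a hidden folder of the same name) are generic, assumed traits of USB-borne malware and are not behaviours the report attributes to APT30. The sample volume the script builds for its demo is constructed; the file names and contents are fictitious.

```python
"""Triage the root of a removable volume for indicators of USB-borne malware.

Added example (not from the FT article or FireEye's APT30 report). The
indicators below are generic assumptions about how malware stages itself on
removable media, not anything the report states about APT30:
  * autorun.inf at the volume root and the commands it would launch
  * executables hidden from a casual directory listing
  * double-extension lures (report.pdf.exe)
  * a .lnk shortcut shadowing a hidden folder of the same name
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
DOC_EXTS = "pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|png|txt"
# "report.pdf.exe": a document-looking name followed by a second, real extension.
DOUBLE_EXT = re.compile(rf"\.({DOC_EXTS})\.[a-z]{{2,4}}$", re.I)
# Keys in [autorun] that cause execution when the volume is mounted.
AUTORUN_CMD = re.compile(r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the volume root, POSIX separators
    reason: str


def is_hidden(p: Path, root: Path) -> bool:
    """True if p or any directory between p and root is hidden.

    Uses the dotfile convention on Unix (a stand-in for the demo) and the
    FILE_ATTRIBUTE_HIDDEN bit on Windows, where FAT volumes are usually read.
    """
    for part in (p, *p.parents):
        if part == root:
            break
        if part.name.startswith("."):
            return True
        attrs = getattr(part.lstat(), "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
            return True
    return False


def autorun_targets(text: str) -> list[str]:
    """Return the commands an autorun.inf would launch; icon=/label= lines are ignored."""
    return [m.group(2) for line in text.splitlines() if (m := AUTORUN_CMD.match(line))]


def triage(root_dir: str) -> list[Finding]:
    """Walk a mounted volume and report the indicators listed in the module docstring."""
    root = Path(root_dir)
    findings: list[Finding] = []

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings.append(Finding(rel(autorun), "autorun.inf at volume root"))
        for cmd in autorun_targets(autorun.read_text(errors="replace")):
            findings.append(Finding(rel(autorun), f"autorun launches: {cmd}"))

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if ext in EXEC_EXTS and is_hidden(p, root):
                findings.append(Finding(rel(p), "hidden executable"))
            if DOUBLE_EXT.search(name):
                findings.append(Finding(rel(p), "double extension lure"))
            if ext == ".lnk":
                # A visible "Photos.lnk" next to a hidden "Photos" folder is the
                # classic trick for getting a user to click the payload.
                for cand in (p.parent / p.stem, p.parent / ("." + p.stem)):
                    if cand.is_dir() and is_hidden(cand, root):
                        findings.append(Finding(rel(p), f"shortcut shadows hidden folder {rel(cand)}"))
    return findings


def build_sample(root_dir: str) -> None:
    """Constructed sample volume for the demo; every file here is a fictitious placeholder."""
    r = Path(root_dir)
    (r / "autorun.inf").write_text("[autorun]\nopen=.sys\\update.exe\nicon=.sys\\drive.ico\n")
    (r / ".sys").mkdir()
    (r / ".sys" / "update.exe").write_bytes(b"MZ constructed placeholder")
    (r / "report.pdf.exe").write_bytes(b"MZ constructed placeholder")
    (r / "Photos.lnk").write_bytes(b"L\x00\x00\x00 constructed placeholder")
    (r / ".Photos").mkdir()
    (r / ".Photos" / "holiday.jpg").write_bytes(b"\xff\xd8 constructed placeholder")
    (r / "minutes.docx").write_bytes(b"PK constructed clean file")


def demo() -> list[tuple[str, str]]:
    """Build the constructed volume in a temp dir, triage it, return sorted (path, reason) pairs."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return sorted((f.path, f.reason) for f in triage(d))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path:20} {reason}")
```

In practice the argument to `triage()` is the mount point of the drive, ideally inspected on a dedicated scanning host rather than on the air-gapped system itself. The checks are deliberately cheap heuristics: a drive that produces no findings has not been shown clean, it has only failed to trip these four indicators, and malware that relies on a user double-clicking an ordinary-looking executable will pass them all.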

It was curious, he said, that APT30 had not changed its malware since 2004, and that it appeared to work in shifts. "It is an ongoing and almost bureaucratic organisation . . . It's unusual for us to find a group operating for nearly a decade without being detected to the point where they had to change their infrastructure."

Additional reporting by Ma Fangjing

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation
