Chinese accused of hacking European ministries' computers ahead of G20

US computer security firm says five nations were monitored through e-mails before a key meeting to mull action on the Syria crisis

PUBLISHED : Tuesday, 10 December, 2013, 9:45pm
UPDATED : Tuesday, 10 December, 2013, 9:45pm

Chinese hackers eavesdropped on the computers of five European foreign ministries before last September's G20 summit, which was dominated by the Syrian crisis, according to research by computer security firm FireEye.

The hackers infiltrated the ministries' computer networks by sending e-mails to staff containing tainted files with titles such as "US_military_options_in_Syria", said FireEye, which sells virus-fighting technology. When recipients opened the documents, they loaded malicious code on to their personal computers.


California-based FireEye said that for about a week in late August its researchers were able to monitor the "inner workings" of the main computer server used by the hackers to conduct their reconnaissance and move across compromised systems.

FireEye lost access to the hackers after they moved to another server shortly before the G20 event in St Petersburg, Russia. FireEye said it believed the hackers were preparing to start stealing data just as the researchers lost access.

The United States company declined to identify the nations whose ministries were hacked, although it said they were all members of the European Union. FireEye said it reported the attacks to the victims through the US FBI.

A spokeswoman for the FBI, Jenny Shearer, declined to comment.

"The theme of the attacks was US military intervention in Syria," said FireEye researcher Nart Villeneuve, one of six researchers who prepared the report. "That seems to indicate something more than intellectual property theft ... The intent was to target those involved with the G20."

The September G20 summit was dominated by discussion of the Syrian crisis, with some European leaders putting pressure on President Barack Obama to delay taking military action against Syrian President Bashar al-Assad.

Villeneuve said he was confident that the hackers were from China based on a variety of technical evidence, including the language used on their control server, and the machines they had used to test their malicious code.

Villeneuve said he did not have evidence, however, that linked the hackers to the Beijing government. "All we have is technical data. There is no way to determine that from technical data," he said.

Officials at the Chinese embassy in Washington could not immediately be reached for comment.

Western security firms monitor several dozen hacking groups operating in China, most of which they suspect of having ties to the government. The firms also suspect the hacking groups of stealing intellectual property for commercial gain.

China has long denied those allegations, saying it was the victim of spying by the US. Those claims gained some credibility after former National Security Agency contractor Edward Snowden began leaking documents about US surveillance of foreign countries, including China.

FireEye said it had been following the hackers behind the Syria-related attack for several years, but this was the first time the group's activities had been publicly documented.

The company calls the group "Ke3chang", after the name of a file used by one of its pieces of malicious software.

FireEye said it believed the hackers dubbed the Syria-related campaign "moviestar" because that phrase was a tag on communications between infected computers and the hackers' command-and-control server.