Chinese Hackers Stole Documents About Syrian Crisis From 5 European Countries Before G-20 Summit

A computer security firm identified an organized cyberattack on five European ministries just before the September G-20 Summit in St. Petersburg, Russia. According to Milpitas, Calif.-based FireEye Inc. (NASDAQ:FEYE), Chinese hackers infiltrated the ministries using an email phishing scheme to steal documents related to the Syrian crisis.

The hackers sent emails to staff members containing files with misleading titles like “US_military_options_in_Syria.” The files contained malware that installed onto the computers after the files were opened.

FireEye tracked the hackers for a week before the G-20 summit kicked off in Russia, but they lost the trail when the hackers moved to a new server. FireEye reported the attacks to the FBI.

FireEye didn’t mention which countries were targeted, but it did state that all five were members of the European Union.

Nart Villeneuve, a FireEye researcher who worked on the project, said that while there is no evidence directly linking the hackers to the Chinese government, there is data from the control server and the malware’s code that suggest that the hackers are from China. The servers used by the hackers frequently used the word “consulate,” leading FireEye to conclude that the attack was politically motivated.

Villeneuve told International Business Times that FireEye discovered the cyberattack while it was collecting information about a hacker group known as “Ke3chang.” While looking at the malware and servers used by Ke3chang, FireEye located this attack, codenamed “moviestar,” and was able to monitor the types of information the hackers acquired from the victims.

Villeneuve said Ke3chang has used three types of malware since 2010, and that the malware is the evolution of a single project from a hacker or team of hackers. Villeneuve said it’s a common malware that “has the ability to upload and download files, run shell commands, and sleep for a configurable amount of time.”

According to Reuters, the Ke3chang hackers ran a cyberattack codenamed “snake” in 2011 that targeted the G20 Finance Ministers meeting in Paris. For that attack, the Ke3chang hackers sent the malware disguised as nude pictures of Carla Bruni, the wife of former President of France, Nicolas Sarkozy.