Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs

This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.

Our report provides further proof that cyber espionage is a reality in today’s world. First, attackers appear to have no financial incentive to hit these targets. Instead, the goal appears to be collecting time-sensitive geopolitical information — in this case, insight into the intense international diplomacy surrounding Syria’s ongoing civil war.

FireEye was able to access just one of 23 command-and-control (CnC) servers responsible for managing cyber espionage against a handful of countries. But how many more countries were attacked? How many more CnC servers are a part of this attack campaign? Only the attackers know for sure — but the known scope of their efforts implies that this was only the tip of a much larger iceberg.

Since we began writing this report, this APT has continued its cyber espionage activities. Furthermore, we have recently located an additional cluster of Ke3chang activity.

This new cluster centers on CnC domain names registered by the following email addresses:

  • consulsweden@gmail.com
  • zaharia.cnn@gmail.com

The samples we analyzed are updated variants of the “MyWeb” version of the Ke3chang malware, and they contain the string “ungeilivable” (which in Chinese cyber slang means “dull” or “not cool”). The first sample we analyzed used the domain teleramafr.com, which may be a reference to telerama.fr, a French magazine. This is consistent with another domain registered by the attackers, lemondebe.org, which appears to reference the French newspaper Le Monde. The domains within this cluster are:

  • teleramafr.com
  • belgiquede.com
  • lemondebe.org
  • istafrica2013.org

These domains are linked through the common use of IP and email addresses.

Figure 1: Ke3chang linkages

We have constructed a timeline of activity for these samples, which indicates that the activity of these attackers continues unabated.

| Dropped File MD5 | Compile Date | Family | URI | Tag | CnC Domain |
|---|---|---|---|---|---|
| a8d6302b5711699a3229811bdad204ca | 2013-05-02 | MyWeb | | | www.teleramafr.com |
| 153b035161c8f50e343f143d0f9d327f | 2013-05-30 | MyWeb | | | nasdaq.teleramafr.com |
| e8c26a8de33465b184d9a214b32c0af8 | 2013-10-21 | BS2005 | shfam9y | tiger | www.peddy.acmetoy.com |
| e0abc2e1297b60d2ef92c8c3a0e66f14 | 2013-10-23 | MyWeb | | | site.belgiquede.com |
| 56dd30a460cdd3cf0c5356558550e160 | 2013-10-23 | MyWeb | | | go.teleramafr.com |
| 89495d7f2f79848693f593ea8385c5cd | 2013-10-23 | MyWeb | | | |

This activity overlaps substantially with the Ke3chang infrastructure documented in our report.

Figure 2: Ke3chang infrastructure linkages

Figure 3: Ke3chang domain linkages

In particular, we found considerable overlap on the IP address 103.246.244.196. Several Ke3chang domain names, such as cascais.epac.to, www.errorreporting.sendsmtp.com, and www.sumba.freetcp.com, have resolved to this same IP address.
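The linkage analysis behind Figures 1 to 3 (domains tied together by a shared registrant email or a shared resolving IP, such as 103.246.244.196) can be reproduced with a small union-find over enrichment records. The following is an added example and not code from the FireEye report; the records are constructed for illustration, and which email or IP is paired with which domain here is an assumption, not data from WHOIS or passive DNS.

```python
from collections import defaultdict

# Constructed records (domain, registrant_email, resolved_ip). The domains,
# e-mails and the IP 103.246.244.196 appear in the post; which domain is
# paired with which e-mail or IP here is an assumption for illustration.
RECORDS = [
    ("teleramafr.com",         "consulsweden@gmail.com", "203.0.113.10"),
    ("belgiquede.com",         "consulsweden@gmail.com", "203.0.113.11"),
    ("lemondebe.org",          "zaharia.cnn@gmail.com",  "203.0.113.11"),
    ("istafrica2013.org",      "zaharia.cnn@gmail.com",  "103.246.244.196"),
    ("cascais.epac.to",        None,                     "103.246.244.196"),
    ("www.sumba.freetcp.com",  None,                     "103.246.244.196"),
    ("unrelated-site.example", "other@example.net",      "198.51.100.5"),
]


def _find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def shared_pivots(records):
    """Map each (kind, value) pivot to the set of domains that share it.

    Only pivots seen on two or more domains are returned; a value seen
    once links nothing.
    """
    pivots = defaultdict(set)
    for domain, email, ip in records:
        if email:
            pivots[("email", email)].add(domain)
        if ip:
            pivots[("ip", ip)].add(domain)
    return {p: d for p, d in pivots.items() if len(d) > 1}


def cluster_domains(records):
    """Group domains reachable from one another through any chain of pivots."""
    parent = {domain: domain for domain, _, _ in records}
    for domains in shared_pivots(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[_find(parent, other)] = _find(parent, first)
    clusters = defaultdict(set)
    for domain in parent:
        clusters[_find(parent, domain)].add(domain)
    return sorted(clusters.values(), key=len, reverse=True)
```

An IP pivot is only meaningful when the address is not shared hosting or a dynamic DNS provider's own infrastructure; a busy shared IP would pull unrelated domains into the cluster, so check the reverse DNS footprint of each IP before trusting a link built on it.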

We have also received a sample indicating activity by the Ke3chang attackers in 2010, around the time of a G20 meeting concerning the debt crisis in Ireland. In this case, the attackers distributed a malicious PDF file, shown in Figure 4.

Figure 4: Malicious PDF file used in the 2010 attack.

| Dropped File MD5 | Compile Date | Family | URI | Tag | C2 |
|---|---|---|---|---|---|
| 5ee81c755aa668fc12a9cbcbab51912f | 2010-05-10 | MyWeb | | | facebookhello.h1x.com |

We also found continuing Ke3chang activity that uses the BS2005 malware. Since finalizing our report, we have located additional samples.

| Dropped File MD5 | Compile Date | Family | URI | Tag | C2 |
|---|---|---|---|---|---|
| e8c26a8de33465b184d9a214b32c0af8 | 2013-10-21 | BS2005 | shfam9y | tiger | www.peddy.acmetoy.com |
| 34252b84bb92e533ab3be2a075ab69ac | 2013-11-05 | BS2005 | p3oahin | nice | apps.parts-sourcings.com |

These developments illustrate that the Ke3chang attackers remain active, are unlikely to cease their activities, and will simply evolve over time.