FireEye Uncovers Chinese Cyber Espionage Campaign Targeting European Ministries of Foreign Affairs
Five Government Ministries in Five European Union Countries Compromised
FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today announced the release of a new report detailing cyber espionage attacks on European Ministries of Foreign Affairs (MFA). The report, "Operation 'Ke3chang': Targeted Attacks Against Ministries of Foreign Affairs", is available for download here.
The cyber espionage campaign, dubbed “Operation Ke3chang” by FireEye researchers, used the Syrian crisis to falsely advertise updates about the ongoing situation to compromise MFA networks in Europe. FireEye research has discovered that the attackers are likely operating out of China and have been active since at least 2010. However, the Syria-themed attacks against MFAs began only in August 2013. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria.1
“Diplomatic missions, including ministries of foreign affairs, are high-priority targets for today’s threat actors,” said Darien Kindlund, manager of threat intelligence at FireEye. “Large-scale cyber espionage campaigns have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber attacks.”
FireEye gained visibility into one of 23 known command-and-control (CnC) servers operated by the Ke3chang actor for about one week. During this time, FireEye discovered 21 compromised machines connecting to the CnC server. These included what appeared to be three administrative tests by the attackers and two connections from other malware researchers. Among the targets, FireEye identified nine compromises at government ministries in five different European countries. Eight of these compromises were at MFAs.
While FireEye had visibility into the CnC server, researchers saw the attackers engage in post-compromise information gathering and lateral movement on the target network, whereupon FireEye immediately contacted the relevant authorities and began the notification process.
About FireEye, Inc.
FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,300 customers across more than 40 countries, including over 100 of the Fortune 500.
1 G20 Leaders' Summit, St. Petersburg on September 5-6, 2013
# # #
© 2013 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.