A series of highly-targeted malware attacks detected a year ago are almost certainly part of a longstanding and determined Chinese campaign to steal industrial secrets from US companies working in the field of UAVs (Unmanned Aerial Vehicles), security firm FireEye has claimed.
The idea that the Chinese state or its helpers might be conducting mass digital raids on US companies is no longer as contentious or extraordinary as it would once have seemed, which is just as well because ‘Operation Beebus’ (named after a domain used in early attacks) looks like an open and shut case.
The attacks themselves used incredibly basic spear phishing designs in which malicious or ‘weaponised’ PDFs were mailed to named targets, which on PCs vulnerable to one or more common software flaws were able to prise open Trojan backdoors.
FireEye noticed the attacks on some of its customers in the aerospace and defence last March, logging successive waves of the malicious PDFs turning up at regular intervals since then.
The evidence for Chinese involvement in Beebus was compelling, starting with the not inconsiderable fact that it appeared to reuse or have in common some of the command and control infrastructure (C&C) connected to an infamous APT (Advanced Persistent Threat) attack on RSA’s SecurID token system in 2011, later traced to the country by official sources.
The Beebus attackers also used a TTP (tools, techniques, and procedures) identical to the RSA hack, that of obfuscated/encrypted HTML, labelled by US intelligence as being the handiwork of the Sino ‘Byzantine Candour’ group, FireEye said
“We have enough evidence that points heavily in that direction” said FireEye senior staff scientist, Darien Kindlund on the Chinese connection. “We knew this was being done on behalf of a nation state,” he said.
In total the C&C had reached 214 servers with 60 unique IP addresses, a large investment in time and effort.
Despite being unsophisticated, “we believe the attack was largely successful.”
All of the targeted firms were in defence and aerospace with an unusual focus on those in the supply chain involved in UAV and other robotic aircraft.
A spreadsheet seen by Techworld noting the nature of the attacks, recorded 261 separate attacks on FireEye customers in 2012, 123 of which were on UAV or UAS (Unmanned Aerial Systems) vendors.
According to the company, the attackers used the simplest attack design to get the job done, changing malware and subject lines only as often as they had to. This suggested that the organisation launching the attacks probably saw its work in a commercial rather than political light.
Last week, two US newspapers alleged cyberattacks by Chinese actors on its journalists as part of a campaign to monitor emails. Meanwhile, reports of similar targeted attacks on large US companies have become routine.
Some in the US are still reluctant to openly blame China but they are gradually retreating into the minority as even prominent figures such as Eric Schmidt of Google raise the issue more openly.