Chinese Attacks on Defense Contractors, 2 clues are evidence

Pierluigi Paganini January 29, 2012

It is not the first time, and the news itself is no surprise: once again Chinese hacker groups are involved in cyber intelligence operations against Western companies with the intent of stealing critical information. Symantec researchers have traced the attacks to Chinese groups, alerting the international community about the targets, which include major U.S. defense contractors.

The trend is established: to obtain information about a government's activities, attackers prefer to hit the private companies that collaborate with it, commonly referred to as contractors. These targets are often more exposed, even though the government requires contractors to comply with specific standards for information management meant to guarantee the confidentiality and integrity of the data they store. The Government of China is accused of systematically attacking the computer networks of Western governments and corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. The shadow of China is behind the well-known unauthorized network access events at several U.S. defense contractors, and the same actors may also be responsible for the RSA SecurID breach and for the massive attacks against Japanese institutions. We are facing a new 'cold war', but this time the challenge is to obtain dominance in cyberspace.

Contractors, and their relationships with governments, are considered weak links in the security chain: a potentially vulnerable interface between very different worlds. The economic crisis and constant cuts to many aspects of manufacturing processes, security first and foremost, have led to an exposure that is difficult to manage. Given the increasing number of attacks recorded against these parties, it is essential that the authorities constantly review and revise their relationships with contractors in order to avoid potentially dangerous data breaches. It is pointless to lock down a facility when you leave the keys in the lock, and the keys here are the contractors themselves, careless of and ignorant about the security implications of the technological change we are seeing.

It is questionable whether outsourcing so many government activities is really useful: while it often reduces direct costs, we must also account for the indirect costs of managing the risk of information exposure, a risk that has frequently become real.

After this personal reflection, let's come back to the attacks that were discovered. The attacks used malicious PDF documents exploiting an Adobe Reader bug, patched last month, to infect Windows PCs with the Trojan "Sykipot". As described in my previous article, Sykipot is a Trojan with backdoor features that has already been used in other attacks against U.S. PKI infrastructures based on smart cards.

The vulnerability involved the application's handling of the Universal 3D (U3D) file format and could allow attackers to remotely take over an affected system, cause it to crash, or otherwise conduct denial of service attacks against it.

Symantec researchers discovered that one of the main servers used during the attack, the machine that physically hosts more than 100 malformed PDFs, is located in Beijing and hosted by one of the country's largest Internet service providers, not yet identified. More in detail, the Symantec researchers uncovered a real infrastructure used for the attacks, which also includes other machines responsible for modifying the malicious PDF documents, an activity necessary to evade antivirus detection on the target.

At least six Chinese IP addresses are used to proxy or host the C&C servers. The Netbox web server used on the C&C servers is mainly used by Chinese speakers: all the documentation to set up and learn the framework is available only in Mandarin. Researchers from the security firm AlienVault were also involved in the analysis and stated that the servers used in the operations are Windows based and, with high probability, located in China. It is difficult to be certain of this: proxies, routing tricks and spoofed IP addresses can easily be coordinated to fake the origin of an attack. Researchers have also collected evidence that the hackers who connected to the staging server did so from Zhejiang province, on the eastern coast.

A specific feature of the Sykipot attacks is a hard-coded identifier in the malware, used by its creator in each operation to evaluate the effectiveness of the attacks.
Symantec has maintained a cautious position and does not link the hackers directly to the Chinese Government, but the clues point to the origin of the attacks.

“Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China,” Symantec stated.

What is interesting is the ability to exploit a zero-day vulnerability, together with the process used to evade antivirus detection through continuous modification of the malware; this proves that behind these operations there is a skilled group that manages each attack like an ongoing project.

Ironically, Lockheed Martin, the company that discovered the vulnerability being exploited, was itself among the victims of the attacks.

In Italy we say: "Two clues are evidence".

Pierluigi Paganini

References

http://www.computerworld.com/s/article/9223765/Researchers_unearth_more_Chinese_links_to_defense_contractor_attacks
