Operation Ke3chang, alleged Chinese hackers target Indian Embassies Worldwide

Pierluigi Paganini May 24, 2016

Security experts from PaloAlto Networks collected evidence that the Operation Ke3chang discovered by FireEye in 2013 is still ongoing.

Back in 2013, the security researchers at FireEye spotted a group of China-Linked hackers that conducted an espionage campaign on foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang,’ now threat actors behind the attacks were spotted targeting personnel at Indian embassies across the world.

The researchers speculate the threat actors behind the Operation Ke3chang had been active since at least 2010, and the bad news is that they are still active. The attackers evolved their arsenal over the time, initially, they had been using three different strains of malware codenamed by BS2005, BMW, and MyWeb.

Operation Ke3chang malware

Recently security experts at Palo Alto Networks detected a new piece of malware, dubbed ‘TidePool,’  that seems to be linked to the group’s activity in the ongoing attacks against the Indian embassies.

The hackers launched spear phishing attacks leveraging on an annual report filed by more than 30 Indian embassies as a decoy. The attackers used spoofed email addressed to send out the malicious email.

The phishing attacks relied on email with attached an MHTML document that was specifically crafted to trigger the Microsoft Office vulnerability (CVE-2015-2545) and drop the TidePool malware.

The malware implements RAT features and presents many similarities with the BS2005, but it appears to be its evolution.

“We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide.” reads a report published by Palo Alto Networks. “TidePool contains many capabilities common to most RATs. It allows the attacker to read, write and delete files and folders, and run commands over named pipes”

The experts from the Unit 42 noticed that the TidePool and BS2005 malware share 11 similar registry modifications, they implement the same C2 obfuscation and use the same set of library functions.

“These samples are quite similar when looking at the library functions used, but the most notable features they have in common are the timeline of behaviors executed. Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. ” continues the report.

The experts noticed that the binaries included resources, encoding was 0x04 (LANG_CHINESE) indicating the systems used by the attackers are likely running a software with Chinese as the default display language.

India is the country with the largest number of infections, a circumstance that highlights the country is a high priority target for the attackers.

The experts closed the report confirming that the Operation Ke3chang is still ongoing and the malware factory is producing new evolving threats.

“Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware,” concluded the post.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.


Thank you


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Operation Ke3chang, cyber espionage)

you might also like

leave a comment