Is China Involved in Cyber Espionage? Luckycat Trojan Strikes Hard

Once again, China is in the middle of hacking incidents that use malware to acquire sensitive information from various industries in several countries.  Researchers now believe that China is involved in “cyber espionage” or cyber spying.

Symantec’s Luckycat

Symantec, the largest maker of security software for computers, recently published a document regarding “Luckycat”–an operation that attacked Indian and Malaysian military research and south Asian shipping organizations as well as defense, academic, and manufacturing industries.

According to Symantec, the attack begins with a carefully tailored e-mail that makes it hard to ignore and a malicious document is attached to it.  When the attached document is opened or downloaded to a computer, the malware, VBS.Sojax, gets activated.

The VBS.Sojax is a very simple Trojan that connects a command-and-control (CC) server to retrieve commands and upload data.  HTTP is used to easily pass through firewalls.  In even more simple terms, the Trojan is a remote access malware that makes it easy to gather data from the infected computer without people noticing what is happening.  They reported that the attacks started in April 2011 until February 2012.

But Symantec’s findings aren’t complete.  Trend Micro, the Chinese security company, published a more detailed report about the hacking incident.

Trend Micro’s in-depth report

According to Trend Micro’s findings, the Luckycat campaign targeted industries and/or communities from aerospace, energy, engineering, shipping, military research, and Tibetan activists.  The campaign is linked to 90 cyber attacks against Japan, India and Tibetan activists and compromised 233 computers.  The threats were traced back to IP addresses in China.  Trend Micro believes that the attacks started in June 2011 and the threat currently continues.

“This was not an individual attack that started and stopped,” said Nart Villeneuve, a researcher that helped lead Trend Micro’s efforts. “It’s a continuous campaign that has been going on for a long time. There are constant compromises going on all time. These guys are busy and stay busy.”

Know your malware

Trend Micro’s report identified the malware as TROJ_WIMMIE or VBS_WIMMIE, connects to a CC server via HTTP over port 80 but uses Windows Management Instrumentation (WMI) which makes it a persistent SOB.  It works just like how Symantec described it, starting with an intriguing e-mail laced with the Trojan, and when the Trojan is activated, it allows for remote accessing, uploading more malware which allows them to go through the network silently and acquire sensitive information.

Who’s to blame?

Upon Trend Micro’s research, they were able to identify the hacker, he goes by the nicknames “dang0102”, “Gu Kaiyuan”, and “scuhkr”.  The hacker is believed to be connected to published posts in the famous hacker forum, XFocus, recruiting for a research project regarding network attack and defense at the Information Security Institute of the Sichuan University, and authored articles related to backdoors and shellcode in a hacking magazine.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

According to The New York Times, Gu is now an employee of Tencent, China’s leading internet portal company.

China again?

Last year, China was connected to many cyber attacks happening in different parts of the world.  This didn’t go well with the Chinese government and they stated that what was happening to them was unjust, accusing them of cyber espionage when all the attacks could be coming from the US.  China pointed out that the US government employs hackers to fend off cyber threats but these hackers may be the one doing the attacks and then blames China for it.

If you can still remember, last year, Symantec identified that a Chinese hacker who goes by the name “Nitro” was involved in corporate espionage.  Nitro allegedly stole design documents, formulas, and manufacturing processes from Fortune 100 companies involved in chemical research and development, companies that develop advanced materials for military vehicles, NGOs, and the motor industry as well.

But seriously, if I were a hacker, I wouldn’t leave a trail behind, especially if what I did could potentially lead to a war.

[Image note: The flavor image is not Chinese in origin, it is a Japanese Lucky Cat “Maneki Neko” sculpture.]

In the same vein:

Article source: http://siliconangle.com/blog/2012/04/03/is-china-involved-in-cyber-espionage-lucycat-trojan-strikes-hard/

View full post on National Cyber Security