Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers.
The attacks, which began in 2010, are continuing, according to a report released yesterday by FireEye, a computer security company in Milpitas, California.
Though researchers do not name the hackers’ targets in the report, the New York Times identified the foreign ministries through e-mail addresses listed on the attackers’ Web page.
A person with knowledge of the investigation, who was not authorized to speak publicly, confirmed that the foreign ministries of the five countries had been breached.
Even as revelations by Edward Snowden about surveillance conducted by the US National Security Agency and its intelligence partners dominate attention, the FireEye report is a reminder that Chinese hackers continue to break into the computer systems of governments and firms using simple, e-mail-based attacks.
The FireEye report does not link the attacks to a specific group in China, but security experts say the list of victims points to a state-affiliated campaign.
“Unlike other groups, which tend to attack commercial targets, this campaign specifically targeted ministries of foreign affairs,” said Nart Villeneuve, the researcher who helped lead FireEye’s efforts.
Last year, Villeneuve, then a researcher at Trend Micro, a security company in Tokyo, traced a series of attacks on firms in Japan and India, as well as Tibetan activists, to a former graduate student at Sichuan University who had joined Tencent, China’s leading Internet company.
Villeneuve said the current hacks are highly selective. Researchers first began tracking the campaign — which they call “Ke3Chang” after a reference buried in the malware code — in 2011. That October, various G20 finance ministers were targeted during a G20 meeting in Paris.
The attackers sent their targets e-mails containing a link that claimed to lead to naked photos of Carla Bruni-Sarkozy, wife of former French president Nicolas Sarkozy. Once a recipient clicked the link, the attackers gained a foothold in the target’s computer network, though investigators said they were unable to see which files the attackers had taken.
The closest they came was in August, when FireEye’s researchers were able to gain access to one of the group’s 23 command-and-control servers for one week. They could see that 21 compromised targets were reporting to that server, including government ministries in the five European countries.
They watched as the attackers mapped out victims’ computer networks, searching for accounts with privileged access that would let them reach the computers of high-value targets.
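The reconnaissance described above leaves a trace on the victim’s own machines: a short burst of account- and group-enumeration commands from a single workstation and user. The following is an added example of how a defender might flag that pattern; it is not FireEye’s detection logic and is not taken from the report. It assumes a Windows domain (so the enumeration is done with the “net” command family and similar tools), a constructed, simplified process-creation log format (timestamp|host|user|parent|command line), and a constructed sample in which one user on host WS-FM-017 runs four distinct discovery commands within a minute while two other accounts run only isolated commands.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (a simplified stand-in for
# Windows 4688 / Sysmon event 1 records): timestamp|host|user|parent|command line.
# Hosts, users and times are invented for this example.
SAMPLE_LOG = """\
2013-08-04T09:12:03|WS-FM-017|MFA\\jdoe|explorer.exe|outlook.exe
2013-08-04T09:12:41|WS-FM-017|MFA\\jdoe|cmd.exe|ipconfig /all
2013-08-04T09:12:44|WS-FM-017|MFA\\jdoe|cmd.exe|net user /domain
2013-08-04T09:12:49|WS-FM-017|MFA\\jdoe|cmd.exe|net group "Domain Admins" /domain
2013-08-04T09:12:55|WS-FM-017|MFA\\jdoe|cmd.exe|net localgroup administrators
2013-08-04T09:13:02|WS-FM-017|MFA\\jdoe|cmd.exe|net view /domain
2013-08-04T10:30:10|WS-FM-022|MFA\\asmith|cmd.exe|net user /domain
2013-08-04T14:05:00|WS-FM-022|MFA\\asmith|cmd.exe|whoami /groups
2013-08-04T11:00:00|SRV-DC-01|MFA\\svc_backup|cmd.exe|net group "Domain Admins" /domain
"""

# Command families an intruder uses to enumerate accounts and groups with
# elevated rights on a Windows domain (an assumed list, not one from the report).
DISCOVERY_PATTERNS = {
    "net user /domain": re.compile(r"^net\s+user\b.*\s/domain\b", re.I),
    "net group":        re.compile(r"^net\s+group\b", re.I),
    "net localgroup":   re.compile(r"^net\s+localgroup\b", re.I),
    "net view":         re.compile(r"^net\s+view\b", re.I),
    "whoami /groups":   re.compile(r"^whoami\s+/groups\b", re.I),
    "dsquery":          re.compile(r"^dsquery\b", re.I),
    "nltest":           re.compile(r"^nltest\b", re.I),
}


def classify(command_line):
    """Return the discovery category of a command line, or None if it is not one."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(command_line.strip()):
            return name
    return None


def parse_events(log_text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "parent": parent, "cmd": cmd})
    return events


def find_recon_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one host/user pair runs at least `threshold` *distinct* kinds of
    account/group discovery inside `window`. Distinct kinds are counted rather
    than raw hits so a script retrying one command does not trip the rule."""
    by_actor = defaultdict(list)
    for ev in events:
        kind = classify(ev["cmd"])
        if kind:
            by_actor[(ev["host"], ev["user"])].append((ev["time"], kind, ev["cmd"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            # Grow the window forward from hit i as far as the time limit allows.
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            span = hits[i:j + 1]
            if len({kind for _, kind, _ in span}) >= threshold:
                alerts.append({"host": host, "user": user,
                               "start": span[0][0], "end": span[-1][0],
                               "commands": [cmd for _, _, cmd in span]})
                i = j + 1  # one alert per burst, then move past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_recon_bursts(parse_events(SAMPLE_LOG)):
        print(f"{a['host']} {a['user']} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: "
              + "; ".join(a["commands"]))
```

Run as written, the sample produces a single alert for MFA\jdoe on WS-FM-017; the two isolated commands on WS-FM-022 hours apart and the one command on the domain controller fall below the threshold. In practice the rule needs a baseline: administrators and backup or monitoring accounts run these commands legitimately, so an allowlist of expected actors or a higher threshold for admin workstations is what keeps it quiet.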
That glimpse gave researchers a rare window into the attackers’ techniques and clues to their origin. Their malware contained Chinese character strings, and one Web page used to compromise computers was written in Chinese. The machines on which they tested their malware were also configured with Chinese as the default language. Such indicators are circumstantial, since strings and locale settings can be planted, so they point to a language community rather than to a specific group.
“Beyond the fact they are Chinese, we don’t know who the attackers are or what their motivations might be,” Villeneuve said.
Chinese Ministry of Foreign Affairs officials have said China does not sanction hacking, and is itself a victim of hacking attacks.