Researchers unearth more Chinese links to defense contractor attacks
- 28 January, 2012 04:35
Researchers with Symantec have uncovered additional clues that point to Chinese hacker involvement in attacks against a large number of Western companies, including major U.S. defense contractors.
The attacks use malicious PDF documents that exploit an Adobe Reader bug patched last month to infect Windows PCs with "Sykipot," a general-purpose backdoor Trojan horse.
According to findings published Thursday by Symantec's research team, a "staging server" used by the attackers is based in the Beijing area, and is hosted by one of the country's largest Internet service providers, or ISPs.
Symantec did not identify the ISP.
The staging server stores new files, many of them malformed PDFs, that are used to infect machines. Symantec found more than 100 malicious files on the server; many had been used in Sykipot campaigns.
Researchers also said that one of the attackers who connected to the staging server did so from Zhejiang province on China's eastern coast. Hangzhou is that province's capital and largest city.
Previously, Symantec had confirmed that the Sykipot attacks had been aimed at people working at major defense contractors, and at a smaller number of individuals employed in the telecommunications, manufacturing, computer hardware and chemical sectors.
Lockheed Martin, whose security team was among those who reported the Reader vulnerability to Adobe, may have been one of the targeted defense contractors.
After digging through the staging server, Symantec found clues that led it to a second system where the same group hosted a tool that automatically modifies files, again including PDFs, as part of its strategy to evade detection by antivirus software.
Like other authors of targeted attacks, the Sykipot gang tags each campaign with an identification number so that it can evaluate each assault's effectiveness. The unique identifiers are hard-coded into the malware, said Symantec.
Duqu, a Trojan aimed at Iran last year, uses a similar tracking tactic that relies on customized malware, as well as a separate command-and-control (C&C) server for each attack.
Adobe began patching the Reader vulnerability exploited by the Sykipot attacks on Dec. 16, and wrapped up the fixes on Jan. 10.
Although Symantec did not come out and name China as the home base of the Sykipot hackers, it came close.
"The attackers are familiar with the Chinese language and are using computer resources in China," the company said. "They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
- Insight into Sykipot Operations - Symantec Connect Community
- Symantec confirms Reader exploits targeted defense companies - Computerworld
- Hackers may have spent years crafting Duqu - Computerworld
- Adobe plugs 6 critical holes in Reader - Computerworld