Security tactic might have helped battle foreign ministry hacks

Network segmentation could have helped in beating Chinese intruders who breached machines at various European ministries

Network segmentation that restricts intruders' access to data would have helped contain Chinese hackers who breached computers at the foreign ministries of five European countries, an expert says.


The attacks were part of an ongoing campaign that began no later than 2010, security vendor FireEye reported Tuesday. While the company did not name any of the targets, The New York Times said they included the ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

FireEye determined that once the hackers penetrated a network, they searched for users with privileged access in order to steal their credentials and use them to obtain high-value information. The vendor's findings are based on data it gathered from one of the 23 command-and-control servers used by the attackers.

The campaign, named Ke3chang after a reference found in the malware code, demonstrates that the probability of an attacker breaking into a network is high, Nart Villeneuve, senior threat intelligence researcher at FireEye, said. Therefore, the focus should be on limiting the amount of data available to hackers before they are discovered.

Network segmentation, the splitting of a computer network into sub-networks with controlled traffic between them, would have confined the attackers to the data and users of the segment they first compromised, a small portion of the total network, Villeneuve said.

"Once the attackers were in, they immediately started moving around," he said. "If those chunks of the network were segmented, then it would limit the amount of damage that they could conduct, because the systems they compromised wouldn't have access to other segments of the network."
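The containment argument above can be made concrete by computing the "blast radius" of a single compromised host under a flat policy and under a segmented one. The following is an added example, not code from FireEye or from the article; the hosts, segment names and allow-list rules are constructed for illustration, and intra-segment traffic is assumed to be unrestricted.

```python
"""Blast-radius check for a segmented vs. flat network (added example).

Models a network as hosts assigned to segments plus an explicit
allow-list of segment-to-segment flows, then computes every host an
intruder can reach from an initial foothold by hopping only across
permitted flows. All names and rules below are constructed.
"""
from collections import deque

# Constructed inventory: host -> segment.
HOSTS = {
    "ws-01": "user-workstations",
    "ws-02": "user-workstations",
    "mail-01": "messaging",
    "file-01": "file-services",
    "dc-01": "identity",
    "jump-01": "admin",
    "db-01": "restricted-data",
}

# Constructed allow-list of (source segment, destination segment) flows.
# Anything not listed is assumed to be blocked at the segment boundary.
SEGMENTED_POLICY = {
    ("user-workstations", "messaging"),
    ("user-workstations", "file-services"),
    ("user-workstations", "identity"),
    ("admin", "identity"),
    ("admin", "restricted-data"),
    ("admin", "file-services"),
    ("file-services", "identity"),
}


def flat_policy(hosts):
    """Every segment may talk to every other: an unsegmented network."""
    segs = set(hosts.values())
    return {(a, b) for a in segs for b in segs if a != b}


def reachable_hosts(foothold, hosts, policy):
    """Hosts an intruder who controls `foothold` can pivot to.

    A host in segment S reaches every host in its own segment (intra-segment
    traffic assumed unrestricted) plus every host in segment T whenever
    (S, T) is allowed. Reachability is transitive: each newly reached host
    becomes a new pivot point, which is the lateral movement the article
    describes.
    """
    by_segment = {}
    for host, seg in hosts.items():
        by_segment.setdefault(seg, set()).add(host)
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        cur_seg = hosts[cur]
        targets = set(by_segment[cur_seg])
        for src, dst in policy:
            if src == cur_seg:
                targets |= by_segment.get(dst, set())
        for target in targets:
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def blast_radius(foothold, hosts, policy):
    """Number of hosts exposed from the foothold, excluding the foothold itself."""
    return len(reachable_hosts(foothold, hosts, policy)) - 1


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy(HOSTS)), ("segmented", SEGMENTED_POLICY)):
        reach = sorted(reachable_hosts("ws-01", HOSTS, policy))
        print(f"{name}: {blast_radius('ws-01', HOSTS, policy)} hosts reachable from ws-01: {reach}")
```

A compromised workstation reaches every other host under the flat policy but never reaches the restricted-data segment under the segmented one; only a host in the admin segment does. Note that this models the network layer only: the attackers in this campaign also stole privileged credentials, so the segment boundaries must be paired with the credential controls discussed later in the article, or an intruder simply logs in to the next segment as an authorized administrator.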

The attackers, believed to be operating in China, were very selective about their targets, using three types of malware to attack a small number of entities in aerospace, energy, government, high-tech, consulting, and the chemical, manufacturing and mining sectors.

"Although we were able to track their activity back to 2010, the total number of attacks that we were able to uncover was fairly small, which to me indicates these attackers are quite selective of who they want to attack," Villeneuve said.

The most recent attacks occurred in August and September of this year and were aimed at the ministries in the five countries named by the Times, Villeneuve said. The attacks coincided with the Group of 20 summit of government leaders in Russia in September.


To entice potential victims, the hackers sent emails with attachments that allegedly contained documents on possible U.S. military intervention in the Syrian civil war.

The same group had conducted other attacks in 2012 and 2011. The former attack used emails with links to information related to the London Olympics, while the latter offered links to naked photos supposedly of pop star and former first lady of France Carla Bruni-Sarkozy. FireEye was unable to identify the targets of the attacks, but noted that the 2011 campaign coincided with the G20 summit in Paris that year.

Because the attackers went after users with privileged access once inside a network, so that they could use those credentials to reach high-value information, the privileged accounts themselves are the other control point, FireEye said.

Most companies do not know the number of privileged accounts on their networks. A recent survey by CyberArk, which specializes in privileged account security, found that 86 percent of enterprises do not know how many of these accounts exist.

Therefore, companies first need to build an inventory of those accounts, then secure them by ensuring that every use is monitored and recorded, so that there is a baseline against which misuse can be spotted.

"Privileged user behavior profiling can detect a range of anomalies in the behavior patterns of individual privileged users, such as a user who suddenly accesses credentials at an unusual time of day," John Worrall, chief marketing officer at CyberArk, said in an email.

"This is a strong indicator of malicious activity or severe policy violations, whether it stems from an external hacker taking over a privileged credential, or a malicious insider."
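To show what the time-of-day profiling described above looks like in practice, here is an added example that builds a per-account baseline from recorded privileged-credential checkouts and flags a new checkout that falls outside an account's usual hours. It is not CyberArk's or FireEye's code; the audit-line format, account names and events are constructed for illustration. It also handles two cases the survey figure makes relevant: an account with no recorded baseline at all, and one with too few samples to profile, both of which are reported rather than silently passed.

```python
"""Time-of-day profiling for privileged credential use (added example).

Builds a per-user list of the hours at which a privileged credential was
checked out, then scores a new event by its circular distance from the
nearest observed hour. Log format and events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<ISO timestamp> <user> <action> <target>"
BASELINE_LOG = """\
2013-08-05T09:12:00 admin.jsmith checkout dc-01/Administrator
2013-08-05T14:40:00 admin.jsmith checkout file-01/backup-svc
2013-08-06T10:03:00 admin.jsmith checkout dc-01/Administrator
2013-08-07T08:55:00 admin.jsmith checkout dc-01/Administrator
2013-08-07T16:20:00 admin.jsmith checkout file-01/backup-svc
2013-08-08T11:30:00 admin.jsmith checkout dc-01/Administrator
2013-08-05T22:10:00 admin.ops-night checkout db-01/sa
2013-08-06T23:45:00 admin.ops-night checkout db-01/sa
2013-08-07T01:15:00 admin.ops-night checkout db-01/sa
"""


def parse(line):
    """Split one constructed audit line into (timestamp, user, action, target)."""
    ts, user, action, target = line.split()
    return datetime.fromisoformat(ts), user, action, target


def build_profile(log_text):
    """Per-user list of hours (0-23) at which privileged checkouts were recorded."""
    profile = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _ = parse(line)
        if action == "checkout":
            profile[user].append(ts.hour)
    return profile


def hour_distance(a, b):
    """Circular distance in hours between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(profile, line, min_samples=3, tolerance=1):
    """Return (flagged, reason) for one new audit line against the baseline.

    An account with no baseline is flagged (an unprofiled privileged account
    is exactly what the survey says most companies have), and one with fewer
    than `min_samples` recorded checkouts is flagged as unprofilable rather
    than passed. Otherwise the event is flagged when its hour is more than
    `tolerance` hours from every hour previously seen for that account.
    """
    ts, user, action, target = parse(line)
    if action != "checkout":
        return False, f"{user}: not a checkout, not scored"
    hours = profile.get(user)
    if not hours:
        return True, f"{user}: no baseline for this privileged account"
    if len(hours) < min_samples:
        return True, f"{user}: only {len(hours)} baseline samples, cannot profile"
    nearest = min(hour_distance(ts.hour, h) for h in hours)
    if nearest > tolerance:
        return True, (f"{user}: checkout of {target} at {ts.hour:02d}:00 "
                      f"is {nearest}h from any usual hour")
    return False, f"{user}: checkout of {target} within usual hours"


if __name__ == "__main__":
    baseline = build_profile(BASELINE_LOG)
    # Constructed new events, including a 03:05 checkout by a daytime admin.
    for event in (
        "2013-09-02T03:05:00 admin.jsmith checkout dc-01/Administrator",
        "2013-09-02T15:00:00 admin.jsmith checkout dc-01/Administrator",
        "2013-09-02T02:40:00 admin.ops-night checkout db-01/sa",
        "2013-09-02T10:00:00 admin.newhire checkout dc-01/Administrator",
    ):
        flagged, reason = score_event(baseline, event)
        print("ALERT " if flagged else "ok    ", reason)
```

The night-shift account's 02:40 checkout is within its own baseline and is not flagged, while the same hour for a daytime administrator is, which is the per-user nature of the profiling Worrall describes. In a real deployment the baseline would be drawn from a much longer window and would cover day of week, source host and target as well as hour, but the scoring shape stays the same.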
