Chinese military hackers have been blamed for a simple phishing attack that gave them access to the private diplomatic communications of EU officials for years.
In a new report, US security firm Area 1 explained how it discovered back in 2015 a People’s Liberation Army (PLA) Strategic Support Force campaign targeting a wide range of entities, including the United Nations, ministries of foreign affairs and finance, think tanks and trade unions like the AFL-CIO.
“In late November 2018, Area 1 Security discovered that this campaign, via phishing, successfully gained access into the computer network of the Ministry of Foreign Affairs of Cyprus, a communications network used by the European Union to facilitate cooperation on foreign policy matters,” it explained. “This network, known as COREU, operates between the 28 EU countries, the Council of the European Union, the European External Action Service, and the European Commission. It is a crucial instrument in the EU system of foreign policy making.”
Unfortunately, initial access was as basic as it gets. The attackers phished credentials from network administrators and senior staff, which gave them privileged access to the network. From there they deployed PlugX malware to establish a persistent backdoor and a channel for command-and-control (C&C) communications.
Built-in Windows console commands were then used to move from machine to machine inside the network, until the attackers located the remote file server that stored the diplomatic cables from the COREU network.
The data was then compressed and exfiltrated.
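As an added illustration (not from Area 1's report or the original article), the following Python script shows how a defender might hunt for the sequence described above in Windows process-creation telemetry: a built-in console command that reaches out to another machine, followed within a short window by an archive being created on that target machine by the same account. The log lines, host names, account names and the specific commands (net use, wmic, rar, 7z) are constructed for the example; the page only says that "Windows console commands" were used for lateral movement and that data was compressed before exfiltration, not which tools.

```python
"""Correlate lateral-movement console commands with archive creation on the
target host, over constructed Windows process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format:
#   ISO timestamp | host where the process ran | account | command line
SAMPLE_EVENTS = r"""
2018-11-20T09:01:12 | WS-ADMIN01 | corp\jsmith | net use \\FILESRV02\cables /user:corp\jsmith *
2018-11-20T09:03:40 | WS-ADMIN01 | corp\jsmith | wmic /node:FILESRV02 process call create "cmd.exe /c whoami"
2018-11-20T09:10:05 | FILESRV02 | corp\jsmith | rar.exe a -r C:\Windows\Temp\upd.rar D:\COREU\cables
2018-11-20T10:15:00 | WS-HR07 | corp\amiller | net use Z: \\FILESRV01\share
2018-11-20T13:45:30 | WS-HR07 | corp\amiller | 7z.exe a C:\Users\amiller\photos.7z C:\Users\amiller\Pictures
2018-11-20T22:00:00 | FILESRV02 | corp\svc-backup | 7z.exe a E:\backup\nightly.7z D:\COREU
"""

# Console commands that target another host (assumed indicators, not from the page).
LATERAL = re.compile(r"\b(?:net\s+use\b|wmic\b.*?/node:|psexec(?:\.exe)?\b|schtasks\b.*?/s\s)", re.I)
# Archive creation with rar/7z ("a" = add files to archive).
ARCHIVE = re.compile(r"\b(?:rar|7z|7za|winrar)(?:\.exe)?\s+a\b", re.I)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmd: str


def parse_events(text):
    """Parse the pipe-delimited sample format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = (p.strip() for p in line.split(" | ", 3))
        events.append(Event(datetime.fromisoformat(ts), host, user, cmd))
    return events


def lateral_target(cmd):
    """Return the remote host a lateral-movement command points at, or None."""
    m = (re.search(r'/node:"?([\w.-]+)', cmd, re.I)
         or re.search(r"\\\\([\w.-]+)", cmd)            # UNC path \\HOST\share
         or re.search(r'/s\s+"?([\w.-]+)', cmd, re.I))  # schtasks /s HOST
    return m.group(1) if m else None


def find_staging_chains(events, window=timedelta(minutes=60)):
    """One alert per archive-creation event that was preceded, within `window`,
    by the same account running a console command aimed at that very host."""
    lateral_by_key = defaultdict(list)   # (user, target host) -> prior lateral events
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if LATERAL.search(ev.cmd):
            tgt = lateral_target(ev.cmd)
            if tgt:                       # "net use" alone just lists mappings; skip
                lateral_by_key[(ev.user.lower(), tgt.lower())].append(ev)
            continue
        if ARCHIVE.search(ev.cmd):
            priors = [p for p in lateral_by_key.get((ev.user.lower(), ev.host.lower()), [])
                      if timedelta(0) <= ev.ts - p.ts <= window]
            if priors:
                alerts.append({"user": ev.user, "host": ev.host, "ts": ev.ts,
                               "archive_cmd": ev.cmd, "lateral": priors})
    return alerts


if __name__ == "__main__":
    for a in find_staging_chains(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} {a['user']} staged an archive on {a['host']}: {a['archive_cmd']}")
        for p in a["lateral"]:
            print(f"    preceded by {p.ts} on {p.host}: {p.cmd}")
```

Correlating on the target host extracted from the command, rather than on the source workstation, is what lets the script tie the admin's `net use`/`wmic` activity to the archive created on the file server while ignoring the HR user's unrelated drive mapping and the backup account's routine nightly archive. Tuning the window and the command list to the environment is the real work; the pattern itself is the one the report describes.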
As the New York Times reported, the diplomatic cables gave the Chinese insight into EU thinking on a range of sensitive topics, from EU-Beijing relations to the Trump-Putin meeting, North Korea, and EU officials' meetings with various world leaders.
The documents are said to have been classified, but only to a fairly low “limited/restricted” level.
The revelations will still be embarrassing for the EU, but it is certainly not alone: 93% of the data breaches analyzed by Verizon last year involved some form of phishing.
“When the risks are so high, cybersecurity needs to echo this,” argued Jake Moore, cybersecurity expert at ESET UK. “No expense should be spared when the implications can damage a country’s security and reputation.”