Network security company FireEye has reported a coordinated malware attack on five European foreign ministries. The attack took place last August just prior to the G20 Summit in September. It was achieved by sending the ministries email attachments bearing file names pertaining to the primary topic of the summit: military options in Syria. Once downloaded, the files allowed the hackers to monitor communications and steal data from the host machines. FireEye believes the hackers are from China, but it stopped short of alleging collusion with the Chinese government.
FireEye was able to discern the attacks because it had been monitoring the hacker group for “several years,” according to Reuters. In this case the company was monitoring the command-and-control server that carried out the attacks, a tactic the company hasn’t always been able to use in the past. As evidence for the Chinese origin of the hackers, the company cited “the language used” on the command-and-control server and “the machines used” to test the malware code. No further details on that evidence are available at this point. Western network security companies routinely monitor Chinese hacker groups, many of which they believe are operating at the behest of the government.
The report was authored by six FireEye researchers. They released their findings to the five affected nations by way of the FBI. No one has said which countries were affected. The report states that the hacker group dubbed the attacks “moviestar” because the infected computers and the hackers’ command-and-control server communicated with each other using that phrase as a tag.
The company was able to monitor the hackers for about a week before they pulled out and moved to an unknown server. That took place just before the G20 Summit began. FireEye believes the hackers were preparing to steal data from the involved foreign ministries at that point.