
Hackers attacking Western defence firms based in China, says Symantec

Sykipot Trojan attacks tracked to servers in Beijing and Zhejiang

Symantec researchers have uncovered additional clues that point to Chinese hacker involvement in attacks against a large number of Western companies, including major US defence contractors.

The attacks use malicious PDF documents that exploit an Adobe Reader bug patched last month to infect Windows PCs with "Sykipot", a general purpose backdoor Trojan horse.


According to findings by Symantec's research team, a "staging server" used by the attackers is based in the Beijing area, and is hosted by one of the country's largest Internet service providers, or ISPs.

Symantec did not identify the ISP.

The staging server stores new files, many of them malformed PDFs, that are used to infect machines. Symantec found more than 100 malicious files on the server; many had been used in Sykipot campaigns.

Researchers also said that one of the attackers who connected to the staging server did so from Zhejiang province on China's eastern coast. Hangzhou is that province's capital and largest city.

Previously, Symantec had confirmed that the Sykipot attacks had been aimed at people working at major defence contractors, and at a smaller number of individuals employed in the telecommunications, manufacturing, computer hardware and chemical sectors. Lockheed Martin, whose security team was among those who reported the Reader vulnerability to Adobe, may have been one of the targeted companies.

After digging through the staging server, Symantec found clues that led it to a second system where the same group hosted a tool that automatically modifies files, again including PDFs, as part of its strategy to evade detection by antivirus software.
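The two technical points above, malicious PDFs as the delivery vector and a tool that rewrites those PDFs to slip past antivirus, are worth seeing in working code. The following is an added example, not code from the article or from Symantec: a small PDF triage script that looks for active-content markers (JavaScript, automatic actions, launch actions) in the raw file and inside deflated streams, undoes PDF name hex-escaping, and then shows why a per-file repacker defeats hash blocklists but not structural checks. The sample PDF is constructed and harmless, and `mutate` is a hypothetical stand-in for the attackers' repacking tool, not a description of how Sykipot's tool worked.

```python
import hashlib
import re
import zlib

# Constructed, harmless sample PDF (not a Sykipot document): the catalog's
# /OpenAction points at a JavaScript action, the pattern used to run exploit
# code as soon as Reader opens the file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert\\(1\\);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names that mark active content; ordinary documents rarely need them.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"]

PDF_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"   # a PDF name ends at whitespace or a delimiter
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes such as /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the contents of every FlateDecode stream that inflates cleanly."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or corrupt: the raw bytes are still scanned
    return b"\n".join(out)


def pdf_indicators(data: bytes) -> dict:
    """Count risky names in the raw body and in inflated streams, after de-escaping."""
    text = normalise_names(data) + b"\n" + normalise_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + PDF_DELIM, text))
        if n:
            counts[name.decode()] = n
    return counts


def is_suspicious(data: bytes) -> bool:
    """Flag JavaScript reachable via an automatic action, or any /Launch action."""
    ind = pdf_indicators(data)
    has_js = "/JavaScript" in ind or "/JS" in ind
    auto_run = "/OpenAction" in ind or "/AA" in ind
    return (has_js and auto_run) or "/Launch" in ind


def mutate(data: bytes, tag: bytes) -> bytes:
    """Hypothetical stand-in for a repacking tool: insert a comment after the header.
    Parsers ignore comments, so the document behaves identically but its hash changes."""
    head, body = data.split(b"\n", 1)
    return head + b"\n% " + tag + b"\n" + body


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    variant = mutate(SAMPLE_PDF, b"variant-0042")
    print("original", sha256(SAMPLE_PDF)[:16], pdf_indicators(SAMPLE_PDF))
    print("variant ", sha256(variant)[:16], pdf_indicators(variant))
    print("suspicious:", is_suspicious(SAMPLE_PDF), is_suspicious(variant))
```

The point of the `mutate` step is the one the article makes about the attackers' tooling: a signature or blocklist keyed on the file hash stops matching after a single byte changes, while a check on what the document can do (script plus an action that runs it on open) still fires on every variant. The hex-escape normalisation matters for the same reason: `/J#61vaScript` is the same name to Reader but not to a naive string match.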

Like other authors of targeted attacks, the Sykipot gang tags each campaign with an identification number so that it can evaluate each assault's effectiveness. The unique identifiers are hard-coded into the malware, said Symantec.

Duqu, a Trojan aimed at Iran last year, uses a similar tracking tactic that relies on customised malware, as well as a separate command-and-control (C&C) server for each attack.

Although Symantec did not come out and name China as the home base of the Sykipot hackers, it came close.

"The attackers are familiar with the Chinese language and are using computer resources in China," the company said. "They are clearly a group of attackers who are constantly modifying their creation to utilise new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future."
