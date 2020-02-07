

Cyberwar and the future of cyber security

Today’s security risks have expanded and become more serious. Millions (or even billions) of dollars can now be at risk if information security is not handled properly.

A Chinese state-sponsored hacking group is targeting Malaysian government officials, computer security experts working with the Malaysian government said on Wednesday.

The purpose of the attacks was to infect government officials’ computers with malware and then steal confidential documents from government networks, said the Computer Emergency Response Team (MyCERT) of Malaysia in a security advisory.

Attack pattern

The attacks on government officials consist of highly targeted spear-phishing e-mails.

MyCERT says that the attackers pose as a journalist, an individual from a trade publication, and representatives of a military organization and of a non-governmental organization (NGO).

The e-mails contain links to documents stored on Google Drive. When opened, the documents ask recipients to enable macros.

The malicious macros use two Office exploits (CVE-2014-6352 and CVE-2017-0199) to execute code on the victim’s system that downloads and installs malware.
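As an added defender-side example (not from the MyCERT advisory or this article), the following Python script triages incoming Office documents of the kind described above: it flags OOXML files that carry a VBA macro project, and files whose relationship parts reference an external OLE object, the document pattern abused by CVE-2017-0199. The sample documents and the URL in them are constructed inside the script for demonstration only.

```python
import io
import re
import zipfile

# Relationship type used for embedded or linked OLE objects inside OOXML parts
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def triage_office_doc(data: bytes) -> dict:
    """Return macro / external-OLE indicators for an OOXML file passed as bytes."""
    findings = {"has_macros": False, "external_ole_links": []}
    if not data.startswith(b"PK"):
        # Not a ZIP container (legacy .doc / .rtf); outside the scope of this check
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # VBA macros live in vbaProject.bin under word/, xl/ or ppt/
        findings["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            rels = z.read(name).decode("utf-8", errors="replace")
            for rel in re.finditer(r"<Relationship\b[^>]*/?>", rels):
                tag = rel.group(0)
                # An OLE object fetched from an external location is the CVE-2017-0199 shape
                if OLE_REL_TYPE in tag and 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]*)"', tag)
                    findings["external_ole_links"].append(target.group(1) if target else "")
    return findings


def build_sample(macro, external_target):
    """Constructed minimal OOXML container for testing (hypothetical, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00placeholder")
        rels = ["<Relationships>"]
        if external_target:
            rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                        f'Target="{external_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample(macro=False, external_target=None)
    suspicious = build_sample(macro=True, external_target="http://example.invalid/template.hta")
    for doc in (benign, suspicious):
        print(triage_office_doc(doc))
```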

“The group’s activities are typically focused on government-sponsored projects and include large amounts of information specific to such projects, including proposals, meetings, financial information, shipping information, plans and drawings, and raw data,” said MyCERT.

MyCERT officials did not say whether government officials were compromised in these attacks.

Indirectly pointing the finger at China

Although MyCERT did not directly accuse the Chinese government, its advisory links to research published by the cyber security community.

The linked reports (1, 2, 3, 4) describe the hacking tools and modus operandi of a cyber espionage group known as APT40, whose activities align with the interests of the Chinese government.

In an exposé published last month, a group of online cyber security analysts calling themselves Intrusion Truth claimed that APT40’s operators are contractors hired and supervised by the Hainan Department of the Chinese Ministry of State Security.

According to FireEye, in addition to Malaysia, the group also targets Cambodia, Belgium, Germany, Hong Kong, the Philippines, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom.

The group is mainly focused on “engineering, transport and the defense industry, especially where these sectors overlap with maritime technologies.”

APT40 is also tracked by other security companies under different names, such as TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK and GADOLINIUM. The group has been active since 2014, according to several reports.