
After the intrusion in German government systems, and after the intrusions in UK and US computer systems, the government of France is next.
Daemon.be has an analysis of a packed Trojan that might be similar to the intrusions discussed here. Again, Office documents were used to get inside.
There are no details of which computer systems were affected apart from the website of the Ministry of Defense.
About five hours ago, Agence France Presse reported that France is the most recent nation to be targeted by what are probably cyber attacks of Chinese origin. The news came from Mr Francis Delon, secretary general of the Secrétariat général de la défense nationale (SGDN). He notes: Chinese origin, not necessarily indicating involvement of the Chinese military.
It consisted of a Word document, transmitted by e-mail to a small set of users. The files didn't appear malicious, and even Virustotal isn't able to make its mind up. (Daemon.be)
This leaves us with a conundrum. We can detect this file on the gateway, where it's still embedded in obfuscated form in a Word document, and as such we can't even see it, or we can detect it on the desktop, where we run a high risk of killing valuable applications at the same time by enabling high heuristics.
One solution is offered by those anti-virus solutions which write detection rules specifically for application level exploits. This is however hard to do, as files may be interpreted in very different ways on specific platform versions. Vendors try (they're doing a pretty good job at PowerPoint files), but the vulnerability exploited above was a known one in Microsoft Office 2003, and has been known for at least a year. (Daemon.be)
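The conundrum above is that a gateway signature scan sees the document but not the executable hidden inside it. The following is an added example (not code from this post or from Daemon.be) of what a gateway can still do without high desktop heuristics: look for the PE DOS stub under every single-byte XOR key, which defeats the cheapest kind of obfuscation, and flag high-entropy regions that indicate a packed or encrypted payload. The sample document, the XOR key and the verdict thresholds are constructed for the demonstration.

```python
"""Gateway-side check for an obfuscated executable inside an Office document.

Added example, not code from the original post or from Daemon.be. It does two
things a plain signature scan on the gateway cannot: it looks for the PE DOS
stub under every single-byte XOR key (a cheap obfuscation that hides the
'MZ' header from string matching), and it flags high-entropy regions that
suggest a packed or encrypted payload. The sample document is constructed.
"""
import math
import random
from collections import Counter

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
DOS_STUB = b"This program cannot be run in DOS mode"  # present in almost every PE


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; roughly 4-5 for English text, close to 8 for packed or encrypted data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def find_xor_pe(data: bytes) -> list:
    """Return (key, offset) for every occurrence of DOS_STUB under a 1-byte XOR key.

    Key 0 is the unobfuscated case, so a plainly embedded PE is found as well.
    """
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        off = data.find(needle)
        while off != -1:
            hits.append((key, off))
            off = data.find(needle, off + 1)
    return hits


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """Offsets of fixed-size windows whose entropy meets or exceeds the threshold."""
    return [i for i in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[i:i + window]) >= threshold]


def inspect_document(data: bytes) -> dict:
    """Combine the checks into a gateway verdict: block / review / allow."""
    hits = find_xor_pe(data)
    windows = high_entropy_windows(data)
    if hits:
        verdict = "block"    # an executable is hidden in the document
    elif windows:
        verdict = "review"   # packed data but no recognisable PE: send to a sandbox
    else:
        verdict = "allow"
    return {"is_ole": data.startswith(OLE_MAGIC), "xor_pe_hits": hits,
            "high_entropy_windows": windows, "verdict": verdict}


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test document: OLE header, benign text, then a XOR-ed fake PE."""
    rng = random.Random(2007)  # seeded so the sample is reproducible
    text = b"Quarterly budget memo. " * 40
    fake_pe = (b"MZ" + b"\x90" * 62 + DOS_STUB
               + bytes(rng.getrandbits(8) for _ in range(2048)))  # stands in for packed code
    return OLE_MAGIC + text + bytes(b ^ key for b in fake_pe)


if __name__ == "__main__":
    report = inspect_document(build_sample())
    print(report["verdict"], report["xor_pe_hits"], len(report["high_entropy_windows"]))
```

The entropy check is the part that generalises: it does not need to know which exploit or packer was used, only that a document that should be mostly text carries a large region indistinguishable from random data. On its own it yields "review", not "block", because legitimately compressed or encrypted attachments look the same, which is exactly the false-positive cost the quoted paragraph is worried about.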
Kudos to M. for pointing me to the article. Also have a look at a previous article: Is Anti-virus ineffective nowadays?
Bonus (08/09/2007): It's not really an intrusion, but there was a data breach of sensitive military data in Japan. (PCWorld)
Security4all Blog
1 comment:
There are at least 8 China hacker groups. We call them HuBei Jun (Jun for military troop),
ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.
Through incident handling and investigation with law enforcement,
we found some evidence to prove the China hackers (targeted attack / spear phishing)
came from government (military, intelligence dept and public security).
We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations.
At first, using a Microsoft Word (*.doc) file with exploit, to drop backdoors or download spyware from other way stations.
And the backdoor connects back to the way station, when the hacker comes from China (fixed IP or ADSL) to remote control victims.
What they want is to collect the contact list files (Outlook, MSN ...) to build a huge database about relationships for future use;
from the contact list, hackers can send a 'well-made' trojaned mail to the others in the contact list, then victims
will trust the e-mail's subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest
documents in all file types. Even steal your mail account to have a copy of your mail boxes.
From what the official document shows, the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they are:
(1) Organized: have principles, formal check-in/out time.
In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break,
then, depending on the group, have a night team, to hack foreign countries.
(2) The tools: not commonly seen on the public Internet.
Some hacker groups use the same military produced/purchased hacking tools.
(3) The source IPs we sniffed during incident handling can be directly mapped to military regions of China.
The story is ongoing every day!
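The comment above infers a formal work schedule from when the backdoor's domain names were looked up. As an added example (not the commenter's or the blog's code), here is how an analyst would do that inference over resolver logs: parse UTC timestamps, shift them into a candidate time zone, build an hour histogram, and report the first and last active hour and the idle gap between them. It also tests every whole-hour UTC offset and keeps those under which all beacons fall inside a plausible working day, so the time zone is a tested hypothesis rather than an assumption. The log lines, hostnames and domain name are constructed placeholders, not indicators from the post.

```python
"""Working-hours analysis of backdoor beacon timestamps.

Added example, not the commenter's or the blog's code. Parses constructed
resolver log lines, converts UTC to a candidate local time zone, builds an
hour histogram and infers start, stop and break hours. plausible_offsets()
checks which UTC offsets make every beacon land in business hours, which is
how to test a time-zone hypothesis instead of assuming one.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed resolver log: "<UTC timestamp> <source host> query <name>".
# The queried name is a placeholder, not an indicator from the post.
SAMPLE_LOG = """\
2007-09-09T23:02:10Z ws-017 query c2-placeholder.example.invalid
2007-09-09T23:41:55Z ws-017 query c2-placeholder.example.invalid
2007-09-10T00:15:03Z ws-017 query c2-placeholder.example.invalid
2007-09-10T01:30:44Z ws-042 query c2-placeholder.example.invalid
2007-09-10T02:47:19Z ws-017 query c2-placeholder.example.invalid
2007-09-10T03:38:02Z ws-042 query c2-placeholder.example.invalid
2007-09-10T06:06:31Z ws-017 query c2-placeholder.example.invalid
2007-09-10T07:22:48Z ws-042 query c2-placeholder.example.invalid
2007-09-10T08:40:12Z ws-017 query c2-placeholder.example.invalid
2007-09-10T09:12:57Z ws-017 query c2-placeholder.example.invalid
2007-09-10T23:10:40Z ws-042 query c2-placeholder.example.invalid
2007-09-11T06:30:05Z ws-017 query c2-placeholder.example.invalid
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\s+\S+\s+query\s+\S+$")


def parse_beacons(log: str) -> list:
    """Return timezone-aware UTC datetimes for every well-formed line; skip the rest."""
    times = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            times.append(stamp.replace(tzinfo=timezone.utc))
    return times


def hour_histogram(times: list, utc_offset_hours: int) -> dict:
    """Count beacons per local hour after shifting UTC by the given offset."""
    shift = timedelta(hours=utc_offset_hours)
    return dict(sorted(Counter((t + shift).hour for t in times).items()))


def inferred_schedule(hist: dict) -> dict:
    """First and last active hour, plus the idle hours between them (e.g. a lunch break)."""
    if not hist:
        return {"first_hour": None, "last_hour": None, "gaps": []}
    first, last = min(hist), max(hist)
    gaps = [h for h in range(first, last + 1) if h not in hist]
    return {"first_hour": first, "last_hour": last, "gaps": gaps}


def plausible_offsets(times: list, start: int = 7, end: int = 18) -> list:
    """Whole-hour UTC offsets under which every beacon lands in [start, end) local time."""
    return [off for off in range(-12, 15)
            if all(start <= (t + timedelta(hours=off)).hour < end for t in times)]


if __name__ == "__main__":
    beacons = parse_beacons(SAMPLE_LOG)
    print("plausible offsets:", plausible_offsets(beacons))
    hist = hour_histogram(beacons, 8)
    print(hist, inferred_schedule(hist))
```

On the constructed sample only UTC+8 puts every beacon inside a 07:00-18:00 day, and the histogram at that offset shows a 07:00 start, a gap at 12:00-13:00 and nothing after 17:00. Real data needs many more beacons and weekday/weekend separation before the pattern means anything, and automated beacons with fixed intervals will flatten it entirely; the method supports a time-zone hypothesis, it does not by itself attribute anything.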