FireEye Finds Chinese APT Group Attacked Hong Kong Media Outlets

SINGAPORE - Media OutReach - Dec 1, 2015 - FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today released the results of its research into a recent campaign carried out by a Chinese cyber threat group--referred to as "admin@338" --targeting Hong Kong-based media organizations. 

Group lured journalists with decoy documents about newsworthy events and abused Dropbox for communications.

In August, the group sent spear phishing emails about newsworthy developments with malicious attachments to Hong Kong-based media organizations, including newspapers, radio, and television outlets. One email referenced the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. Another email referenced a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests. 

Figure 1: Screenshots of spear phishing emails admin@338 sent to journalists

The group employed malware called LOWBALL which abuses Dropbox, a legitimate cloud storage service, for command and control purposes. When FireEye researchers alerted Dropbox to the group's activities, Dropbox promptly blocked the access token used by LOWBALL. In doing so, Dropbox disrupted the group's command and control capabilities in all observed versions of the malware.

FireEye has observed targeted attacks by multiple Chinese threat groups on journalists at international and domestic media organizations in Asia. These attacks have often focused on Hong Kong-based media, particularly those that publish pro-democracy material. Journalists located in Taiwan, Southeast Asia, and elsewhere in the region have also been targeted.

"Journalists in Asia are routinely subject to these targeted cyber attacks. They are dependent on information from many different sources, which makes them easy to target. The information journalists have and the identity of their sources can be valuable intelligence. Without adequate technological defenses, they make easy victims," said Bryce Boland, chief technology officer for Asia Pacific at FireEye.

FireEye has tracked admin@338's activity since 2013. The group has largely targeted organizations involved in financial, economic, and trade policy. FireEye first observed the group targeting media outlets in April 2015.

The group's previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the Traditional Chinese script commonly used in Hong Kong.

In April, FireEye released a report on APT30, a Chinese-linked group which waged a decade-long cyber espionage campaign on Southeast Asia and India. APT30 also targeted journalists, but FireEye has not observed any direct links between that group and admin@338.

Find additional details in a post from FireEye Threat Intelligence:

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 4,000 customers across 67 countries, including 650 of the Forbes Global 2000.

© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

The owner of will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.Report any Broken Download linkon Blogmytuts Facebook Page. IF YOU WANT TO BORROW MY CONTENT PLEASE CONTACT US..
Share on Google Plus

About Jaime Lacson

A Freelance Computer Tech with knowledge about computer, router and mobile phones, especially in Upgrade and Downgrade OS, Software and Hardware troubleshooting. follow me at Google+
    Blogger Comment
    Facebook Comment