FireEye, a US-based network security company, has released the results of its research into a recent campaign carried out by a Chinese cyber threat group, referred to as “[email protected]”, using Advanced Persistent Threat (APT) methods targeting Hong Kong-based media organizations.
In August, the group sent spear phishing emails about newsworthy developments with malicious attachments to Hong Kong-based media organizations, including newspapers, radio, and television outlets.
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information on targeted individuals or groups.
One such email referenced the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. Another email referenced a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.
The Chinese group used a malware called LOWBALL which abuses Dropbox, a legitimate cloud storage service, for command and control purposes. When FireEye researchers alerted Dropbox to the group’s activities, Dropbox promptly blocked the access token used by LOWBALL. In doing so, Dropbox disrupted the group’s command and control capabilities in all observed versions of the malware.
FireEye has observed targeted attacks by multiple Chinese threat groups on journalists at international and domestic media organisations in Asia. These attacks have often focused on Hong Kong-based media, particularly those that publish pro-democracy material. Journalists located in Taiwan, Southeast Asia, and elsewhere in the region have also been targeted.
“Journalists in Asia are routinely subject to these targeted cyber attacks. They are dependent on information from many different sources, which makes them easy to target. The information journalists have and the identity of their sources can be valuable intelligence. Without adequate technological defenses, they make easy victims,” said Bryce Boland, chief technology officer for Asia Pacific at FireEye.
FireEye has tracked [email protected]’s activity since 2013. The group has largely targeted organisations involved in financial, economic, and trade policy. FireEye first observed the group targeting media outlets in April 2015.
The group’s previous activities against financial and policy organisations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.
In April, FireEye released a report on APT30, a Chinese-linked group which waged a decade-long cyber espionage campaign on Southeast Asia and India. APT30 also targeted journalists, but FireEye has not observed any direct links between that group and [email protected]