
Chinese malware targeted US drone secrets, security firm alleges

'Beebus' campaign took big interest in small UAV companies

A series of highly-targeted malware attacks detected a year ago are almost certainly part of a longstanding and determined Chinese campaign to steal industrial secrets from US companies working in the field of UAVs (Unmanned Aerial Vehicles), security firm FireEye has claimed.

The idea that the Chinese state or its helpers might be conducting mass digital raids on US companies is no longer as contentious or extraordinary as it would once have seemed, which is just as well because 'Operation Beebus' (named after a domain used in early attacks) looks like an open-and-shut case.

The attacks themselves used very basic spear-phishing designs: malicious or 'weaponised' PDFs were emailed to named targets and, on PCs vulnerable to one or more common software flaws, the documents installed Trojan backdoors.

FireEye noticed the attacks on some of its customers in the aerospace and defence sectors last March, and has logged successive waves of the malicious PDFs turning up at regular intervals since then.

The evidence for Chinese involvement in Beebus was compelling, starting with the not inconsiderable fact that it appeared to reuse or have in common some of the command and control infrastructure connected to an infamous APT (Advanced Persistent Threat) attack on RSA's SecurID token system in 2011, later traced to the country by official sources.

The Beebus attackers also used a TTP (tactics, techniques, and procedures) identical to one seen in the RSA hack, that of obfuscated/encrypted HTML, labelled by US intelligence as the handiwork of the Chinese 'Byzantine Candour' group, FireEye said.

"We have enough evidence that points heavily in that direction," said a FireEye spokesperson of the Chinese connection. "We knew this was being done on behalf of a nation state," he said.

In total the C&C (command and control) infrastructure spanned 214 servers on 60 unique IP addresses, a large investment in time and effort.

Despite the campaign's lack of sophistication, FireEye said, "we believe the attack was largely successful."

All of the targeted firms were in defence and aerospace with an unusual focus on those in the supply chain involved in UAV and other robotic aircraft.

A spreadsheet seen by Techworld, noting the nature of the attacks, recorded 261 separate attacks on FireEye customers in 2012, 123 of which were on UAV or UAS (Unmanned Aerial Systems) vendors.

According to FireEye, the attackers used the simplest attack design to get the job done, changing malware and subject lines only as often as they had to. This suggested that the organisation launching the attacks probably saw its work in a commercial rather than political light.

Last week, two US newspapers alleged cyberattacks by Chinese actors on their journalists as part of a campaign to monitor their emails. Meanwhile, similar reports of attacks on larger companies are now routine.

Some in the US are still reluctant to openly blame China but they are gradually retreating into the minority as even prominent figures such as Eric Schmidt of Google raise the issue more openly.
