Advertisement

Hacker 'mercenaries' linked to Japan, South Korea spying: researchers

An employee works near screens in the virus lab at the headquarters of Russian cyber security company Kaspersky Labs in Moscow in this July 29, 2013 file photo. REUTERS/Sergei Karpukhin/Files

By Joseph Menn Washington (Reuters) - A small, sophisticated international hacking group was responsible for a widely publicized 2011 spying attack on members of Japan's parliament as well as dozens of previously undisclosed breaches at government agencies and strategic companies in Japan and South Korea, security researchers said. Researchers at Kaspersky Lab believe they have found a squad of hackers for hire, who contract out to governments and possibly businesses, in contrast to recent reports on hacks said to be carried out by full-time government employees. "What we have here is the emergence of small groups of cyber-mercenaries available to perform targeted attacks," said Kaspersky's global research director, Costin Raiu, in an interview with Reuters. "We actually believe they have contracts, and they are interested in fulfilling whatever the contract requirements are," he said. The espionage against members of the Japanese Diet had been blamed by that country's officials on Chinese hackers, according to local media, but few details had been provided. Kaspersky attributed the attack to the new group. He was unable to say if the Chinese government was behind or contributed to the attack. Logs and other records show that the same group also took aim at some of the world's biggest shipbuilders, media companies and defense contractors including Selectron Industrial Co., although Kaspersky did not say which attacks had been successful. Selectron, which supplies U.S.-designed components to defense and industrial customers in Korea, Japan and elsewhere, had no immediate comment. Kaspersky said it was working with some of the companies and with law enforcement in multiple countries. In a report released on Wednesday, Kaspersky said researchers had won access to many of the command computers used in the campaigns and that logs and other material showed a long list of intended victims. They said that comments within the attack programs and the names of some internal files were in simplified Chinese, but that members of the group were also conversant in Japanese and Korean, suggesting a presence in all three countries. Servers were discovered in China, Japan, Hong Kong, Taiwan, Korea and the United States. Hacking teams often suck up enormous amounts of data with little discrimination over long periods, aiming to filter through the trove afterwards, according to reports suspected state-sponsored electronic espionage. But this team acted with great precision, targeting specific documents or log-in credentials and then leaving the victimized network within weeks. The report by Moscow-based Kaspersky follows a September 17 research paper by SymantecCorp that blamed a separate, larger Chinese group for well-known attacks on Google Inc, EMC Corp's RSA division, and Adobe Systems Inc. Kaspersky dubbed the new campaign IceFog, after the name of one of the control servers, and said attacks typically began with emails tailored to a specific person at a victim company. Microsoft Word or other attachments, once opened, allowed direct access to the attackers, who then roamed the network looking for blueprints or other treasure. The multiple security holes that were used were previously known, but the systems had not been patched. There were a few dozen victims who used Windows, Raiu said. A Mac variant of the same malicious software was detected in thousands of infections, but was spread casually on a Chinese-language bulletin board, perhaps as a test. He said there was no evidence that any of the Mac victims had files copied and removed. The hackers have changed their attack software in the past two years, leaving fewer clues to what was done, Kaspersky said. The objectives of the customers appeared to vary. In one case, the detailed budget for a national army was sought, Kaspersky said, declining to name the army. In other cases, product blueprints were sought. Raiu saw no evidence of tampering or destruction, only the removal of sensitive information. (Reporting by Joseph Menn; editing by Peter Henderson and Andrew Hay)