By Joseph Menn
Washington, Sept 25, 2013
A small, sophisticated international hacking group was responsible for a widely publicized 2011 spying attack on members of Japan's parliament as well as dozens of previously undisclosed breaches at government agencies and strategic companies in Japan and South Korea, security researchers said.
Researchers at Kaspersky Lab believe they have found a squad of hackers for hire, who contract out to governments and possibly businesses, in contrast to recent reports on hacks said to be carried out by full-time government employees.
"What we have here is the emergence of small groups of cyber-mercenaries available to perform targeted attacks," said Kaspersky's global research director, Costin Raiu, in an interview with Reuters.
"We actually believe they have contracts, and they are interested in fulfilling whatever the contract requirements are," he said.
The espionage against members of the Japanese Diet had been blamed by that country's officials on Chinese hackers, according to local media, but few details had been provided. Kaspersky attributed the attack to the new group. Raiu was unable to say whether the Chinese government was behind or contributed to the attack.
Logs and other records show that the same group also took aim at some of the world's biggest shipbuilders, media companies and defense contractors including Selectron Industrial Co., although Kaspersky did not say which attacks had been successful.
Selectron, which supplies U.S.-designed components to defense and industrial customers in Korea, Japan and elsewhere, had no immediate comment.
Kaspersky said it was working with some of the companies and with law enforcement in multiple countries.
In a report released on Wednesday, Kaspersky said researchers had won access to many of the command computers used in the campaigns and that logs and other material showed a long list of intended victims.
They said that comments within the attack programs and the names of some internal files were in simplified Chinese, but that members of the group were also conversant in Japanese and Korean, suggesting a presence in all three countries.
Servers were discovered in China, Japan, Hong Kong, Taiwan, Korea and the United States.
Hacking teams often suck up enormous amounts of data with little discrimination over long periods, aiming to filter through the trove afterwards, according to reports on suspected state-sponsored electronic espionage.
But this team acted with great precision, targeting specific documents or log-in credentials and then leaving the victimized network within weeks.
The report by Moscow-based Kaspersky follows a Sept. 17 research paper by Symantec Corp that blamed a separate, larger Chinese group for well-known attacks on Google Inc, EMC Corp's RSA division, and Adobe Systems Inc.
Kaspersky dubbed the new campaign IceFog, after the name of one of the control servers, and said attacks typically began with emails tailored to a specific person at a victim company.
Microsoft Word or other attachments, once opened, allowed direct access to the attackers, who then roamed the network looking for blueprints or other treasure. The multiple security holes that were used were previously known, but the systems had not been patched.
There were a few dozen victims who used Windows, Raiu said. A Mac variant of the same malicious software was detected in thousands of infections, but was spread casually on a Chinese-language bulletin board, perhaps as a test. He said there was no evidence that any of the Mac victims had files copied and removed.
The hackers have changed their attack software in the past two years, leaving fewer clues to what was done, Kaspersky said.
The objectives of the customers appeared to vary. In one case, the detailed budget for a national army was sought, Kaspersky said, declining to name the army. In other cases, product blueprints were sought.
Raiu saw no evidence of tampering or destruction, only the removal of sensitive information.