Free Republic

Cybersecurity Group FireEye Says Chinese Regime-Linked Hackers Hit Multiple US Targets
Epoch Times ^ | 03/05/2021 | Tom Ozimek

Posted on 03/05/2021 12:41:57 PM PST by SeekAndFind

Cybersecurity group FireEye said Thursday it found evidence that hackers linked to the Chinese regime exploited a flaw in a Microsoft email application to go after a number of American targets, including a university and local governments.

FireEye analysts wrote in a blog post that the company built “higher-fidelity detections” and launched multiple threat hunting campaigns after Microsoft confirmed earlier this week that a Chinese state-sponsored hacking group known as “Hafnium” had exploited vulnerabilities in Microsoft’s Exchange Server email program.

Using its array of detection methods and tools, FireEye found that “the activity reported by Microsoft aligns with our observations” and said that the Hafnium hackers targeted a range of victims, including “U.S.-based retailers, local governments, a university, and an engineering firm,” as well as a Southeast Asian government and a Central Asian telecom.

FireEye said Hafnium hackers earlier targeted U.S.-based universities, defense contractors, and infectious disease researchers.

The analysts said FireEye is currently tracking the malicious activity in three clusters, but warned that they expect to find additional clusters as they respond to intrusions.

“We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity,” the analysts said.

For those looking for potential evidence of compromise, FireEye recommends checking for files written to the system by w3wp.exe or UMWorkerProcess.exe, for requests to non-existent resources, and for suspicious or spoofed HTTP User-Agents.

“In our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise,” the analysts said.

It comes days after Microsoft said in a blog post that the Chinese regime-linked hacking campaign made use of four previously undetected vulnerabilities in different versions of the Exchange Server software.

Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds,

(Excerpt) Read more at theepochtimes.com ...


TOPICS: Computers/Internet; Conspiracy; Society
KEYWORDS: china; cybersecurity; fireeye; hacking

1 posted on 03/05/2021 12:41:57 PM PST by SeekAndFind
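The hunting guidance quoted in the excerpt above (files written by w3wp.exe or UMWorkerProcess.exe, requests to non-existent resources, suspicious or spoofed User-Agents, and the caveat that web shell file names differ per intrusion) as a worked example. This is added illustration code, not FireEye's or Microsoft's tooling: the file-creation events, the IIS log lines, the path prefixes and the User-Agent watchlists are all constructed for the example and are not indicators published on this page.

```python
"""Added example: hunting for the three indicator classes FireEye describes.

Two data sources, both constructed for this example:
  1. Sysmon-style file-creation events (Image = writing process,
     TargetFilename = file written), to catch w3wp.exe / UMWorkerProcess.exe
     dropping server-side script files anywhere on disk, whatever the name.
  2. IIS W3C log lines, to catch POSTs to non-existent Exchange resources and
     suspicious or spoofed User-Agents.
"""

# --- 1. files written by the IIS worker or Unified Messaging process ---------

FILE_EVENTS = [  # constructed sample events (assumed field names)
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\zx8kq.aspx"},
    {"Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\temp\IIS Temporary Compressed Files\page.gz"},  # benign cache write
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\admin\Desktop\notes.aspx"},  # wrong writer, ignored
]

WRITER_PROCESSES = {"w3wp.exe", "umworkerprocess.exe"}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")  # what a web shell is usually written as


def suspicious_file_writes(events):
    """Return (process, path) for script files written by the two processes.

    Keyed on the writing process and the file type, not on the file name,
    because the names differ per intrusion and are not a reliable indicator.
    """
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        target = ev["TargetFilename"]
        if image in WRITER_PROCESSES and target.lower().endswith(SCRIPT_EXTENSIONS):
            hits.append((image, target))
    return hits


# --- 2. IIS logs: non-existent resources and odd User-Agents -----------------

IIS_SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 04:12:07 10.0.0.5 POST /owa/auth/x.js - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-03-03 04:12:09 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.9 Mozilla/5.0+(compatible;+Baiduspider/2.0) 404
2021-03-03 04:12:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2021-03-03 04:13:40 10.0.0.5 POST /aspnet_client/system_web/zx8kq.aspx - 443 - 203.0.113.9 curl/7.64.1 200
2021-03-03 04:14:02 10.0.0.5 GET /owa/favicon.ico - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 404
"""  # constructed log lines; the W3C format writes spaces inside the User-Agent as '+'

EXCHANGE_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/autodiscover/", "/aspnet_client/")
CRAWLER_TOKENS = ("bot", "spider", "crawler", "externalhit")  # real crawlers fetch, they do not POST
SCRIPT_TOOLS = ("python-requests", "curl/", "wget/", "go-http-client")  # assumed watchlist


def parse_iis(text):
    """Parse W3C-format IIS lines into dicts using the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def hunt_iis(rows):
    """Return (client ip, method, path, status, reasons) for rows worth a look."""
    findings = []
    for r in rows:
        ua, stem = r["cs(User-Agent)"].lower(), r["cs-uri-stem"].lower()
        method, status = r["cs-method"], r["sc-status"]
        reasons = []
        if method == "POST" and status == "404" and stem.startswith(EXCHANGE_PREFIXES):
            reasons.append("POST to non-existent Exchange resource")
        if method == "POST" and any(t in ua for t in CRAWLER_TOKENS):
            reasons.append("crawler User-Agent issuing a POST (spoofed)")
        if ua.startswith(SCRIPT_TOOLS) and stem.startswith(EXCHANGE_PREFIXES):
            reasons.append("scripting-tool User-Agent on an Exchange endpoint")
        if reasons:
            findings.append((r["c-ip"], method, r["cs-uri-stem"], status, reasons))
    return findings


if __name__ == "__main__":
    for proc, path in suspicious_file_writes(FILE_EVENTS):
        print(f"[file-write] {proc} wrote {path}")
    for ip, method, path, status, why in hunt_iis(parse_iis(IIS_SAMPLE)):
        print(f"[iis] {ip} {method} {path} -> {status}: {'; '.join(why)}")
```

On a real server the first hunt would read Sysmon Event ID 11 (FileCreate) records and the second the IIS logs under inetpub\logs\LogFiles; the point of the file-write check is that it does not depend on the web shell's name at all, which is exactly the caveat FireEye raises.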

To: SeekAndFind

Microsoft Outlook, especially for Office365, IS a flaw.


2 posted on 03/05/2021 12:44:51 PM PST by polymuser (A socialist is a communist without the power to take everything from their citizens...yet.)

To: SeekAndFind

But they didn’t do ANYTHING in the election.


3 posted on 03/05/2021 12:46:08 PM PST by DesertRhino (Dog is man's best friend, and moslems hate dogs. Add that up. .... )

To: All

There was an excellent book I read: “Stealth War: How China Took Over While America’s Elite Slept” by Gen. Robert Spalding (Ret.) who was the JCS specialist on cyberwarfare.

There is a chapter in that book that is both gut-wrenching, yet morbidly fascinating in which a company that developed a “green” product and was bringing it to market, getting ready to make an IPO, suddenly began having problems.

They were screwing up their shipments, some were mis-filled, some were sent to the wrong location, some were simply not sent at all. The guy in charge of distribution was fired and a new person hired, but the problem persisted.

They had financial difficulties to the point they decided to sell the company, and a Chinese firm came in with a specific offer to buy, which upon analysis, they could only conclude had been created and offered by them with specific knowledge of inside information.

They got suspicious and did an audit. Their networks and systems had been hacked by sources in China.

And what the hackers did in quite sophisticated ways was get into their email system and randomly delete requests for quotes and such. Not all of them. Just some of them. And they deleted various targeted communications both inbound and outbound. They also hacked into their order and distribution system, and changed (not all, just a few...randomly, here and there) the types of things ordered, the quantity ordered, or just simply...deleted an order.

Enough to destroy their customer service capabilities and customer base. But they did it in such a random and targeted way that normal ways of looking at issues didn’t pick it up.

They also got into their financial systems, which is where they got the specific information to build a targeted offer to buy that really tipped them off.

These were not the tactics employed by your run of the mill corporate saboteurs. Government analysts concluded that it was done by the Chinese government, a military branch, or at least one run like a military branch.

All this, and they weren’t even just trying to “steal the patent” or product. They were openly trying to steal the company with the full power, backing, and support of the Chinese government.

Open, unashamed, economic warfare.


4 posted on 03/05/2021 12:49:08 PM PST by rlmorel ("I’d rather enjoy a risky freedom than a safe servitude." Robby Dinero, USMC Veteran, Gym Owner)

To: SeekAndFind

An invitation to meet behind the gym will be forthcoming from the white tent.


5 posted on 03/05/2021 12:54:01 PM PST by rktman (Destroy America from within? Check! WTH? Enlisted USN 1967 to end up with this?)

To: polymuser

Outlook is a security mess.
I’m surprised any major company uses it.


6 posted on 03/05/2021 12:55:02 PM PST by Zathras

To: DesertRhino

“the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise,”

Just wow, who would have ever thought that a compromise of this sort would use random file names.

So if the intrusion used static file names like Code Red or Nimda it would be a lo-fidelity attack?

P.S. BTW, we are FireEye, the premier intrusion detection company, and once Microsoft gave us the details of the compromise we adjusted our detection so we can maybe find it.
Don’t pay lo-fi prices when you can pay more for our tweaked hi-fi.


7 posted on 03/05/2021 12:57:24 PM PST by algore

To: polymuser

I am at the point that I will use ANYTHING except Google.

Google, from top to bottom, is the essence of evil, IMO.

And it is what I am forced to use at work right now.


8 posted on 03/05/2021 12:59:51 PM PST by rlmorel ("I’d rather enjoy a risky freedom than a safe servitude." Robby Dinero, USMC Veteran, Gym Owner)

To: Zathras

Outlook as a client side product or Exchange? You understand that the vulnerability was in Exchange, not Outlook, right?

When you all who are clinging to your Windows 7 and proclaiming that you’ll never leave it start finding your data strewn to the wind, don’t say you weren’t warned. You have to patch your systems regularly. There are too many bad actors out there who want your data, and in products like Windows with millions of lines of code, of course you’re going to find vulnerabilities at some point.

The bad guys continue to improve, but everyone’s so quick to point fingers at the software developer as the problem when they issue patches to fix their products to prevent security issues. Do you all understand how ridiculous that sounds?


9 posted on 03/05/2021 1:00:57 PM PST by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)

To: SeekAndFind

‘We should be honored the Great Chinese Nation pilfered our technological secrets by hacking our secure computer systems. If you’re offended by this, it’s a sign of your White Privilege and membership in the Trumpian White Nationalist Patriarchy. Only Neanderthals care about cyber-security.’

- Jen Psaki, soon.


10 posted on 03/05/2021 1:01:11 PM PST by ScubaDiver (Reddit refugee.)

To: rlmorel

Bkmrk


11 posted on 03/05/2021 1:20:47 PM PST by RushIsMyTeddyBear (RIP my "teddy bear". )

To: polymuser

Microsoft Outlook, especially for Office365, IS a flaw.


12 posted on 03/05/2021 1:28:39 PM PST by PIF (They came for me and mine ... now its your turn)

To: PIF

Imagine a business using MS Windows 10 PCs running MS OneDrive (cloud), MS Office365, MS Exchange and MS TEAMS.

All their company data and comms in Microsoft’s basket.

On an intelligence scale of 0 to 10, where is that?


13 posted on 03/05/2021 1:35:13 PM PST by polymuser (A socialist is a communist without the power to take everything from their citizens...yet.)

To: SeekAndFind

For further details on what Microsoft found, check out:
HAFNIUM targeting Exchange Servers with 0-day exploits

Microsoft Threat Intelligence Center (MSTIC)
Microsoft 365 Defender Threat Intelligence Team
Microsoft 365 Security

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/


14 posted on 03/05/2021 1:51:43 PM PST by Wish2Post

To: SeekAndFind

bttt


15 posted on 03/11/2021 4:42:36 PM PST by linMcHlp
