Red Star: Another advanced hacking crew from China is revealed
In the spirit of last February’s report by Mandiant detailing the exploits of a Chinese-government-linked hacker group, Russian IT security giant Kaspersky Lab today released a report on another sophisticated Chinese cyber-espionage outfit, dubbed the Red Star APT (Advanced Persistent Threat) by the lab.
According to the lab, this advanced hacker group of about 50 people has been active since at least 2005, possibly 2004, and has invaded the networks of more than 350 “high profile” victims ranging from Tibetan and Uyghur freedom activists to government agencies, embassies, universities, defense contractors, and oil companies in 40 countries using “covert surveillance” and espionage software called NetTraveler. (The name sounds so innocent, doesn’t it?)
Specifically, NetTraveler is delivered via a malicious Microsoft Office file inside a spearphishing email. Once installed on a machine, it steals sensitive data from victims’ machines, records victims’ keystrokes, and “retrieves” Microsoft Office files or PDF documents, according to Kaspersky. The malware is often used in conjunction with other cyberspy tools.
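The delivery path described above, a malicious Office or PDF attachment in a spearphishing mail, is something a mail gateway or analyst can triage before the file ever reaches a user. The script below is an added example and is not code from Kaspersky's report or from this article; it assumes nothing about NetTraveler's actual samples. It parses a constructed .eml with Python's standard `email` module, lists every attachment, identifies the real container format from the file's leading bytes rather than trusting the filename, and flags Office/PDF attachments, double extensions, and cases where the extension and the bytes disagree (a ".pdf" that is really a legacy OLE2 Office document, for instance). Such mismatches are a cheap, high-signal reason to route an attachment to a sandbox instead of the inbox.

```python
"""Attachment triage for inbound mail, modelled on the spearphishing delivery
described in the article. Added example; the sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the container formats NetTraveler-style lures tend to use.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx)
PDF_MAGIC = b"%PDF-"

# Which container each extension is supposed to carry.
EXPECTED_KIND = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".pdf": "pdf",
}
RISKY_EXTENSIONS = set(EXPECTED_KIND) | {".rtf"}


def classify_payload(data: bytes) -> str:
    """Identify the container format from the first bytes, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def triage_message(raw: bytes) -> list:
    """Return one finding per attachment with the reasons (if any) to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        data = part.get_payload(decode=True) or b""
        kind = classify_payload(data)
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append("office-or-pdf")
        # e.g. "agenda.doc.exe": the visible extension is a document, the real one is not
        if len(pieces) > 2 and "." + pieces[-2] in RISKY_EXTENSIONS:
            reasons.append("double-extension")
        # Extension promises one format, the bytes are another: classic lure disguise
        if ext in EXPECTED_KIND and kind != "unknown" and kind != EXPECTED_KIND[ext]:
            reasons.append("content-mismatch")
        findings.append({
            "filename": name, "kind": kind, "size": len(data),
            "reasons": reasons, "quarantine": bool(reasons),
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mail: a legacy .doc, a '.pdf' whose bytes are really OLE2,
    and a harmless text file. Addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Conference agenda (constructed sample)"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="agenda.doc")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Magic-byte checks only tell you what the container is, not whether it is malicious; the value here is in catching the cheap disguises and in making sure every Office/PDF attachment gets detonated or inspected, since the article's point is that even an old, patched Office flaw still works when the document reaches an unpatched machine.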
One of the best details about NetTraveler that Kaspersky listed in its report is the fact that it takes advantage of an old flaw in Microsoft Office, one the Seattle-based company issued a patch for a while ago. Nevertheless, poor network hygiene allowed the malware into victims’ networks.
“It is therefore surprising to observe that such unsophisticated attacks can still be successful with high-profile targets,” notes the lab’s report on Red Star, pointing out that, by not updating their software, the victims basically did some of the attackers’ work for them — they left the digital gate unlocked. Six of the victims were even infected by the Red October malware we told you about last fall.
“It’s kind of shocking that government institutions, diplomatic institutions that have been warned they were infected, they don’t do anything about it,” said Costin Raiu, director of the lab’s global research and analysis team, today during a cybersecurity forum in Washington that his company sponsored.
So, just what does the Red Star crew appear to be looking for? Sixty percent of its targets are government embassies, militaries, and other government agencies. The rest are predominantly research institutions, manufacturing firms, and aerospace businesses. The victims are also predominantly located in Asia, with Mongolia topping that list as the host of 29 percent of victims, followed by Russia (19 percent), India (11 percent), Kazakhstan (11 percent), and Kyrgyzstan (5 percent).
Among the information the Red Star gang is looking to steal is data on nanotechnology, lasers, aerospace technology, drilling gear, radio wave weapons, nuclear power, and communications tech, according to the lab.
Red Star recruits young hackers without a lot of technical expertise “who simply follow instructions” on how to develop and release NetTraveler on a set of targets they are given, Raiu said today. “They get a toolbox, they get instructions, they get the Trojans [malware] and they get a target — 20, 25, up to 30 different targets they need to attack. Just one single successfully completed project can actually pay their monthly expenses.”
The lab doesn’t come out and say that Red Star APT is affiliated with the Chinese government, only going so far as to say it is a “medium-sized threat actor group from China.” However, a number of factors suggest it might be. NetTraveler was developed by someone with native Chinese language skills, and IP addresses traced by Kaspersky are in China. What’s more, the victims are either businesses in sectors that China wants to excel in, political groups the Chinese government wants to keep tabs on, or government organizations. That being said, Red Star could just be “a non-government hacker group who steals IP and sells to whoever is buying,” Jeffrey Carr, CEO of cybersecurity firm TAIA Global, noted on Twitter last night.
John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.