Chinese Cyberspies Use PRISM (and Petraeus) As Bait


Cyberspies have wasted no time exploiting the release of secret documents about the National Security Agency's digital surveillance methods. Just this week, a new spearphishing campaign emerged that tries to lure its victims with a malware-laden email claiming to contain information on PRISM, the NSA's famous program that collects information on people's Internet activities.

The best part about this email? It's designed to look like it's from Jill Kelley, the woman who played a role in revealing David Petraeus' affair with Paula Broadwell.

The email itself contains a malicious Microsoft Word document, titled Monitored List 1.doc, that attempts to infect victims' machines with malware matching that used by the Chinese hacker crew known as Red Star APT, according to Brandon Dixon, who first discovered the attack.

(Red Star APT is the team that cybersecurity firm Kaspersky Lab revealed as being behind the NetTraveler attacks that we wrote about earlier this month.)

Red Star is believed by Kaspersky to be a state-backed hacking team similar to Unit 61398 of the PLA, better known as APT1, the alleged Chinese-government hacker crew whose exploits were revealed by cybersecurity firm Mandiant in February. APT1 was found by Mandiant to be stealing "hundreds of terabytes of data" from businesses around the world whose secrets the Chinese government had a strong interest in obtaining.

"The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan," reads Mandiant’s report on APT1.

The only known victim of this attack (so far) belongs to the Regional Tibet Youth Conference — an organization the Chinese government likely has a strong interest in keeping tabs on — another fact that makes security researchers like Dixon and the staff at Kaspersky Lab think that the Red Star APT crew are behind the attack. 

The latest email is full of terribly written English text about the Edward Snowden affair, making it seem as if this particular attack was designed by one of the newer recruits to Red Star, or to whichever organization is behind the attack.

"Omnipotent CIA agent, was a sudden, the CIA wanted his club hunt, Spy Game Hollywood blockbuster this week staged in reality true," reads the email’s first sentence.

Dixon notes that if this is Red Star (he hasn't yet been able to find the IP address or command and control server behind the email), they don't seem too concerned about the fact that everyone knows what they're up to.

"It’s funny to note that these actors are keeping up with their same techniques and infrastructure [not all of it] despite being 100% outed," he writes in his analysis of the email. "Again, this sort of behavior shows poor operational security or a complete lack of care."

"The NetTraveler attackers have been going strong since the early 2007-2008's and I doubt they will be stopping anytime soon," he noted.

With the publication of Mandiant's report earlier this year, combined with recent news about the NSA's vast overseas Internet spying operations (though neither of these was necessarily news to anyone paying attention), we might just be entering a new era in cyber conflict, where instead of operating in the shadows, state actors rifle through the world's secrets in plain view.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
