Network segmentation that restricts intruders' access to data would have helped contain Chinese hackers who breached computers at the foreign ministries of five European countries, an expert says.
The attacks were part of an ongoing campaign that began no later than 2010, security vendor FireEye reported Tuesday. While the company did not name any of the targets, The New York Times said they included the ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.
FireEye determined that once the hackers penetrated a network, they searched for users with privileged access in order to steal their credentials and use them to obtain high-value information. The vendor gathered attack data from one of 23 command-and-control servers used by the attackers.
The campaign, named Ke3chang after a reference found in the malware code, demonstrates that the probability of an attacker breaking into a network is high, Nart Villeneuve, senior threat intelligence researcher at FireEye, said. Therefore, the focus should be on limiting the amount of data available to hackers before they are discovered.
Network segmentation, which is the splitting of a computer network into sub-networks, would have limited the attackers only to the data and users of that small portion of the total network, Villeneuve said.
"Once the attackers were in, they immediately started moving around," he said. "If those chunks of the network were segmented, then it would limit the amount of damage that they could conduct, because the systems they compromised wouldn't have access to other segments of the network."
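The containment argument Villeneuve makes can be put in concrete terms. The following is an added illustration, not FireEye's tooling or anything from the article: it models a small, constructed host inventory, a flat policy in which every segment can talk to every other, and a segmented policy that permits only the flows a business needs, then computes how far an intruder who owns one workstation can pivot under each. Host names, segment names and the policy itself are assumptions made for the example.

```python
"""Blast-radius model: how segmentation bounds lateral movement.

Constructed example (not FireEye's data or code). Each host carries a
segment label; a policy is the set of (source_segment, destination_segment)
flows a firewall between segments permits. Hosts in the same segment are
assumed to reach each other freely. An intruder who controls a host may
connect to any host the policy allows from that host's segment, and every
host taken over becomes a new pivot point.
"""
from collections import deque

# Constructed inventory: host -> segment (assumed names, not real systems).
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "mail-01": "mail", "ad-dc-01": "identity",
    "file-01": "fileservers", "app-01": "appservers",
    "hr-db": "databases",
    "fin-ws-01": "finance", "fin-db": "finance",
}


def all_segments(hosts):
    return set(hosts.values())


# Flat network: any segment may reach any other segment.
FLAT_POLICY = {(s, d) for s in all_segments(HOSTS) for d in all_segments(HOSTS)}

# Segmented network: only the flows the business needs (assumed for the example).
SEGMENTED_POLICY = {
    ("workstations", "mail"),
    ("workstations", "fileservers"),
    ("workstations", "identity"),     # logon traffic to the domain controller
    ("workstations", "appservers"),
    ("appservers", "databases"),      # only the app tier talks to the database
    ("appservers", "identity"),
    ("mail", "identity"),
    ("fileservers", "identity"),
    ("finance", "identity"),          # finance hosts are otherwise isolated
}


def lateral_reach(start, hosts, policy):
    """Breadth-first search over permitted flows.

    Returns a dict mapping each reachable host to the host it was pivoted
    from, so a path back to `start` can be reconstructed. `start` itself is
    not included in the result.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        src_seg = hosts[src]
        for dst, dst_seg in hosts.items():
            if dst in parent:
                continue
            # Same segment: no firewall in between. Different segment: the
            # policy must explicitly allow the flow.
            if dst_seg == src_seg or (src_seg, dst_seg) in policy:
                parent[dst] = src
                queue.append(dst)
    del parent[start]
    return parent


def blast_radius(start, hosts, policy):
    """(hosts reachable from `start`, total hosts other than `start`)."""
    return len(lateral_reach(start, hosts, policy)), len(hosts) - 1


def pivot_path(start, target, hosts, policy):
    """Chain of hosts an intruder would hop through, or None if unreachable."""
    parent = lateral_reach(start, hosts, policy)
    if target not in parent:
        return None
    path = [target]
    while path[-1] != start:
        path.append(parent[path[-1]])
    return list(reversed(path))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reached, total = blast_radius("ws-01", HOSTS, policy)
        print(f"{name:9s}: intruder on ws-01 can reach {reached} of {total} hosts")
    print("path to hr-db under segmentation:",
          pivot_path("ws-01", "hr-db", HOSTS, SEGMENTED_POLICY))
    print("path to fin-db under segmentation:",
          pivot_path("ws-01", "fin-db", HOSTS, SEGMENTED_POLICY))
```

Two things the model makes visible that the quote only implies. First, segmentation is a bound, not a wall: the finance segment is unreachable from the compromised workstation, but the database is still reachable because workstations may talk to the application tier and the application tier may talk to the database, so a policy review has to consider transitive reach, not just direct rules. Second, the assumption that hosts inside one segment reach each other freely is exactly what makes "the systems they compromised" a useful pivot, which is why host-level restrictions within a segment shrink the radius further.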
The attackers, believed to be operating in China, were very selective about their targets, using three types of malware to attack a small number of entities in aerospace, energy, government, high-tech, consulting, and the chemical, manufacturing and mining sectors.
"Although we were able to track their activity back to 2010, the total number of attacks that we were able to uncover was fairly small, which to me indicates these attackers are quite selective of who they want to attack," Villeneuve said.
The most recent attacks occurred in August and September of this year and were aimed at the ministries in the five countries named by the Times, Villeneuve said. The attacks coincided with the Group of 20 summit of government leaders in Russia in September.
To entice potential victims, the hackers sent emails with attachments that allegedly contained documents on possible U.S. military intervention in the Syrian civil war.
The same group had conducted other attacks in 2012 and 2011. The former attack used emails with links to information related to the London Olympics, while the latter offered links to naked photos supposedly of pop star and former first lady of France Carla Bruni-Sarkozy. FireEye was unable to identify the targets of the attacks, but noted that the 2011 campaign coincided with the G20 summit in Paris that year.