The malware distributed in that campaign connected to a CnC server that had the string "g20news" in its host name. Because of this, FireEye believes the campaign's targets may have been related to the meeting between G20 finance ministers held in Paris on Oct. 15, 2011.
In 2012, the same group launched two other spear-phishing campaigns, one using a 2012 London Olympics theme and one using a fake threat report from a well-known security vendor, the FireEye researchers said.
The Ke3chang attackers used three backdoor malware programs over the years, dubbed "BS2005" — the latest — "BMW" and "MyWeb," but FireEye believes they stem from a single project created by one developer or a team of developers with access to the same source code.
There's no definitive proof that the Ke3chang group is from China, but some technical evidence points in that direction.
"The linguistic indicators in the malware itself combined with language of the command and control interface and the setting on the virtual machines the attackers used to test the malware before deploying it all indicate a Chinese origin," Nart Villeneuve, senior threat intelligence researcher at FireEye, said Tuesday via email. "However, we do not know their identities or any relationships that the attackers may or may not have with the Chinese government."
Other cyberespionage attacks have been attributed in the past by some security vendors to government-sponsored Chinese hacker groups, but the Chinese government dismissed those claims as false and said that it too is a victim of hacker attacks.
FireEye declined to name the compromised foreign affairs ministries, but Villeneuve said the company worked with law enforcement to notify the victims. However, the company was unable to identify the owners of some of the 21 compromised computers, he said.
The Ke3chang attackers have launched new campaigns since the "moviestar" one, but FireEye doesn't have the same level of visibility into those new attacks, Villeneuve said.