French Government Spear-Phished

At least 150 French government computers were breached after hackers used “spear-phishing” techniques to plant malware that monitored the machines for weeks before being discovered, according to media reports.

The attack commenced late last year, allowing the hackers to monitor official mailboxes and servers of the Ministry of Economy, Finances and Industry.  Some of the information accessed during the attacks included documents relating to the G20 economic group, being hosted and chaired this year by France.  They join a long list of sensitive bodies that have fallen prey over the past few years to attackers who were able to monitor private communications for weeks or months at a time.  Google and more than three dozen other companies were hit by attacks that bore many of the same characteristics.  Additional companies recently outed as victims of the so-called Operation Aurora attacks include Morgan Stanley, Sony, General Electric, Walt Disney, Dupont, and Johnson & Johnson, according to Bloomberg News.  A similar breach was recently reported against the Finance Department and Treasury Board of Canada, which hosted the G20 last year.

Sources say that some of the files were redirected to Chinese sites, but concede that this fact doesn’t really say much.  Chinese hackers and the Chinese government have lately been tied to a number of cyber attacks targeting government systems around the world but, as always, there is no incontestable proof of their guilt.  Rerouting attacks through third-party servers is a common ploy to cover an attacker’s tracks.

Emails containing malicious attachments and links were targeted at specific employees at all levels within the French ministry, spoofed to look like they came from colleagues or associates.  The attachments, once opened, installed backdoor programs onto the machines.  It is not clear whether the program then spread from PC to PC, or whether the spear-phishing campaign simply harvested the email addresses of those initially compromised and targeted them in turn, but at least 150 of the ministry’s 170,000 computers became infected.  Once the perimeter had been penetrated, the attackers transferred G20 documents to servers located in China.

  • Be careful of the emails that you receive, even if they come from people that you know.  If you are not expecting a specific email with an attachment, treat it with suspicion.  That means, call the person that sent it to you and confirm that they sent it.  It is easy to spoof an email.  It is also possible to take over an email account, so don’t rely on email for double-checking.
  • Open attachments selectively.  If you do open an attachment, saving it to disk first will often trigger a malware scan from anti-virus software.  It can’t detect everything, but it will find most malicious software.  Use a non-standard viewer rather than the native program.  There are viewers for every common file format.  I use several different ones for viewing PDF files, which have become very popular with malware authors lately for carrying and delivering their payloads.
  • Be especially suspicious of – Parcel Delivery emails, Invoice emails, Your Account emails, emails with a threatening tone, IRS and tax service emails, and unsolicited contest winner emails.  I hope by now everyone is aware of the Gotta Get Money Out Quick “419 scams”.  No rich ex-king or their heir is going to pick your name out of the phonebook to cut you in on a million dollar deal.
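The advice above can be turned into mechanical checks at the mail gateway or in a triage script.  The following is an added example, not code from the original post, that scores a raw RFC 822 message on the three things the list calls out: a sender that only looks like a colleague (display name claims the ministry’s domain, Reply-To or Return-Path points elsewhere), a Subject line matching one of the lure categories (parcel delivery, invoice, “your account”, threatening tone, tax service, contest winner), and an attachment that is executable or is a document format that deserves a scan or a non-native viewer.  The domain `ministry.example`, the sample messages, and the score thresholds are all constructed for this example; it generalises the list to every category at once rather than one lure type.

```python
"""Triage rules for spear-phishing lures (added example with constructed data)."""
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions that almost never arrive as a legitimate attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".hta"}
# Document formats that carry macros or exploits; the post singles out PDF.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".rtf", ".zip"}

# Lure categories from the advice list, as case-insensitive regexes over Subject.
SUBJECT_LURES = {
    "parcel delivery": r"\b(parcel|package|shipment|delivery)\b",
    "invoice": r"\binvoice\b",
    "your account": r"\byour account\b",
    "threatening tone": r"\b(suspended|final notice|immediately|legal action)\b",
    "tax service": r"\b(irs|tax refund|tax return)\b",
    "contest winner": r"\b(winner|you have won|prize)\b",
}


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a header, '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def assess_message(raw: str, trusted_domains: set) -> dict:
    """Return a score, a verdict and the reasons behind it for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons, score = [], 0

    from_hdr = msg.get("From", "")
    from_domain = _domain(from_hdr)
    display_name, _ = parseaddr(from_hdr)

    # 1. Spoofing indicators: where replies and bounces actually go.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        score += 3
    return_domain = _domain(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        reasons.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
        score += 2
    # Display name borrows a trusted domain while the real address is external.
    if from_domain not in trusted_domains:
        for trusted in trusted_domains:
            if trusted in display_name.lower():
                reasons.append(f"display name claims {trusted} but address is at {from_domain}")
                score += 3

    # 2. Subject lures named in the advice list.
    subject = msg.get("Subject", "")
    for label, pattern in SUBJECT_LURES.items():
        if re.search(pattern, subject, re.IGNORECASE):
            reasons.append(f"subject matches '{label}' lure")
            score += 1

    # 3. Attachments: executables are disqualifying, documents need scanning.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment {name}")
            score += 5
        elif ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"document attachment {name}: scan and open in a non-native viewer")
            score += 2

    verdict = "quarantine" if score >= 5 else "review" if score >= 2 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: a colleague-lookalike invoice lure with a disguised executable.
LURE_MESSAGE = """\
From: "Jean Dupont (ministry.example)" <jdupont@mail-relay.example.net>
Reply-To: collect@free-mail.example.org
To: analyst@ministry.example
Subject: Invoice 4471 - payment suspended, act immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached invoice.
--XYZ
Content-Type: application/octet-stream; name="invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: an ordinary internal message with no attachment.
BENIGN_MESSAGE = """\
From: Marie Martin <mmartin@ministry.example>
To: analyst@ministry.example
Subject: Agenda for Thursday's meeting
MIME-Version: 1.0
Content-Type: text/plain

See you at 10.
"""

if __name__ == "__main__":
    for sample in (LURE_MESSAGE, BENIGN_MESSAGE):
        print(assess_message(sample, {"ministry.example"}))
```

Scores are additive on purpose: a lone “invoice” subject only earns a review, while the combination of a borrowed display name, an external Reply-To and an executable attachment is quarantined outright, which mirrors the advice to weigh several signals rather than trusting the sender name alone.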