Category Archives: Cyber Attack

The State of Security: The Financial Fallout of a Cyber Attack on a Business

There were 978 million victims of cybercrime last year and these people lost a combined $172 billion, according to Norton. Those numbers alone should be enough to make businesses sit up and take notice. It’s important, too, to stress that it isn’t just the large corporations that suffer at the hands of online criminals. About half of […]

The post The Financial Fallout of a Cyber Attack on a Business appeared first on The State of Security.


Why the cyber threat landscape could grow under GDPR

The General Data Protection Regulation (GDPR) is only 3 short months away, with the incoming regulation seeing businesses across Europe and beyond bolster their cyber security in an effort to

The post Why the cyber threat landscape could grow under GDPR appeared first on The Cyber Security Place.

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash. The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram

PyeongChang 2018 Winter Olympics Opening Ceremony Disrupted by Malware Attack

The Pyeongchang Winter Olympics taking place in South Korea was disrupted over the weekend following a malware attack before and during the opening ceremony on Friday. The cyber attack coincided with 12 hours of downtime on the official website for the Winter Games, the collapse of Wi-Fi in the Pyeongchang Olympic stadium and the failure of televisions and internet at the main press center,

E Hacking News – Latest Hacker News and IT Security News: Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware is on the rise, organisations are focusing too much on anti-virus software rather than proactively forming strategies to deal with cyber-attacks, which could pose an indefinite threat to users. Nevertheless, one good piece of advice for dealing with this issue is the creation of air gaps, through which it becomes quite easy to store and protect critical data; they also allow offline storage of data. So, when a ransomware attack occurs, it should be possible to restore your data without much downtime – if any at all.

But it usually happens that organisations more often than not find themselves taking one step forward and then one step back. Traditionally, ransomware has focused more on backup programs and their associated storage, but it also seems keen on perpetually targeting the storage subsystems themselves, which has spurred organisations into having robust backup procedures in place to counter the attack if it gets through.

So, for organisations to be proactive, it is recommended that they adopt different ways of protecting data that allow it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations and activities.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

However, to defend against any cyber-attack there need to be several layers of defence, which may or may not consist of a firewall, anti-virus software or backup. The last layer of defence used, though, must be the most robust of them all, to stop any potentially costly disruption in its tracks before it’s too late. So, anti-virus software must still play a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom: “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttle it, or prevent it from accessing any storage system other than ones that are directly connected physically to the system.”

Turning to the traditional approach, data centres are often positioned in close proximity to each other to limit the impact of latency, but the fact that they are all too often situated within the same circles of disruption increases the financial, operational and reputational risks associated with downtime.

Therefore there are a few tips that can help the user protect data against ransomware attacks:

• The more layers you can add, the better.
• User education.
• Update your backup regularly – it can be the last layer of defence.
• Have a copy off site – tape or cloud – but don’t leave the drawbridge down.
• Plan your backup process around your recovery requirement.

By following these, one could successfully prevent cyber-attacks with ease and precision.

E Hacking News - Latest Hacker News and IT Security News

Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins

Two days ago when infosec bods claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of making fear-mongering headlines, taunting that the next headline could be about cryptocurrency-miner detected in a nuclear plant. It seems that now they have to run a

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage. Air-gapped computers are those that are

Business Wire Suffers Week-Long DDoS Attack

Press release network Business Wire has admitted suffering an ongoing Distributed Denial of Service (DDoS) attack lasting a week so far, in a sign of the continued pressure high-profile firms

The post Business Wire Suffers Week-Long DDoS Attack appeared first on The Cyber Security Place.

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems. Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same. Since the company has denied patching the issue, the vulnerability (

A New Cryptomining Botnet Called Smominru Infected Over 500 Thousand Windows Machines

Security researchers from Proofpoint (cybersecurity firm) have discovered that over 500 thousand Windows machines have been infected with Cryptomining malware

The post A New Cryptomining Botnet Called Smominru Infected Over 500 Thousand Windows Machines appeared first on Latest Hacking News.

Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals. Several cybersecurity firms are reporting of new cryptocurrency mining viruses that are being spread using EternalBlue—the

Improve collaboration to overcome cyber-attack security issues, say transportation security leaders

One of the keys to averting cyber-attacks on critical US transportation infrastructure, such as 2016’s ransomware attack on San Francisco’s transit network, lies in industry-wide collaboration, according to security experts

The post Improve collaboration to overcome cyber-attack security issues, say transportation security leaders appeared first on The Cyber Security Place.

The Superhuman Security Analyst: Are We Expecting Too Much?

If you have a minute, look at the average job description for an enterprise security analyst on any career website. The responsibilities are borderline superhuman, and the qualifications lengthy and

The post The Superhuman Security Analyst: Are We Expecting Too Much? appeared first on The Cyber Security Place.

Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples). In 2014, Mt Gox, one of the largest bitcoin exchange at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins. Apparently, the

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this. Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems. Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group,

Yikes! Three armed men tried to rob a Bitcoin Exchange in Canada

As many non-tech savvy people think that Bitcoin looks like a Gold coin as illustrated in many stock images, perhaps these robbers also planned to rob a cryptocurrency exchange thinking that way. All jokes apart, we saw one such attempt on Tuesday morning, when three men armed with handguns entered the offices of a Canadian Bitcoin exchange in Ottawa, and restrained four of its employees.

High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign

A Twitter campaign purportedly carried out by Turkish hacker group ‘Ayyildiz Tim’ has targeted the accounts of several high-profile individuals to spread political propaganda, according to McAfee. In a blog post

The post High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign appeared first on The Cyber Security Place.

Cybersecurity: What Does the Board Want and Need?

There should be little doubt about the importance of cybersecurity these days, given the amount of attention the topic has garnered. The attack surface is growing as a result of

The post Cybersecurity: What Does the Board Want and Need? appeared first on The Cyber Security Place.

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers. Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment. To play Blizzard games online using web browsers, users

Nearly Half of the Norway Population Exposed in HealthCare Data Breach

Cybercriminals have stolen a massive trove of Norway's healthcare data in a recent data breach, which likely impacts more than half of the nation's population. An unknown hacker or group of hackers managed to breach the systems of Health South-East Regional Health Authority (RHF) and reportedly stolen personal info and health records of some 2.9 million Norwegians out of the country's total

5 steps to boost your application security testing ROI

Even in the era of AI hype, spending more does not necessarily mean spending wiser. While Gartner forecasts global cybersecurity spending to reach $96.3 billion already this year, Gemalto reports a

The post 5 steps to boost your application security testing ROI appeared first on The Cyber Security Place.

15-Year-Old Schoolboy Posed as CIA Chief to Hack Highly Sensitive Information

Remember "Crackas With Attitude"? A notorious pro-Palestinian hacking group behind a series of embarrassing hacks against United States intelligence officials, it leaked the personal details of 20,000 FBI agents, 9,000 Department of Homeland Security officers, and some number of DoJ staffers in 2015. Believe it or not, the leader of this hacking group was just 15 years old when he used "social

Benefits of cloud computing security tools for data storage

As businesses and public sector services become more reliant on technology, the cyber attack surface area increases. Society has been transformed by advanced levels of technology, which has and is

The post Benefits of cloud computing security tools for data storage appeared first on The Cyber Security Place.

New Mirai Okiru Botnet targets devices running widely-used ARC Processors

The cybersecurity threat landscape has never been more extensive and is most likely to grow exponentially in 2018. Although the original creators of Mirai DDoS botnet have already been arrested and jailed, the variants of the infamous IoT malware are still in the game due to the availability of its source code on the Internet. Security researchers have spotted a new variant of infamous Mirai

Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers

Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, the variants of the notorious botnet are still in the game due to the availability of its source code on the Internet. Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices, including home and office routers, that could be

CISOs are feeling less confident than ever about cyber risk and data security

Chief Information Security Officers are feeling less confident than ever about cyber-risk and data security this year, according to a survey conducted by Ponemon Institute in late 2017. As today’s climate

The post CISOs are feeling less confident than ever about cyber risk and data security appeared first on The Cyber Security Place.

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products. The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20

Two Romanians Charged With Hacking Police CCTV Cameras Before Trump Inauguration

Remember how some cybercriminals shut down most of Washington D.C. police's security cameras for four days ahead of President Donald Trump's inauguration earlier this year? Just a few days after the incident, British authorities arrested two people in the United Kingdom, identified as a British man and a Swedish woman, both 50-year-old, on request of U.S. officials. But now US federal court

Bleichenbacher’s Oracle Attack rediscovered after 19 years

A famous 19 year old vulnerability known as Bleichenbacher’s Oracle attack has been rediscovered in RSA encryption system to give man-in-middle access to encrypted messages. The ROBOT attack’s rediscovery was analysed and researched by Hanno Böck, Juraj Somorovsky of Ruhr-Universitat Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT. They have given detailed explanations of this

The post Bleichenbacher’s Oracle Attack rediscovered after 19 years appeared first on Hacker News Bulletin | Find the Latest Hackers News.

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macrocode calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder, and after eliminating any blacklisted filenames from an internal list, the malware creates a renamed copy of itself at “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplishes this by launching the following processes with their respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
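The macro-to-PowerShell launch described under “PowerShell Abuse” and the recovery-tampering commands listed just above are both visible in process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line auditing enabled). The Python script below is an added example, not FireEye's code and not part of Exploit Guard: it applies simple detection rules to a constructed set of process-creation records modelled on this campaign's chain. The file name profilest.exe comes from the write-up; the user name, paths and the base64 blob are made up, and the PowerShell switch patterns match the abbreviated parameter names powershell.exe accepts (-w hidden, -ep bypass, -enc …).

```python
"""Detect the Cerber launch chain in process-creation records (added example, not FireEye code)."""
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]           # keys: parent, image, cmdline (constructed records)
Finding = Tuple[int, str, str]   # (event index, rule name, matched detail)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# PowerShell switches used in the campaign: hidden window, policy bypass, encoded
# command, plus the download cradle that fetched the payload. Matched on the
# abbreviations powershell.exe accepts, case-insensitively.
PS_SWITCHES = [
    (re.compile(r"-w(in|indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(p|x|xec|xecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest", re.I), "download cradle"),
]

# Native utilities Cerber ran to remove recovery options (section "Shadow deletion").
RECOVERY_TAMPERING = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I), "shadow copies deleted (wmic)"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no", re.I), "Windows recovery disabled"),
    ("bcdedit.exe", re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I), "boot failure prompts suppressed"),
]

# Cerber's first stage was written to %APPDATA% (Roaming) and started by PowerShell.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\s\"]+\.exe", re.I)


def _base(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[Finding]:
    """Run the three rule families over every record and return the findings in order."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
        if image in PS_IMAGES:
            hits = [label for rx, label in PS_SWITCHES if rx.search(cmd)]
            if parent in OFFICE_APPS:
                # An Office process should never need to spawn PowerShell at all.
                detail = f"{parent} -> {image}: " + ", ".join(hits or ["no suspicious switches"])
                findings.append((i, "office_spawns_powershell", detail))
            elif hits:
                findings.append((i, "suspicious_powershell", ", ".join(hits)))
        if parent in PS_IMAGES and APPDATA_EXE.search(ev["image"]):
            findings.append((i, "powershell_runs_appdata_exe", ev["image"]))
        for util, rx, label in RECOVERY_TAMPERING:
            if image == util and rx.search(cmd):
                findings.append((i, "recovery_tampering", label))
    return findings


def severity(findings: List[Finding]) -> str:
    """'high' when the launch chain and backup destruction both appear, else 'medium'/'none'."""
    rules: Set[str] = {rule for _, rule, _ in findings}
    if "recovery_tampering" in rules and rules & {"office_spawns_powershell", "powershell_runs_appdata_exe"}:
        return "high"
    return "medium" if rules else "none"


# Constructed sample records shaped like the campaign's eight-step chain.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_PATH = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PAYLOAD = r"C:\Users\victim\AppData\Roaming\profilest.exe"
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\explorer.exe", "image": WORD_PATH, "cmdline": '"WINWORD.EXE" /n "C:\\Users\\victim\\Downloads\\invoice.docm"'},
    {"parent": WORD_PATH, "image": PS_PATH, "cmdline": "powershell.exe -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"parent": PS_PATH, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"parent": PAYLOAD, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": PAYLOAD, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "WMIC.exe shadowcopy delete"},
    {"parent": PAYLOAD, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS_PATH, "cmdline": "powershell.exe -NoProfile -Command Get-Process"},  # benign admin use
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for idx, rule, detail in found:
        print(f"event {idx}: {rule}: {detail}")
    print("severity:", severity(found))
```

The recovery-tampering rules are kept at medium on their own because backup agents legitimately call vssadmin; it is the parent chain (Office to PowerShell to an executable under %APPDATA%) that raises the verdict to high, which is also why the rule records the parent image rather than the command line alone.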


People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.



Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay ransom supports 12 languages


Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, using online lookup services to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers’ geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.


Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware will be launched each time the Windows command interpreter, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as the Run and RunOnce keys are also used.

A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.
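As an added example (not FireEye's code), the Python audit below parses a `reg export`-style dump of HKEY_CURRENT_USER and reports the persistence locations listed above (screensaver, Command Processor AutoRun, Run/RunOnce) when they point into a GUID-named folder under %APPDATA%, the drop location described under “Initial payload behavior”. It also checks whether the Word policy value blockcontentexecutionfromInternet is set, which is how “disabling support for macros in documents from the Internet” is enforced for Office 2016 through Group Policy (policy path and value name as documented by Microsoft for the 16.0 branch; adjust for other Office versions). The sample export, the GUID, the user name and the dllhost.exe file name are constructed; the startup-folder .lnk check is left out because it needs a directory listing rather than a registry export.

```python
"""Audit a REG 5.00 export for Cerber-style persistence (added example, not FireEye code)."""
import re
from typing import Dict, List, Optional, Set, Tuple

Hive = Dict[str, Dict[str, str]]  # key path -> {value name: data}

# Autostart locations named in the write-up. A value of None means "inspect every value".
WATCHED: Dict[str, Optional[Set[str]]] = {
    r"HKEY_CURRENT_USER\Control Panel\Desktop": {"SCRNSAVE.EXE"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor": {"AutoRun"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": None,
}
# Group Policy location for "Block macros from running in Office files from the Internet" (Word 2016).
MACRO_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security"
MACRO_POLICY_VALUE = "blockcontentexecutionfromInternet"

# Cerber's drop location: an executable inside a GUID-named folder directly under %APPDATA% (Roaming).
APPDATA_GUID_EXE = re.compile(r"\\AppData\\Roaming\\\{[0-9A-Fa-f-]{36}\}\\[^\\]+\.exe", re.I)


def parse_reg_export(text: str) -> Hive:
    """Minimal parser for 'reg export' text: [key] headers, "name"="string" and dword values.

    Other data types (hex:, expand strings) are kept as their raw text so that
    they still show up in the audit output.
    """
    hive: Hive = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
        elif current is not None and "=" in line and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"'):
                # Undo the export's escaping: \\ -> \ and \" -> "
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            hive[current][name] = data
    return hive


def audit(hive: Hive) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for watched autostart values pointing into %APPDATA%\\{GUID},
    plus any Command Processor AutoRun at all, which is rarely legitimate on a workstation."""
    findings = []
    for key, names in WATCHED.items():
        for name, data in hive.get(key, {}).items():
            if names is not None and name not in names:
                continue
            autorun = name == "AutoRun" and key.endswith("Command Processor")
            if autorun or APPDATA_GUID_EXE.search(data):
                findings.append((key, name, data))
    return findings


def macros_from_internet_blocked(hive: Hive) -> bool:
    """True when the Word policy value is present and set to 1."""
    return hive.get(MACRO_POLICY_KEY, {}).get(MACRO_POLICY_VALUE) == "1"


# Constructed sample export: three Cerber-style entries plus a benign OneDrive Run value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\Users\\victim\\AppData\\Roaming\\{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\\dllhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\victim\\AppData\\Roaming\\{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\\dllhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dllhost"="C:\\Users\\victim\\AppData\\Roaming\\{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\\dllhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfromInternet"=dword:00000000
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name, data in audit(parsed):
        print(f"{key}\\{name} -> {data}")
    print("macros from the Internet blocked:", macros_from_internet_blocked(parsed))
```

On a real host the input comes from `reg export HKCU hkcu.reg /y`, read with UTF-16 decoding since that is what reg.exe writes; the parser deliberately stores unknown data types raw rather than skipping them, so an attacker-chosen REG_EXPAND_SZ path still appears in the findings.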

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.


Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.


Double-edged Sword: Australia Economic Partnerships Under Attack from China

During a visit in mid-September, China’s Foreign Minister Wang Yi urged Australia to become “a bridge between east and west.” He was Down Under to discuss progress on the free trade agreement between Australia and China that seems likely by the end of the year. His comment referred to furthering the trade relationship between the two countries, but he might as well have been referring to hackers who hope to use the deepening alliance to steal information.

The Australian Financial Review (AFR) did an in-depth article with FireEye regarding Chinese attacks against Australian businesses, and this blog provides additional context.

Australia has experienced unprecedented trade growth with China over the last decade, which has created a double-edged sword. As Australian businesses partner with Chinese firms, Chinese-based threat actors increasingly launch sophisticated and targeted network attacks to obtain confidential information from Australian businesses. In the U.S. and Europe, Chinese attacks on government and private industry have become a routine in local newspapers.  Australia, it seems, is the next target.

The Numbers

First, let’s review the state of Australian and Chinese economic interdependence.  Averaging an annual 9.10% GDP growth rate over the last two decades, China’s unparalleled economic expansion has protected Australia from the worst of the global financial crisis effects. Exports to China have increased tenfold, from $8.3b USD in 2001 to $90b USD in 2013[i], with the most prominent commodities being iron ore and natural gas. Much of these resources originate in Australia, which puts China’s government under significant pressure to meet the skyrocketing demand for them. Despite the ever-increasing co-dependence Australia and China share as regional partners, Chinese authorities are likely supporting greater levels of monitoring and intelligence gathering from the Australian economy - often conducted through Chinese State-Owned Enterprises (SOEs) with domestic relationships in Australia.

SOE direct investment into Australia grew to 84% of all foreign investment inflows from China in 2014, primarily directed into the Australian mining and resource sector, a further signal of China's desire for control as it seeks a level of certainty in catering for its future internal growth. We suspect that government-commissioned cyber threat actors are targeting Australian firms with a specific agenda: to gain advantage over, and control of, assets both in physical infrastructure and intellectual property.


Figure 1. Chinese Direct Investment into Australia by industry

The Impacts

How have these partnerships impacted Australian networks? Mandiant has observed the strategic operations of Chinese threat actors targeting companies involved in key economic sectors, including data theft from an Australian firm. Chinese Advanced Persistent Threats (APTs) are likely interested in compromising Australian mining and natural resources firms, especially after spikes in commodity prices. The upward trend in APT attacks from China is also aimed toward the third parties in the mining and natural resources ecosystems. Mandiant believes there has been a significant increase in China-based APT intrusions focused on law firms that hold confidential mergers and acquisitions information and sensitive intellectual property. It is no coincidence that these third-party firms are often found lacking in network protections. The investigation also found that, at the time of compromise, the majority of victim firms were in direct negotiations with Chinese enterprises, highlighting attempts by the Chinese government to gain advantage in targeted areas.

Due to its endemic pollution problems, clean energy has become a critical industry for China, and the country has launched a plan to develop Strategic Emerging Industries (SEIs) to address it. Australian intellectual property and R&D in this area have become prime targets and now feature prominently in Chinese APT campaigns. Again, it is third parties such as law firms that are coming under attack.

Furthermore, to reduce China’s reliance on Australian iron ore exports, Beijing has initiated a plan to develop an efficient, high-end steel production vertical through strategic acquisitions in Australia and by intervening to prevent unfavorable alliances. For example, the SOE Chinalco bought into Australian mining companies, presumably to prevent a merger that would have disadvantaged its interests. Clearly, the confidential business information of Australian firms that export to China is increasingly sought after.

Mandiant found that the majority of compromised firms were either in current negotiations with Chinese enterprises or had previous business engagements with them. These attacks will persist as trade and investment grow, at the cost of confidential Australian business information such as R&D and intellectual property. As large Australian mining and resources firms may partner with the Australian Signals Directorate for security, the threat actors’ focus shifts to associated parties with access to sensitive data that may not have such a partnership. This calls for greater awareness of, and protection against, increasingly determined and advanced attacks.

The Bottom Line

Although this blog focuses on attacks against the Australian mining and resources sectors, Mandiant has observed these APT actors also focusing their attention on other sectors such as defence, telecommunications, agriculture, political organizations, high technology, transportation, and aerospace, among others. The broader lesson, drawing from U.S. and European experience with Chinese attacks, is that no one is or will be exempt. For all Australian businesses and governments, it is time to fortify defences for a new era of cyber security.


[i] Australian Government Department of Foreign Affairs and Trade.


Operation Saffron Rose

There is evolution and development underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of threat actors operating from Iran have traditionally been considered limited and have focused on politically motivated website defacement and DDoS attacks.

Our team has published a report documenting the activities of an Iran-based group known as the Ajax Security Team, which has been targeting both US defense companies and users in Iran who rely on popular anti-censorship tools to bypass the country’s Internet censorship controls.

This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used exploit code in web site defacement operations.

The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.

Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations have been somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.

View a full version of the report on "Operation Saffron Rose".