Chinese Cyberspies Use Malaysian Flight for Attacks

March 29, 2014 Updated: March 29, 2014

Spies tied to some of China’s largest cyberespionage campaigns are using the disappearance of Malaysian Flight MH 370 to infect computers of governments and think tanks.

Two of the attacks were uncovered by researchers at security company FireEye, who did not immediately respond to requests for interview.

FireEye found the attacks used a modified version of Poison Ivy, a remote-access tool favored in Chinese state-sponsored attacks. They also traced the attacks to a group dubbed “Admin@338,” which has been involved in previous Chinese espionage campaigns.

The cyberspies used the Malaysian flight as a lure to gain access. They sent emails to specific targets with an infected file that appeared to be about the Malaysian flight. If the victim opened the file, it would infect the computer with their espionage tool.

After gaining access, they would be able to monitor the victim’s computer, steal files, or even watch the victim through a webcam.

The group of cyberspies began their attacks on March 10—two days after the Malaysian flight disappeared—and targeted an unnamed foreign government in the Asian Pacific region, according to a FireEye analysis of the campaign.

The individuals sent an email to the target, with an attached file called “Malaysian Airlines MH370.doc.” If the victim opened the file, the cyberspies would then gain access to the computer.

Their next target was “a prominent U.S.-based think tank,” according to FireEye, and the hacking tool was disguised as a Flash video.
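Both lures described above follow one pattern: an attachment whose name promises news about the flight while its contents are something else. The following is an added example of the kind of attachment-triage heuristic a mail gateway or incident responder could run against that pattern; it is not code from FireEye, Kaspersky or the article, and the file names, byte strings and scoring weights are constructed for illustration. The article does not state the exact file format of either sample, so the example checks the general case: a declared extension whose magic bytes disagree, a directly executable extension, a decoy double extension, and a topical file name.

```python
import os

# Well-known leading magic bytes for the formats a lure commonly imitates.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                                 # .docx/.xlsx/.zip
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),      # Flash
    (b"FLV", "flv"),                                        # Flash video
    (b"%PDF", "pdf"),
]

# What the content should be for each claimed extension.
EXPECTED = {
    ".doc": "ole-compound", ".xls": "ole-compound", ".ppt": "ole-compound",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".swf": "swf", ".flv": "flv", ".pdf": "pdf",
}

# Extensions Windows runs directly; as an e-mail attachment each is a red flag on its own.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Hypothetical watch-list of terms from the news event being used as bait.
DEFAULT_LURE_TERMS = ("mh370", "mh 370", "malaysia")


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading magic bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes, lure_terms=DEFAULT_LURE_TERMS):
    """Score one attachment; a higher score means more reason to hold it for analysis.

    Returns (score, reasons). Weights are illustrative, not tuned on real traffic.
    """
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    score = 0

    if ext in EXECUTABLE_EXTS:
        score += 3
        reasons.append(f"directly executable extension {ext}")

    # "video.flv.exe"-style double extension: the inner extension is the decoy.
    inner_ext = os.path.splitext(stem)[1]
    if inner_ext in EXPECTED and ext in EXECUTABLE_EXTS:
        score += 2
        reasons.append(f"double extension {inner_ext}{ext}")

    # A document or media extension whose bytes say otherwise is the "disguised as" case.
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected is not None and kind != expected:
        score += 3
        reasons.append(f"extension {ext} claims {expected} but content is {kind}")

    # Topical names are weak evidence alone; they raise priority when combined with the above.
    if any(term in name for term in lure_terms):
        score += 1
        reasons.append("filename references a current news event")

    return score, reasons


# Constructed sample attachments: file name -> first bytes of the file.
SAMPLES = {
    "Malaysian Airlines MH370.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "MH370 search video.flv.exe": b"MZ\x90\x00" + b"\x00" * 28,
    "MH370 footage.swf": b"MZ\x90\x00" + b"\x00" * 28,
    "quarterly report.docx": b"PK\x03\x04" + b"\x00" * 28,
}


def run_demo(samples=SAMPLES):
    """Triage every constructed sample and return {name: (score, reasons)}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (score, reasons) in run_demo().items():
        print(f"{score:2d}  {name}: {'; '.join(reasons) or 'no findings'}")
```

Note that the genuine-looking `.doc` sample scores only for its topical name: a well-formed Office file carrying an exploit looks identical at the magic-byte level, so this heuristic prioritises what to detonate or inspect, it does not replace sandboxing or content inspection of documents.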

In October 2013, Admin@338 was involved in cyberespionage campaigns targeting a U.S. think tank, the Central Bank of an unnamed Western European government, a high-ranking government official in the Far East, and several other targets involved in trade and financial policy.

FireEye noted the 2013 espionage campaign was “apparently focused on gathering data related to international trade, finance, and economic policy.”

The attacks uncovered by FireEye were not the only Chinese attacks that are leveraging the Malaysian flight.

Security company Kaspersky found similar infected files disguised as information on the flight’s disappearance, which it traced back to groups behind some of China’s largest espionage campaigns.

The Chinese groups had been involved in operations to spy on diplomats, military contractors, and government agencies in 40 countries, according to Kaspersky’s ThreatPost blog. That campaign was called “NetTraveler.”

Other attacks the groups were connected to include Titan Rain, which was a large series of coordinated attacks against the U.S. government, and GhostNet, which was an international spying campaign that targeted several groups including the Tibetan government-in-exile and the private office of the Dalai Lama.

While the nature of cyberattacks makes them difficult to definitively pin on any specific country, the recent attacks wouldn’t be the first case of Chinese authorities trying to leverage Malaysian Flight MH 370 to further their own interests.

When China sent two warships to help with search efforts, Adm. Yin Zhuo of the People’s Liberation Army navy suggested that China build harbors and ports in the disputed Spratly Islands, in case China needs to help with search operations in the future.

He also used the search to call for the construction of an airfield in the disputed Spratly Islands.

Follow Joshua on Twitter: @JoshJPhilipp