Chinese Military Suspected in Cyberattacks on G20

August 27, 2013 Updated: December 15, 2013

A group of hackers is launching coordinated cyberespionage attacks on the political leaders, finance ministers, and heads of banks attending the G-20 Summit in St. Petersburg, Russia.

The Chinese military is the key suspect in the attacks. The group, tracked as “Calc Team” or “APT12,” has been linked by security researchers to operators inside the Chinese military. It is a separate group from “Unit 61398,” the Shanghai-based cyber unit of the Chinese People’s Liberation Army (PLA) that security firm Mandiant exposed as “APT1” in a report released in February.

Researchers at security company Rapid7 have analyzed the G20 attacks and say the tools and techniques match those the same Chinese military-linked hackers have used elsewhere.

They traced the attacks through specific attributes of the malware, as well as details of the network infrastructure that researchers had already identified, Claudio Guarnieri, a security researcher at Rapid7, said by email.

“Calc Team” went dormant for several months amid pressure from international media and governments. It re-emerged just two weeks ago with a new wave of cyberattacks against U.S. business and government targets, using updated versions of its attack tools.

The hackers are sending attendees malicious PDF documents that are copies of legitimate summit documents. From the information available, the decoys were built from publicly available files.

If a recipient opens one of the PDFs, it installs malware on the computer, including keyloggers and other tools. A keylogger records every keystroke, letting the attackers capture everything typed on the infected machine, including passwords and other sensitive information.
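The article does not say which PDF feature or flaw the lures abused, so the following Python script, added here as an example and not code from the article, from Rapid7 or from the attackers' toolkit, shows the generic static triage a recipient or mail gateway could run on such a document before it is opened. It flags the PDF name objects that weaponised documents rely on (/OpenAction, /AA, /JS, /JavaScript, /Launch, /EmbeddedFile, /RichMedia, /XFA) and undoes two evasions that defeat a naive grep: hex-escaped names (/J#53 for /JS) and keywords hidden inside FlateDecode-compressed streams. The three PDFs it scans are constructed inline for this example, with only enough object structure for the scanner to work; they are not the real summit lures and not conforming PDFs.

```python
"""Static triage of a PDF lure for auto-executing or active content.

Added example: scans a PDF for the name objects that weaponised documents
rely on, after undoing two evasions that defeat a naive grep: hex-escaped
names (/J#53 for /JS) and keywords hidden inside FlateDecode-compressed
streams. The sample PDFs below are constructed for this example.
"""
import re
import zlib

# /OpenAction and /AA say *when* something runs (document open, page open,
# mouse events); the ACTIVE names say that something runnable is present.
HOOK_NAMES = ("OpenAction", "AA")
ACTIVE_NAMES = ("JS", "JavaScript", "Launch", "EmbeddedFile", "RichMedia", "XFA")

# Match a risky name token; the lookahead stops /JS from matching /JSfoo.
_RISKY = re.compile(
    rb"/(" + b"|".join(n.encode() for n in HOOK_NAMES + ACTIVE_NAMES)
    + rb")(?![A-Za-z0-9_.])"
)
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")  # PDF name hex escape, e.g. #53 -> S
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode #XX escapes so that /J#53 reads as /JS before keyword matching."""
    return _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file followed by the inflated body of every stream that
    decodes as zlib data. Non-zlib streams (page text, images) fail the zlib
    header check and are skipped; a truncated stream yields its partial
    output, which is still enough for keyword matching."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Return {"/Name": count} for each risky name found after de-evasion."""
    view = normalize_names(inflate_streams(data))
    counts = {}
    for m in _RISKY.finditer(view):
        key = "/" + m.group(1).decode()
        counts[key] = counts.get(key, 0) + 1
    return counts


def has_active_content(data: bytes) -> bool:
    """True when the file carries runnable content, not merely an open hook."""
    found = triage_pdf(data)
    return any("/" + n in found for n in ACTIVE_NAMES)


# --- constructed samples (minimal object layout, not conforming PDFs) ------

# A plain one-page document: the only stream is page content, not zlib.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 31 >>\nstream\nBT /F1 12 Tf (G20 agenda) Tj ET\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# JavaScript wired to document open, with /JS hex-escaped as /J#53.
ESCAPED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert('G20')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def _build_compressed_pdf() -> bytes:
    """Same action dictionary, but hidden inside a FlateDecode stream."""
    packed = zlib.compress(b"<< /S /JavaScript /JS (app.alert('G20')) >>")
    head = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode()
        + b" >>\nstream\n"
    )
    return head + packed + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


COMPRESSED_PDF = _build_compressed_pdf()

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("escaped", ESCAPED_PDF),
                       ("compressed", COMPRESSED_PDF)):
        print(f"{label:10s} active={has_active_content(pdf)!s:5} {triage_pdf(pdf)}")
```

Run directly, it prints the name counts for each sample. A hit on /OpenAction alone is common in harmless files (it often just selects the page to open on), so the verdict keys on the presence of runnable content rather than on the hook; a real gateway would treat the counts as a reason to detonate the file in a sandbox, not as proof of compromise on their own.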

The attackers are relying on social engineering and spear phishing. Social engineering is the general term for tricking people into giving an attacker access to a computer; spear phishing is its email form: malicious messages tailored to, and aimed at, a specific person.

“Considering the context and the content of such documents, we can assume that the attackers are seeking after members of European institutions somewhat involved in financial policymaking,” states a Rapid7 blog post analyzing the attacks.

The G20 summit was most likely just a convenient way in to targets the group already wanted. “Government agencies and financial institutions are always a primary target for espionage,” Guarnieri said. “The attackers probably figured that the G20 theme might have been an effective way in.”

Guarnieri also noted that the hackers will likely try to maintain their access for the long term. After most hackers find a way into a system, “they definitely try to identify and exfiltrate any material that might be of interest.”

To exfiltrate data is to copy it illicitly and funnel it out of the network where its owner keeps it.

Follow Joshua on Twitter: @JoshJPhilipp