Chinese hackers tap into EU diplomatic communications network

The critical COREU network in the bloc has reportedly been compromised by a state-sponsored Chinese hacking group, leading to the theft of internal cables.

The Chinese government has been covertly monitoring communication between European government organizations and think tanks potentially for years, researchers claim.

In a report released Wednesday (PDF), researchers from Area 1 Security said that the ongoing campaign has "gained access into the diplomatic correspondence network of the European Union."

Unusual behavior was first spotted in April 2015. The firm suspected a cyberattack was taking place against Intergovernmental Organizations, Ministries of Foreign Affairs and Ministries of Finance, as well as trade unions and think tanks.

After tracking the suspected campaign for some time, in November this year Area 1 uncovered the successful infiltration of the Ministry of Foreign Affairs of Cyprus and, through it, the COREU network, a key system that provides the backbone of communications between all 28 EU countries.

The communications platform is also utilized by the Council of the European Union, the European External Action Service, and the European Commission.

Area 1 Security has attributed the infiltration to the Chinese government, specifically the Strategic Support Force (SSF) of the People's Liberation Army (PLA).

An online cybersecurity team was established by the PLA in 2011, but it was not until 2015 that China explicitly admitted to the unit's existence.

An assessment of Chinese military capabilities conducted by the US Department of Defense (DoD) suggested that the country "saw cyber operations as a low-cost deterrent that can demonstrate capabilities and challenge an adversary."

Deterrent it may be, but China has been accused of being behind a range of cyber assaults for years. The US has charged a number of hackers for allegedly belonging to the PLA and conducting cyberattacks of political interest on the unit's behalf.

Despite an agreement forged between the US and China in 2015, US government officials warned this year that Chinese hacking activity has increased. Chinese officials have always denied such allegations.

The researchers say that the threat actors responsible were able to compromise the network via a successful phishing campaign. However, the team also claims that the attack is part of a larger scheme which has also targeted the United Nations and the American Federation of Labor and Congress of Industrial Organizations (AFL-CIO).

In total, roughly 100 organizations are believed to have been targeted by the PLA through this campaign.

Initial access was gained after phishing attempts successfully obtained credentials belonging to network administrators and senior members of staff. The stolen credentials were then used to implant malware on the network, designed to create a backdoor and establish a channel to a command-and-control (C2) infrastructure for data exfiltration.

In one case of infection, the Remote Access Trojan (RAT) PlugX was used. This malware is able to log keystrokes, capture the screen, create and delete registry entries, control processes, start services, and launch remote shells.

A number of the stolen diplomatic cables have since been leaked and published. The ongoing trade war between the US and China is mentioned, with US President Trump being deemed a "bully" and the Chinese president, Xi Jinping, quoted as saying that the country would not submit, "even if a trade war hurt everybody."

The EU's secretariat said in response to the leak that the EU was "aware of allegations regarding a potential leak of sensitive information" and that the issue is being investigated.

"Because the cybersecurity doom narrative has become so embellished, we've lost our nerve to take action to prevent future damages," Area 1 Security says. "Around the world cyber campaigns are evolving to be an essential tool for waging war, disrupting trade, stealing property, and conducting espionage with limited resources or repercussions."

"Our democracy remains susceptible to cybersecurity attacks; our computing infrastructure is permeated with deep vulnerabilities; major corporations entrusted with the safeguarding of information continue to be compromised and we as individuals have adopted a laissez-faire attitude towards the whole thing," the firm added.