Targeted Malware Attack on Foreign Correspondents based in China



There’s a new Infowar Monitor blog post by Greg and me on the targeted malware attack on foreign correspondents based in China. The case is interesting to me because of the connections to other attacks that have been investigated by others, including Maarten Van Horenbeeck, F-Secure, ThreatExpert, and us in the past.

For me, it illustrates that we need to share information about these attacks rather than keep it all to ourselves. If incidents are treated as isolated cases, the bigger picture and broader implications can’t be well understood. It is important to recognize that the same attackers are targeting a wide variety of organizations — not just yours :). The flip side is that the attackers become aware of what we know about them, and it may blow surveillance. But at this point I think it is more important to understand the broader pattern and significance of the attacks. Moreover, it is important to understand the motivations behind the attacks, and at this point the best way of doing that is looking at the targets of the attackers and fitting them into a broader contextual analysis.

Anyway, I just want to say thanks to Van Horenbeeck, F-Secure (Mikko), and ThreatExpert.

One comment.

  1. I agree, Nart. At this point the sharing of information on methodologies and tools is more important than the risk of burning a particular operation. The lack of security around the control servers that you and others have found indicates poor tradecraft, and I would postulate that these are either amateur operations or sacrificial operations. How would future research into these activities be conducted if one assumed that there are more clandestine operations that actually incorporate good tradecraft? I am thinking infiltration.