Updated 6/5/2013 1:49:32 PM ET

Moscow-based Kaspersky Lab, famous for discovering sophisticated spyware linked to the U.S. government, has revealed a large, long-lasting cyberespionage campaign that seems to come from China.

Called "NetTraveler," the malware behind it all dates back to "as early as 2004," though most of its activity has been in the past three years, the Kaspersky Global Research and Analysis Team said in a report released today (June 4).

The Kaspersky report never explicitly states that NetTraveler is a product of the Chinese government, or even originates in China.

But its targets — diplomatic, governmental and military institutions, as well as the aerospace and infrastructure industries, of 40 countries — match those of previously revealed "advanced persistent threat" campaigns assumed to have the backing of Beijing.

"Based on collected intelligence, we estimate the [controlling] group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language," the report states.

The most highly targeted countries all share land borders with China — Mongolia, Russia, India, Kazakhstan and Kyrgyzstan.

"The NetTraveler group's main domains of interest for cyberespionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications," said the report.

Western companies in almost all those categories have been targeted by Chinese hackers, with crippling results for some renewable-energy and telecommunications firms.


The method of infection is also familiar to anyone who's studied Chinese cyberespionage.

"NetTraveler victims get infected through spear-phishing attacks using Office documents which exploit two publicly known vulnerabilities," the report stated. "Although these vulnerabilities have been patched by Microsoft, they remain effective and are among the most exploited in targeted attacks."

Subject lines of some of the spear-phishing emails were targeted at Indian officials and Tibetan dissidents.

They included "His Holiness the Dalai Lama's visit to Switzerland Day 4," "Army Cyber Security Policy 2013" and "BJP won't dump Modi for Nitish NDA headed for split," referring to prominent Indian politicians.

Once inside a computer, the NetTraveler malware copies and sends Word, Excel, PowerPoint, PDF and AutoCAD files to more than 100 command-and-control servers, most of which are in the United States, China and Hong Kong.

However, the methods used by NetTraveler and its controllers were not terribly sophisticated, especially when compared with previous Kaspersky spyware discoveries such as Flame or Gauss. But perhaps they didn't need to be.

"We did not see any advanced use of zero-day vulnerabilities or other malware techniques such as rootkits," the report said. "It is therefore surprising to observe that such unsophisticated attacks can still be successful with high-profile targets."

Follow Paul Wagenseil @snd_wagenseil. Follow us @TechNewsDaily, on Facebook or on Google+.

© 2012 TechNewsDaily

