Spear-Phishing Operation Targets Senior US Officials

Tuesday, August 16, 2011



According to an article in ComputerWorld, a security researcher has documented what is the latest in a long campaign of Gmail spear-phishing operations aimed at senior U.S. government officials that have been traced to China.

The bogus emails are designed to appear as distribution of a real report from from the Center for a New American Security (CNAS) which is titled, "Blinded: The Decline of U.S. Earth Monitoring Capabilities and its Consequences for National Security".

"Victims get a message from an address of a close associate or a collaborating organization/agency, which is spoofed. The message is crafted to look like a subscription form offering to enter Gmail credentials to activate it," said Mila Parkour, an independent security researcher who has been studying the operation.

Once the target has entered their login credentials, the information is immediately sent to the attackers, who quickly access the account to harvest potentially sensitive information.

"The password thieves did not delay and logged in less than two hours after the compromise," Parkour noted.

The spear-phishing emails have been traced to servers in Taiwan which have been used for malicious activity in the past, and Parkour discovered that the stolen login credentials are being sent to the attackers via servers in Texas.

"Google are aware of this, [but] there is not much they can do to prevent these from coming in," said Parkour, who advises everyone who uses the Gmail service to activate the two-factor authentication option.

In early June of this year, Google claimed to have disrupted an email hijacking campaign aimed at monitoring the communications of senior U.S. officials, military personnel, journalists, Chinese political activists, and officials in several Asian countries using similarly stolen account login credentials.

While Chinese officials had released statements indicating that any assertion that the Chinese government was involved with the operation is a "fabrication out of thin air," the U.S. government took the allegations quite seriously, and reports indicated that the FBI, DHS and NSA all joined in the investigation.

U.S. Secretary of State Hillary Clinton at the time commented that, "we are obviously very concerned about Google's announcement regarding a campaign that the company believes originated in China to collect the passwords of Google email account holders."

Similar attempts to infiltrate government systems came to light in February of this year when it was discovered that a series of emails were sent in 2009 to five State Department officials requesting comment on climate change issues.

The emails were spoofed to appear to have originated from The National Journal’s editor and columnist Bruce Stokes, and were titled "China and Climate Change”.

At the time, the State Department officials who were targeted were engaged in sensitive negotiations with the Chinese government on greenhouse-gas emissions. The emails contained attachments infested with malware that would have allowed the attackers access to the recipient's computers by way of a backdoor.

Parkour said that even in the wake of media coverage and admonitions from the U.S. government, the attackers obviously remain undaunted, as the latest operation reveals.

"Once compromises happen and are covered in the news, they do not disappear and attackers don't give up or stop. They continue their business as usual," Parkour told ComputerWorld.

"Attackers... continue their efforts with a very slight modifications to the original themes.".

Possibly Related Articles:
Google Passwords Gmail China Government Attacks Headlines Espionage spear-phishing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.