Malaysian investigators 'hacked' for confidential MH370 records

Around 30 computers at Malaysian law enforcement agencies looking into the disappearance of the MH370 airplane have reportedly been hacked, with perpetrators making off with confidential data on the aircraft.

APT attacks use 'news of doomed flight MH370'
APT attacks use 'news of doomed flight MH370'

Asia News Network today reports that the computers of ‘high-ranking officials' in agencies involved in the MH370 investigation were hacked with classified information stolen.

This information was apparently pilfered from approximately 30 computers at Malaysia's Department of Civil Aviation, the National Security Council and MAS, and was being sent to a computer in China before CyberSecurity Malaysia – the Ministry of Science, Technology and Innovation agency – intervened to shut down the infected machines and stop transmissions at the internet service provider (ISP).

The point-of-entry for the attack appears to be a spear phishing attack, with a malicious executable file (made to look like a PDF) included as a link. On clicking on this attachment, the user's machine would be infected with malware, allowing the hacker to gain access to their PC and send stolen information back to an IP address in China.

The email, entitled ‘Over the South China Sea' and dated on March  9 – just one day after the aircraft went missing, contained ‘sophisticated' malware that was disguised as a news article reporting on the missing Boeing 777, which was lost one-hour after take-off from Kuala Lumpur and with 239 people on-board.

"We received reports from the administration of the agencies telling us that their network was congested with email going out of their servers," said CyberSecurity Malaysia chief executive Dr Amirudin Abdul Wahab.

"Those email contained confidential data from the officials' computers including the minutes of meetings and classified documents. Some of these were related to the MH370 investigation."

Responding to the news, Simon Eappariello, SVP for EMEA at security vendor iBoss Network Security, told SCMagazineUK.com that the attack looks like an advanced persistent threat (APT).

"The Malaysian Airlines MH370 investigation email hack was APT class so it's unsurprising that it went undetected by anti-virus and other legacy signature-based security layers,” he said by email. 

“This particular piece of malware was quadrophonic in its disguise: it displayed Spear Fishing characteristics because it attacked just one organisation; was covertly crafted as the payload had not been used in the wild before; was written to search and then exfiltrate data bypassing traditional security layers that are not monitoring all ports; and was in all likelihood being controlled by a central command and control server and downloading additional programmes to aid its attack. 

He added: “To prevent these kinds of sophisticated attacks from prevailing, a new security technique that profiles the behaviour of networks is needed - one that defines normal server behaviour and looks at what is suspicious to prevent data from being siphoned out of big data sets.”

Brian Honan, founder and consultant at BH Consulting, told SC that it doesn't have ‘the hallmarks of a sophisticated attack as the methods used are quite common amongst criminals and activists.'

“We have no details on the malware used only that it was not detected by the anti-virus software installed on the targeted machines.  Without knowing what anti-virus software was being used, how up to date it was, or having details on the malware itself it is difficult to judge how sophisticated the malware was,” he said.

“What indicates to me though that this was not a sophisticated attack was the detection of the attack by the volume of emails sending out the data. A sophisticated attacker would ensure the exfiltration of data would be much more difficult to detect.”

Questioned on the possibility of state-involvement, with officials citing a Chinese IP address, he said it would be hard to gauge: “That's the problem, without more information we are only speculating. I would expect a state sponsored attack to be more subtle and not be detected so easily.”