Hong Kong journalists and activist groups were targeted by Chinese hackers, according to information from FireEye. This attack is part of a new trend where hackers go through social networking and cloud storage devices to foil detection efforts. There is some speculation in the media that it may have happened on a government level, possibly with the Chinese government involved.
FireEye released details about the attack earlier this week stating it was a uncategorised as an advanced persistent threat which analysts identified as having initially used a spear-phishing campaign. At this point it is unclear who is responsible for the attacks although it is speculated that it was a group identified as admin@338. The group used email messages with a 'Lowball file'.
Once the Lowball file has been downloaded it will execute a command to download two other files. One of these files act as a program to execute commands sent to the compromised device, while the other receives the commands and relays them to the main program. These files act as a basic remote access trojan which allow for the group to get information and scout out the device. If a device is deemed valuable another program, called bubblewrap, is installed to their Dropbox account, which allows the group to gain almost complete control of the system and starts running during the boot process.
This same program has been used by admin@338 before and can be traced to an IP address previously linked to it, although the address had not been used for some time. Previous links to this group have been mainly attributed to financial, economic and trade policy. It appears that it has recently moved to targeting Hong Kong media companies, possibly in response to new political unrest. The group seems to be mainly using publicly available RATs such as Poison Ivy.
It is believed this group is possibly linked to the Chinese government although no official ties have been made. There is strong evidence to suggest this due to the fact that the attack coincided with the Chinese government labeling pro-democracy movements as a criminal offence. Also the attacks seem to have targeted organisations with precisely the information Beijing would most likely seek to monitor. The Chinese government has also been faced with protests in Hong Kong, which it may be looking to monitor and tackle before they unravel.
After this breach in security was reported FireEye and Dropbox worked together and have since introduced countermeasures into their system. However it is possible that there are multiple versions of this software and FireEye believes there may be a second attack at some point soon. Although Dropbox may have been the target, Nick Rossman,threat intel manager at FireEye stated: “We don't believe that people or companies should be wary of using Dropbox or other open cloud services. In this instance, we have not observed Dropbox itself being compromised; the threat actors were using Dropbox as other “legitimate” users would.”
However, Nick Rossman makes the point that although Dropbox may be safe, the threat of using a cloud service like Dropbox is very real and companies should be aware of it. He notes that it its very common for people to use a service like Dropbox and companies should take relevant precautions to make it harder for hackers to access them in this way - especially as it allows them to hide very easily in the background and not get discovered.