China behind massive diplomatic cyberespionage campaign

The European Union’s diplomatic communications have been compromised by the Chinese Strategic Support Force (SSF) of the People's Liberation Army (PLA), resulting in thousands of diplomatic cables being intercepted, according to a new report.

The report, Phishing Diplomacy, conducted by Area 1, identifies more than 100 organizations targeted by the Chinese government. The initial stage of the cyber espionage campaign was noted in 2015, when the company found technical artifacts related to a campaign directed against various EU ministries of finance, foreign affairs and other groups.

In 2018, Area 1 observed that the SSF had gained access to the critical computer network of the Ministry of Foreign Affairs of Cyprus, a communications network called COREU that is used by the European Union to facilitate cooperation on foreign policy matters.

“This network, known as COREU, operates between the 28 EU countries, the Council of the European Union, the European External Action Service, and the European Commission. It is a crucial instrument in the EU system of foreign policymaking,” the report states.

Initial access to the network was gained using a phishing attack against network admins and senior staff to steal their login credentials. With these, the attackers gained direct access to COREU, and used their high-level privileges to install backdoors and establish a connection to the Chinese command and control server.

Once established inside the network, the malware would conduct a recon mission, cataloging and mapping the system, identifying desired data and then preparing it for exfiltration. The attackers also took specific steps to maintain persistence and avoid detection.

“In some instances, we observed SSF splitting large files into smaller parts using the -v command option. The intent is to spread the volume of data taken at a given time to avoid anomaly detection and large network spikes of outbound data volumes,” the report said.

Once prepared, the data would then be moved to public cloud services using a publicly available tool.

The report does not detail the specific data points that were stolen, but it doescontain a list of the various EU Council working bodies whose cables were intercepted. These included:

  • Criminal Appeal Court
  • Foreign Affairs Ministers
  • United Nations
  • Consular Affairs
  • Non-proliferation
  • Security
  • European Council
  • Human Rights

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.