Our counterintelligence briefings warn of the risk from hostile intelligence services attempting to obtain the classified and unclassified information from those within the nation’s National Industrial Security Program (NISP) – for good reason. Adversaries are using malware and other techniques to set a hook within our infrastructure for long term exploitation.
Security researchers at Fireeye recently discovered a dedicated and determined effort to specifically target the defense industries in the United States and Korea. The adversaries (not identified with certainty, but given the target, one might jump to the conclusion it’s China, North Korea or Russia), used email as their entry point and counted on the recipient exercising poor cyber hygiene and opening an attachment.
The attack uses “FormBook.” According to FireEye “FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.” The attachments were mainly PDF (with downloadable links) and DOC and XLS files with malicious macros, as well as archive files (ZIP, RAR, ACE, and ISO) containing executable (EXE) payloads. All of which are initiated when the recipient “clicks” to open the attachment.
Once on the user’s device, any keystrokes, clipboard saves, login passwords or the like are compromised. You might as well kiss them goodbye.
What do these emails look like?
The FireEye researchers show a “DHL Delivery Update” used to compromise a target, by asking the user to print out the label or receipt to pick up the package. The researchers were able to review the url shortener links and noted that for PDF’s more than 700 individuals around the world opened the attachment and 71% of those were in the United States.
There is a concerted effort from within China to compromise the infrastructure of many nations. And while attribution to these FormBook attacks has not been determined to be China, it fits within the footprint of activity which has been documented by western governments from Germany, UK, US, and Australia.
Activities targeting the United States show they are using both cyber and HUMINT operations as their collection vehicles.
The unsurprising news? China is having great success.
It’s simple. If you aren’t expecting a package or a spreadsheet from your accountant, please don’t click on any email attachment, and if you are, please contact the entity directly and DO NOT EVER download an attachment without inspecting it first and being assured it is authentic.