FireEye [FEYE] found two cyber groups linked to China’s military and intelligence agencies have recently launched attacks on South Korea’s government after South Korea said it would deploy the THAAD missile defense system, according to a report in the Wall Street Journal Friday.
FireEye’s director of cyberespionage analysis, John Hultquist, told the publication that normal Chinese hacking of South Korean targets increased in number and intensity in recent weeks after the South Korean government said it would deploy the Terminal High Altitude Area Defense (THAAD). The U.S. military is in the process of fielding a THAAD battery with South Korea in response to North Korea’s missile and nuclear weapons developments (Defense Daily, April 17).
The attacks are reportedly aimed at South Korea’s government, military, defense companies, and a large conglomerate but FireEye would not name the specific targets. South Korean agencies are clients of the company.
One of the two groups, called Tonto Team by FireEye, is connected to China’s military and operates out of Shenyang in the country’s northeast. Shenyang has several North Korean businesses and reportedly is a center for that country’s hackers. The company believes the other hacker group, called APT (Advanced Persistent Threat) 10, may be linked to other Chinese intelligence or military units, according to the report.
Hultquist said the hackers gained access to target systems using web-based intrusions and by tempting personnel to click on malicious email attachments or compromised websites, a tactic known as phishing. He also said that an error in one of the hacker group’s operational security provided FireEye analysts with new information about their origins.
Last month South Korea’s Ministry of Foreign Affairs said in a press briefing it was the target of several distributed denial-of-service (DDoS) cyber attacks following the deployment of THAAD, according to South Korea’s state-funded Yonhap News Agency.
“Several on-and-off DDoS attack attempts originating from China have taken place on websites including that of the Ministry of Foreign Affairs,” spokesman Cho June-hyuck said March 28. He noted the government took defensive action and no sustained damage took place.
“Our government pays attention to the Chinese government’s expression of its consistent stance that it opposes any kind of cyberattack. The government is expecting that [China] will continuously take responsible steps in accordance with the stance,” the spokesman added.
The report also said Russia’s Kaspersky Lab observed a wave of attacks on South Korean targets starting in February using malicious software that seems to have been developed by Chinese speakers.
The two hacking groups were reportedly joined by independent pro-Chinese hackers, known as hacktivists, using names like the Panda Intelligence Bureau and Denounce Lotte Group. South Korea’s Lotte Group has been a target for Chinese ire after it approved a land swap allowing the THAAD battery to be deployed on a company golf course.
Earlier this month FireEye published a blog post about APT 10’s recent activities which itself came after a joint blog post by Britain’s BAE Systems and PricewaterhouseCoopers (PwC) on the same topic. FireEye highlighted that APT 10 is a threat to international organizations and that “their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack.”
FireEye said APT 10 operations may slow down following the BAE/PwC blog but that it still believes “they will return to their large-scale operations, potentially employing new tactics, techniques and procedures.”