Chinese hackers have been using files relating to diplomacy and human rights as ruses to steal data from UK and European systems (Picture: Getty/Check Point)
A sophisticated Chinese cyber-attack aimed at stealing UK and European foreign policy data has been tracked by investigators monitoring a global online battlefield.
The ‘extremely targeted’ SmugX campaign is designed to harvest sensitive information from government foreign ministries and diplomats.
One of the baits — known as a ‘lure’ — designed to dupe targets is a news story about China jailing two human rights lawyers for ‘subversion’.
The likely state-sponsored campaign uses HTML smuggling, where ‘malicious payloads’ are typically hidden inside seemingly innocuous documents and web pages.
The attack has been identified as part of a wider shift by Chinese hackers to steal foreign policy data from government IT systems in the UK and Europe.
SmugX has been active since at least December 2022 but has been part of the escalated China-originated attacks over the last three months.
The graphic shows how France, Hungary, Sweden, the Czech Republic, Slovakia and Ukraine have also been targeted, with foreign ministries and embassies in the hackers’ sights.
The campaign by a Chinese threat actor has been dissected by Check Point Software, a US-Israeli cyber-security company.
The news agency report about the human rights lawyers being jailed was found by the researchers to have been aimed specifically at UK targets as a form of Trojan horse aimed at gaining access to their data.
Sergey Shykevich, threat group manager at Check Point Software, told Metro.co.uk that the evidence strongly suggests foreign policy was targeted.
‘This attack wasn’t widespread, but extremely targeted and sent only to specific targets that the campaign operators wanted to infect with malware,’ he said. ‘We assess that the information being sought was mostly sensitive information on foreign policy of the targeted countries.
‘Based on previous publications about this group, the operators are most likely related to the Chinese government.’
The hackers also used a letter originating from the Serbian embassy in Budapest, a Swedish document relating to the country’s presidency of the Council of the EU and an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs as lures.
A map shows how the UK and Europe have been targeted by the China-originated SmugX attack (Picture: Check Point/checkpoint.com)
Once an unsuspecting user opens one of the HTML documents, it automatically triggers the download of a JavaScript or ZIP file, and when the target clicks on this it activates an infection chain.
Researchers at Check Point examining another infected document about China trying to block a prominent Uyghur speaker at the UN also identified a single pixel image which was acting as a reconnaissance tool.
The pixel-tracking technique gives hackers information about the target’s IP address and other details about their web use.
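As an added illustration of how a defender might triage documents of this kind (this is example code written for this page, not Check Point’s tooling or anything from the SmugX report), the script below scans an HTML file for the two behaviours described above: a browser-side Blob download with a large base64 literal embedded in the page, and a tiny or hidden remote image that can act as a tracking pixel. The sample pages, the `tracker.example` and `cdn.example` hostnames and the inert payload bytes are all constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser

# Static indicators of HTML smuggling: the file is assembled in the browser from
# an embedded (usually base64) literal, wrapped in a Blob, and pushed to the user
# as a download without the file ever being requested from a server.
BLOB_RE = re.compile(r"new\s+Blob\s*\(", re.I)
OBJURL_RE = re.compile(r"createObjectURL\s*\(", re.I)
DOWNLOAD_RE = re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I)
AUTOCLICK_RE = re.compile(r"\.click\s*\(\s*\)", re.I)
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip"}  # only ZIP is recognised in this example


class _PixelFinder(HTMLParser):
    """Collect <img> tags with a remote src that are 1x1, 0x0 or hidden via CSS."""

    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        tiny = a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if src.startswith(("http://", "https://")) and (tiny or hidden):
            self.pixels.append(src)


def find_tracking_pixels(html: str) -> list:
    finder = _PixelFinder()
    finder.feed(html)
    return finder.pixels


def find_embedded_payloads(html: str) -> list:
    """Decode every large base64 literal and report its size and file type (by magic bytes)."""
    found = []
    for match in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue
        kind = "unknown"
        for magic, name in ARCHIVE_MAGIC.items():
            if raw.startswith(magic):
                kind = name
        found.append({"bytes": len(raw), "kind": kind})
    return found


def scan_html(html: str) -> dict:
    """Return the individual indicators plus a simple additive score and verdict."""
    findings = {
        "blob_download": bool(BLOB_RE.search(html) and OBJURL_RE.search(html) and DOWNLOAD_RE.search(html)),
        "auto_click": bool(AUTOCLICK_RE.search(html)),
        "payloads": find_embedded_payloads(html),
        "tracking_pixels": find_tracking_pixels(html),
    }
    score = 0
    if findings["blob_download"]:
        score += 2
    if findings["auto_click"]:
        score += 1
    if any(p["kind"] == "zip" or p["bytes"] > 1024 for p in findings["payloads"]):
        score += 2
    if findings["tracking_pixels"]:
        score += 1
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "benign"
    return findings


# Constructed sample: an inert 204-byte blob that merely starts with the ZIP magic
# bytes, embedded in a page that mimics the smuggling pattern plus a tracking pixel.
_PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + b"A" * 200).decode("ascii")
SAMPLE_SMUGGLING_HTML = f"""<html><body>
<p>Document loading...</p>
<img src="https://tracker.example/p.gif" width="1" height="1">
<script>
  var data = "{_PAYLOAD_B64}";
  var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
  var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'document.zip';
  a.click();
</script>
</body></html>"""

# Constructed benign page for comparison: a normal-sized remote logo and no script.
SAMPLE_BENIGN_HTML = """<html><body>
<img src="https://cdn.example/logo.png" width="120" height="40">
<p>Agenda for the conference is attached separately.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("smuggling", SAMPLE_SMUGGLING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, scan_html(page))
```

Run it as a script to see both verdicts. The scoring is deliberately crude; in practice the decoded payload would be handed to a sandbox or file-type scanner, and the pixel check would be matched against a list of known infrastructure rather than treated as suspicious on its own.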
While SmugX utilises existing techniques, the specific campaign is thought to have hitherto had a low detection rate.
The operation falls within a global cyber battlefield shown by Check Point in a live, real-time map tracking attacks in progress across the world.
The dashboard was used at the Midland Fraud Forum’s annual conference in Birmingham last month as part of a talk informing the audience about online threats and ways to prevent them.
One of the ‘lures’ used in the SmugX campaign aimed at delivering a payload onto targets’ computers (Picture: Check Point/checkpoint.com)
SmugX, which has been linked to earlier attacks known as RedDelta and Mustang Panda, falls within an emerging picture of China targeting Western nations with a massive array of online and offline spying operations.
It’s unclear how successful the hackers have been but according to Check Point the tool had been ‘under the radar’ until early 2023.
The Intelligence and Security Committee, parliament’s intelligence watchdog, said on Thursday that Beijing’s state intelligence apparatus was ‘prolifically and aggressively’ targeting the UK.
Committee chair Sir Julian Lewis MP warned that an ‘increasingly sophisticated cyber-espionage operation’ was part of wide-ranging espionage activities operated by China.
Sergey Shykevich has been involved in tracking cyber attacks emanating from China (Picture: Check Point/checkpoint.com)
Check Point has been detecting and monitoring threats across the cyber realm using intelligence from a sophisticated artificial intelligence-powered system called ThreatCloud AI. The tool, regarded as the ‘brain’ of the operation, is able to make 21 billion security decisions daily on whether a link or file is malicious and should be blocked to protect a user.
The multinational company, which is headquartered in Tel Aviv, says it also has 150 ‘elite’ researchers and security engineers investigating the latest attacks to uncover new threats and enrich ThreatCloud.
‘The tracking is done on several levels, relating to different ways the malware operates, as well as specific indicators and file types the malware is using,’ Mr Shykevich said.
Cyber attackers are operating in a global battlefield with the lines between civilian and military actors increasingly being blurred (Picture: Getty)
‘When we identify an initial hint to a new campaign, our goal is to build a full picture of how the malware operates, how the infection is carried out, what the attacker’s goals are and who the attacker is.’
Suspected Chinese espionage activities carried out in the UK include the case of a tracking device capable of transmitting location data being discovered inside a UK government car used to carry diplomats and senior officials. At least one SIM card was discovered during a security sweep of the vehicle, which had been imported from China, according to a report in 2023.
Earlier this week, Beijing denied a Microsoft report that a hacking group based in the country had gained access to email accounts linked to 25 organisations, including Western government agencies.
Wang Wenbin, a Chinese foreign ministry spokesman, said the report was ‘disinformation’ aimed at diverting attention from US cyber-espionage aimed at the Far East country.
Responding to the parliamentary committee, Rishi Sunak highlighted measures to tighten Britain’s counter-espionage laws, including through the National Security Act, which became law on Tuesday.
As the laws came into force, MI5 director general Ken McCallum said: ‘We face state adversaries who operate at scale and who are not squeamish about the tactics they deploy to target people and businesses in the UK.
‘The National Security Act is a game-changing update to our powers.
‘We now have a modern set of laws to tackle today’s threats.’
The SmugX attack used a news story about human rights in China as a ruse to try and trick British targets.