A group of hackers has managed to breach both the European Union and the United Nations with the help of email-based phishing attacks, a security firm warned on Wednesday.
The hackers appear to be linked to the Chinese military, and have been stealing thousands of diplomatic cables from the EU's communication network, according to new research from Area 1, a cybersecurity firm that specializes in anti-phishing tools.
Area 1 has been investigating the attacks on the EU since last month, and managed to observe the hackers pilfering the diplomatic cables over the internet. The security firm was even able to pull copies of the stolen cables, which it then supplied to The New York Times for publication.
Other organizations hit by the attacks include trade unions and think tanks. But to first breach their targets, the hackers have been relying on unsophisticated phishing emails, which have been designed to simply trick recipients into handing over their usernames and passwords, Area 1's CEO Oren Falkowitz told PCMag.
The hackers have been directing their phishing schemes on network administrators and senior staff within the target organizations. By stealing the login credentials, the culprits can then gain entry into the internal network. In addition, a malware connected to Chinese hacking groups has also been used in past attacks to help establish a persistent backdoor into the victimized networks.
To transfer the stolen files out, the attackers have used public cloud services such as Google Drive. Once the heist is completed, they'll then attempt to scrub all evidence that the breach ever took place.
The EU said it's now investigating the suspected breach, which Area 1 said occurred over the computer network to a government office in Cyprus. "Of course, we take any report on alleged hacking of EU communication systems extremely seriously," said European Commission vice president Valdis Dombrovskis during a press conference. "What is clear is that no institution or country is immune to this type of attack."
The United Nations, on the other hand, said it had "no information" about a possible cyber breach occurring over the organizations' networks. "When cyberattacks, and attempted intrusions occur they are generally only reported internally, and for most incidents the United Nations does not have sufficient information to conclusively attribute such attacks," a UN spokesperson said in an email.
Area 1's CEO told PCMag his company notified relevant authorities about the hacking campaign about a week ago. However, the company is facing some criticism from other cybersecurity experts over supplying copies of the stolen EU diplomatic cables to The New York Times. By making the cables public, Area 1 received additional press attention for uncovering the phishing attacks, but at the expense of the EU.
It is unbelievable and imho not acceptable and un-ethical. — Christiaan Beek (@ChristiaanBeek) December 19, 2018
A few security researchers have also expressed doubts the phishing attacks can be blamed on the Chinese military, pointing to a lack of evidence collected by Area 1. "The intrusion is a non-story," said Juan Andrés Guerrero-Saade, a security researcher at Alphabet's cybersecurity firm Chronicle, over Twitter.
"It appears that you're regurgitating narratives sold by companies or sources with vested interests," he added in another tweet directed at a New York Times journalist.
Area 1 is based in Silicon Valley and was founded by former officials with the US National Security Agency. In response to the criticism, Falkowitz said his company provided the diplomatic cables to The Times so that the publication could help the cybersecurity firm confirm their authenticity. The documents themselves contain information from European diplomats about their thoughts on President Trump and EU relations with Russia and China. But Falkowitz said the content in the diplomatic cables didn't reveal "anything the public didn't already know."
"We shouldn't keep blaming the people who are trying to help. It just gives a free pass to the real issue," he said, denying the company had done anything wrong. By publicizing the attacks, Area 1's CEO said he hopes organizations will do more to take phishing threats seriously when malicious emails remain the most popular way for hackers to carry out their attacks.
"We should not be resigning ourselves to being defeated all the time," he said.
Editor's Note: This story has been updated with more information about Area 1 and the criticism around its decision to release the EU diplomatic cables.