The tactics were “unremarkable” but the results were extraordinary.
Chinese government hackers using basic phishing methods were able to infiltrate the European Union’s communication network, possibly for years, according to a Dec. 19 report by Area 1, a cybersecurity firm that specializes in anti-phishing activity.
Information about the alleged hack comes as the European Union and other organizations have warned about the danger of spearphishing tactics.
The cyberattack was part of a broader hacking campaign by the Chinese government against the United Nations and the AFL-CIO, one of the United States' largest unions, according to the firm.
“Very little about cyberattacks is cutting-edge computer science,” the report said, concluding that “there is a high level of creativity in the diverse phishing lures used to gain access” to a victim's network.
An email to the Chinese embassy in Washington D.C. was not returned.
The New York Times first reported on Area 1’s findings, and the cybersecurity firm provided the newspaper with over 1,000 stolen cables from the European Union, which raised concern among experts.
According to a timeline laid out by the firm, the hackers used a simple plan to hack into governments, trade unions and think tanks.
Initial access was gained through phishing attacks against network administrators and other senior staff members to steal their usernames and passwords.
Phishing attacks are among the most popular methods of entry for hackers and account for 41 percent of all digital fraud cases, according to an August report from the cybersecurity company RSA.
The European Union has advocated for the use of machine learning to prevent phishing attempts, a tactic the group’s leaders said they expect to rise in popularity in the coming years.
“More than 80% of cyber attacks and over 70% of those from nation states are initiated by exploiting humans rather than computer or network security flaws,” according to a fact sheet from the Defense Advanced Research Projects Agency. A DARPA project experiments with using automated learning to warn users of phishing attempts.
“The fundamental weakness of cyber systems are humans,” the project’s description read.
In the case of the Chinese campaign, the hackers, armed with credentials stolen through phishing, created a backdoor inside the system to help them map the network architecture.
“Once initial access to a machine is established, the attacker determines what other machines can be connected to, what data is available on those machines, and then rinses and repeats,” the report said.
When files were ready to be removed from the network, they were sent to commercial cloud services such as Google Drive using publicly available tools. Google Drive was just one of the publicly available services that the hackers utilized during the breach, Area 1 said.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.