FireEye Finds Chinese APT Group Attacked Hong Kong Media Outlets


FireEyeFireEye has released the results of its research into a recent campaign carried out by a Chinese cyber threat group – referred to as “admin@338” – targeting Hong Kong-based media organizations.


“Screenshots of spear phishing emails admin@338 sent to journalists”

In August, the group sent spear phishing emails about newsworthy developments with malicious attachments to Hong Kong-based media organizations, including newspapers, radio, and television outlets. One email referenced the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. Another email referenced a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.

The group employed malware called LOWBALL which abuses Dropbox, a legitimate cloud storage service, for command and control purposes. When FireEye researchers alerted Dropbox to the group’s activities, Dropbox promptly blocked the access token used by LOWBALL. In doing so, Dropbox disrupted the group’s command and control capabilities in all observed versions of the malware.

FireEye has observed targeted attacks by multiple Chinese threat groups on journalists at international and domestic media organizations in Asia. These attacks have often focused on Hong Kong-based media, particularly those that publish pro-democracy material. Journalists located in Taiwan, Southeast Asia, and elsewhere in the region have also been targeted.

“Journalists in Asia are routinely subject to these targeted cyber attacks. They are dependent on information from many different sources, which makes them easy to target. The information journalists have and the identity of their sources can be valuable intelligence. Without adequate technological defenses, they make easy victims,” said Bryce Boland, chief technology officer for Asia Pacific at FireEye.

FireEye has tracked admin@338’s activity since 2013. The group has largely targeted organizations involved in financial, economic, and trade policy. FireEye first observed the group targeting media outlets in April 2015.

The group’s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the Traditional Chinese script commonly used in Hong Kong.

In April, FireEye released a report on APT30, a Chinese-linked group which waged a decade-long cyber espionage campaign on Southeast Asia and India. APT30 also targeted journalists, but FireEye has not observed any direct links between that group and admin@338.

Find additional details in a post from FireEye Threat Intelligence:

About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 4,000 customers across 67 countries, including 650 of the Forbes Global 2000.