* Czech Republic, Ireland, Portugal, Romania among targets
* Hackers infiltrated machines with infected PDF documents
* Researcher sees state involvement; others skeptical
By Jim Finkle
SAN FRANCISCO, Feb 27 Hackers targeted dozens of
computer systems at government agencies across Europe through a
flaw in Adobe Systems Inc's software, security
researchers said on Wednesday, while NATO said it too had been
attacked.
The alliance said its systems had not been compromised,
although it was sharing the details of the attack with NATO
member states and remained vigilant. Security experts say
governments and organizations such as NATO are attacked on a
daily basis - although the sophistication varies wildly.
These particular attacks appeared both widespread and
innovative, the private computer security firms announcing the
discovery said, with one expert saying he believed a
nation-state might be responsible.
Russia's Kaspersky Lab and Hungary's Laboratory of
Cryptography and System Security, or CrySyS, said the targets of
the campaign included government computers in the Czech
Republic, Ireland, Portugal and Romania.
They also said a think tank, a research institute and a
healthcare provider in the United States, a prominent research
institute in Hungary and other entities in Belgium and Ukraine
were among those targeted by the malicious software, which they
have dubbed "MiniDuke".
The researchers suspect MiniDuke was designed for espionage,
but were still trying to figure out the attack's ultimate goal.
"This is a unique, fresh and very different type of attack,"
said Kurt Baumgartner, a senior security researcher with
Kaspersky Lab. "The technical indicators show this is a new type
of threat actor that hasn't been reported on before."
He said he would not speculate on who the hackers might be.
The malware exploited a recently identified security flaw in
Adobe's software. Adobe said a software patch issued last week
should protect users from "MiniDuke", provided they had
downloaded and installed it.
Boldizsár Bencsáth, a cyber security expert who runs the
malware research team at CrySyS, told Reuters that he had
reported the incident to NATO, although it was not clear if that
was what first alerted the alliance.
Bencsáth said he believed a nation-state was behind the
attack because of the level of sophistication and the identity
of the targets, adding that it was difficult to identify which
country was involved.
Exactly how serious the attacks were was not immediately
clear, nor who exactly the targets were or at what level
European governments were alerted.
The Czech counterintelligence agency BIS said it was not
aware of any massive hacking attacks on Czech institutions from
abroad recently. The Czech National Security Bureau, responsible
for government data, was not immediately available for comment.
Neither were officials from the other states said to be affected.
A NATO official in Brussels had earlier said the alliance
was not directly hit, but he said later that he had been
incorrect. He gave no further details.
The researchers, who declined to further elaborate on the
targets' identities, released their findings as more than 20,000
security professionals gathered in San Francisco for the annual
RSA conference.
USING ADOBE, TWITTER, GOOGLE
MiniDuke attacked by exploiting recently discovered security
bugs in Adobe's Reader and Acrobat software, according to the
researchers. The attackers sent their targets PDF documents
tainted with malware, an approach that hackers have long used to
infect personal computers.
The bugs were first identified two weeks ago by Silicon
Valley security firm FireEye. The firm reported that hackers
were infecting machines by circulating PDFs tainted with
malicious software.
The MiniDuke operators used an unusual approach to
communicate with infected machines, according to the
researchers. The virus was programmed to search for Tweets from
specific Twitter accounts that contained instructions for
controlling those personal computers. In cases where they could
not access those Tweets, the virus ran Google searches to
receive its marching orders.
Officials with Twitter and Google could not
immediately be reached.
Bencsáth said he believed the attackers installed "back
doors" at dozens of organizations that would enable them to view
information on those systems, then siphon off data they found
interesting.
He said researchers had yet to uncover evidence that the
operation had moved to the stage where operators had begun to
exfiltrate data from their victims.
Privately, many Western government and private sector
computer experts say China is the clear leader when it comes to
state-sponsored cyber attacks to steal information - although
they rarely say so publicly and Beijing angrily denies it.
According to cybersecurity expert Alexander Klimburg at the
Austrian Institute for International Affairs, however, the
closest attack to this in style was a Trojan dubbed "TinBa"
identified two months ago and used for banking fraud attacks.
That was suspected to have been built by Russian hackers, he
said, talking down the prospect of state involvement.
"There are some interesting aspects to the attacks," said
Klimburg, pointing to the use of Twitter. "(But) most of the
attack does not seem that new at all. Some of the... 'tricks',
such as using pictures to hide data, are more reminiscent of
proficient students rather than government agencies."