European Union’s COREU Network Hacked, Confidential Diplomatic Cables Stolen

Area 1 Security has publicly disclosed that cyber attacks against European Union’s diplomatic cables are happening for quite a while, allegedly by Chinese hackers who targeted the COREU network. A diplomatic cable, also known as diplomatic correspondence or embassy cable is a short message sent confidentially between the consulates/embassies or foreign dignitaries of two or more countries. These messages are treated with the highest level of classification with strong encryption and can only be unlocked by the receiving party.

“Our mission is to eliminate phishing. Through the course of our normal business, we often discover the origins and outcomes of cyber campaigns. The cybersecurity doom narrative has become so embellished that we have lost the nerve to take action. Cybersecurity needs an optimistic all-out assault on the problem, that starts by seeing cyber attacks for what they are, routine assembly line operations, neither extraordinary or insurmountable to defeat. Cyber campaigns continue to be the essential tool for waging war, influencing global trade, theft of intellectual property and financial assets, espionage and other geopolitical effects with minimal resources or repercussions,” explained Oren Falkowitz, Area 1 Security’s Chief Executive Officer.

Area 1 Security found indications that Beijing-sponsored hackers are behind the breached diplomatic cables, with the earliest copies were three years ago, in 2015. The COREU Network is EU’s link to the rest of twenty-eight European Union-member states. Three organs of the European Union are the main users of the mentioned network, the European Commission, the Council of the European Union and the European External Action Service.

“Our report is not the first to expose a specific cyber campaign, nor will it have a direct impact on deterring the actors responsible. But it does show three consistent facts about cyber campaigns that make them unremarkable. 1. Phishing remains the dominant method through which cyber actors gain access into computer networks 9 out of 10 times. 2. Cyber attacks are more assembly line than individual snowflakes. Very little about this or any other cyberattack is cutting edge computer science 3. Cyber actors continually use their imagination to find the weakest links in the digital chain, as we show here in attacking the MFA of Cyprus to gain access to the entire European Union diplomatic communications network. Our attribution of this campaign is based on extensive technical analysis and over a decade of experience countering Chinese cyber operations” added Blake Darche, Area 1 Security’s Chief Security Officer, who also was an ex-NSA officer.

COREU was penetrated from the outside using phishing attacks, this enables backdoor access to a low privilege account that grants basic capabilities to the threat actors. They then infected the system using malware named PlugX, opening more loopholes in the network. The attacks had a specific mission, to focus on what specific information is exchanged between the EU and their partners in the regions outside of Europe. Hackers use Steganography to ‘smuggle’ the information they stole from the network by deliberately compressing the stolen files in a zip file, adding a password to open protection and deliberately rename the zip files as a ‘.txt’ file. As a text file, it can be divided into different text files and sent it to the hackers through public cloud-storage infrastructure like Google Drive. This bypasses the intrusion prevention systems which usually monitors bulk sending of files.

“IT security remains a nightmare within the EU, not only because of the technical challenge of harmonizing 28 IT security systems but also because of the incentive countries have to leak confidential documents to non-EU allies,” said Federica Bicchi, London School of Economics Professor, who is very familiar with the inner workings of the COREU network.