Anti-Phishing, DMARC , Cybercrime , Cyberwarfare / Nation-state attacks

Hackers Intercepted EU Diplomatic Cables for 3 Years

Phishing Attack Against Cyprus Stole Access Passwords, New York Times Reports
Hackers Intercepted EU Diplomatic Cables for 3 Years
The headquarters of the European Commission in Brussels (Photo: Kevin White, via Flickr/CC)

For the past three years, hackers have been intercepting sensitive diplomatic cables sent between EU member states after stealing passwords for accessing the EU network via a phishing attack against diplomats in Cyprus, The New York Times reported late Tuesday.

See Also: Webinar | Beyond Managed Security Services: SOC-as-a-Service for Financial Institutions

The attack was discovered by Area 1, an anti-phishing firm based in Redwood City, California, that was founded in 2013 by three former National Security Agency officials. Area 1 researchers said that after hackers copied the cables off of a secure EU network, they had been posting them onto an open internet site, which was where the researchers found them. The company has shared more than 1,100 of the stolen EU cables with The New York Times.

Area 1 didn't immediately respond to a request for comment on the Times report, which says the same group of hackers also appears to have penetrated more than 100 other institutions and organizations, including the United Nations, the American Federation of Labor and Congress of Industrial Organizations - better known as the AFL-CIO - as well as "ministries of foreign affairs and finance worldwide," in some cases for years.

But Oren Falkowitz, CEO of Area 1, told the Times that the hacking group gained access to the EU network, called COREU, via a phishing attack against government systems in Cyprus - one of the 28 EU member states - on which they found passwords that allowed them to access COREU.

"People talk about sophisticated hackers, but there was nothing really sophisticated about this," Falkowitz said.

Britain's signals intelligence agency, GCHQ, didn't immediately respond to a request for comment on the theft of EU diplomatic cables.

"Hackers will always seek out the weakest spot: the easiest way in," Alan Woodward, a professor of computer science at the University of Surrey, tells Information Security Media Group. "I suspect they found Cypriot government systems slightly less prepared for their attacks than others in the EU. But, of course, it allowed them into the parts of the systems that then meant they could read messages intended for many countries as well as Cyprus."

Revealed: Diplomacy, Negotiation Strategies

The New York Times reports that the cable theft shows hackers attempting to glean information on every possible aspect of EU diplomacy and negotiation. The cables include details of European foreign policy, as well as strategies for working with - and around - U.S. President Donald Trump, including emphasizing the EU's own interests in everything from trade to Brexit and working directly to Congress whenever possible, according to the Times' review of the cables.

Excerpt of a cable written by the European External Action Service - the EU diplomatic service and foreign and defense ministry - about the 20th EU-China Summit, held in Beijing on July 16, 2018

The cables also reveal European diplomats' potentially contentious take on global affairs. For example, a July 20 cable from the European External Action Service - the EU diplomatic service and foreign and defense ministry - written by the EU delegation in Russia includes an analysis of the Helsinki summit held that month between Trump and Russian President Vladimir Putin, concluding that it was "successful (at least for Putin)."

"Moscow now waits for the calming of emotions in Washington," the cable reads (see: How Trump Talks About Russian Hacking).

European Council Probes Alleged Leak

The General Secretariat of the Council, which is the body of staff responsible for assisting the European Council, tells ISMG in a statement that it "is aware of allegations regarding a potential leak of sensitive information and is actively investigating the issue."

But it declined to comment further on any specifics. "The Council Secretariat does not comment on allegations nor on matters relating to operational security," it says in its statement. "The Council Secretariat takes the security of its facilities, including its IT systems, extremely seriously."

Woodward says the duration of the attack and apparent failure of the EU to spot it are cause for alarm. "The fact that this went on for three years is troubling. It shows that you can have very strong partners in an alliance like the EU - I like to think the U.K. has excellent skills and is good at protecting its government systems - but as a member of such an alliance you are reliant on everyone else being as strong," he says. "Sadly, that's not always the case."

Signs of Chinese Hacking

Researchers at Area 1 say the hack attacks appear to have been carried out using tactics that have been regularly employed by the Strategic Support Force of the People's Liberation Army, which is a group that formerly belonged to the Chinese signals intelligence agency, known as 3PLA.

"After over a decade of experience countering Chinese cyber operations and extensive technical analysis, there is no doubt this campaign is connected to the Chinese government," Area 1 researcher Blake Darche told the Times.

The Chinese Embassy in Washington didn't immediately respond to a request for comment on those allegations.

In terms of the potential identity of the hackers, Woodward says China would not be the only government attempting to mount this type of operation. "Intelligence agencies all over the world will be trying this type of operation," he says.

European officials told the Times that they're in the process of replacing COREU with a more secure system called EC3IS, and that all confidential, secret and "tres secret" material is already handled via a different and more secure system.

The EU's compartmentalized approach to its diplomatic communications - including using more secure systems for even more sensitive information - suggests that officials are aware of the risk posed by any system that allows access to so many individuals in so many different nations. But even non-classified material, including official communications, "can be a treasure trove for intelligence agencies," Woodward says.

Life After WikiLeaks

This isn't the first time that sensitive diplomatic or political communications have been intercepted or revealed en masse.

In 2010, WikiLeaks released tens of thousands of U.S. diplomatic cables and military documents from the Iraq and Afghanistan conflicts, which had been leaked to the site by Chelsea Manning, the U.S. Army intelligence analyst formerly known as Bradley Manning (see: Obama Commutes Sentence of WikiLeaks Leaker Manning).

The State Department cables, written in sometimes frank and unguarded language by diplomats, embarrassed the U.S. government, and the military documents raised serious concerns over civilian casualties.

More recently, emails stolen from the Democratic Congressional Campaign Committee, the Democratic National Committee and the 2016 presidential campaign of Hillary Clinton were leaked by Guccifer 2.0. In July, the U.S. Department of Justice unsealed an indictment against 12 Russian intelligence officers that accused Russia's GRU military intelligence service of having hacked the targets and released the documents as part of Moscow's attempt to influence U.S. elections, including using Guccifer 2.0 as a front (see: 10 Takeaways: Russian Election Interference Indictment).

In comparison to those two campaigns, however, experts tell the Times that the EU diplomatic cables never appear to have been purposefully leaked, and that this operation appeared to be a pure espionage play.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.