Hackers targeted dozens of computer systems at government
agencies across Europe in a series of attacks that exploited
a recently discovered security flaw in Adobe Systems Inc's
software, security researchers report.
Russia's Kaspersky Lab and Hungary's Laboratory of
Cryptography and System Security, or CrySyS, said the targets
of the campaign included government computers in the Czech
Republic, Ireland, Portugal and Romania.
They also said a think tank, a research institute and a
healthcare provider in the United States, a prominent
research institute in Hungary and other entities in Belgium
and Ukraine were among those targeted by the malicious
software, which they have dubbed "MiniDuke".
Boldizsár Bencsáth, a cyber security expert who runs the
malware research team at CrySyS, told Reuters that he had
reported the incident to NATO's Computer Incident Response
Capability, a group that analyzes and responds to cyber
The researchers suspect MiniDuke was designed for espionage,
but were still trying to figure out the attack's ultimate
"This is a unique, fresh and very different type of attack,"
said Kurt Baumgartner, a senior security researcher with
Kaspersky Lab. "The technical indicators show this is a new
type of threat actor that hasn't been reported on before."
He said he would not speculate on who the hackers might be.
Bencsáth said he believed a nation-state was behind the
attack because of the level of sophistication and the
identity of the targets, adding that it was difficult to
identify which country was involved.
Exactly how serious the attacks were was not immediately
clear, nor who exactly the targets were or at what level
European governments were alerted.
The Czech counterintelligence agency BIS said they were not
aware of any massive hacking attacks on Czech institutions
from abroad recently. The Czech National Security Bureau,
responsible for government data, was not immediately
available for comment. Neither were officials from other
states said to be affected.
A NATO official said the alliance was aware of the reports
and was assessing the details, but that the reported
incidents had no impact on the alliance's own computer
The researchers, who declined to further elaborate on the
targets' identities, released their findings as more than
20,000 security professionals gathered in San Francisco for
the annual RSA conference.
USING ADOBE, TWITTER, GOOGLE
MiniDuke attacked by exploiting recently discovered security
bugs in Adobe's Reader and Acrobat software, according to the
researchers. The attackers sent their targets PDF documents
tainted with malware, an approach that hackers have long used
to infect personal computers.
The MiniDuke hackers exploited security bugs in Reader and
Acrobat software that were first identified two weeks ago by
Silicon Valley security firm FireEye. The firm reported that
hackers were infecting machines by circulating PDFs tainted
with malicious software.
Adobe spokeswoman Heather Edell said that her firm issued a
software update to Acrobat and Reader last week that should
protect customers from getting infected by MiniDuke once they
installed that update.
The MiniDuke operators used an unusual approach to
communicate with infected machines, according to the
researchers. The virus was programmed to search for Tweets
from specific Twitter accounts that contained instructions
for controlling those PCs. In cases where they could not
access those Tweets, the virus ran Google searches to receive
its marching orders.
Officials with Twitter and Google could not immediately be
Bencsáth said he believed the attackers installed "back
doors" at dozens of organizations that would enable them to
view information on those systems, then siphon off data they
He said researchers had yet to uncover evidence that the
operation had moved to the stage where operators had begun to
exfiltrate data from their victims.
Privately, many Western government and private sector
computer experts say China is the clear leader when it comes
to state-sponsored cyber attacks to steal information -
although they rarely say so publicly and Beijing angrily
According to cybersecurity expert Alexander Kliment at the
Austrian Institute for International Affairs, however, the
closest attack to this in style was a Trojan dubbed "TinBa"
identified two months ago and used for banking fraud attacks.
That was suspected to have been built by Russian hackers, he
said, talking down the prospect of state involvement.
"There are some interesting aspects to the attacks," said
Klimburg, pointing to the use of Twitter. "(But) most of the
attack does not seem that new at all. Some of the...
'tricks', such as using pictures to hide data, are more
reminiscent of proficient students rather than government