According to a new report from FireEye, attacks originating in China have compromised nine different government ministries, beginning in August 2013. Advertising new information about the Syrian crisis, the infected emails came in advance of a G20 meeting about the crisis, suggesting the motives had more to do with espionage than a run-of-the-mill phishing attack. The attacks also specifically targeted the nations' foreign ministries, suggesting their objective was primarily diplomatic. Although FireEye's report leaves the countries anonymous, The New York Times has named the Czech Republic, Portugal and Hungary as among the nations compromised.
Once a machine is infected, the malware is designed to gather system and network information, then systematically harvest login credentials, allowing the infection to spread. FireEye briefly gained access to one of the attackers' Command-and-Control servers, allowing them to watch the spread of the malware in real time, although they lost access before the program began collecting information, leaving open the question of what the attackers were hoping to discover.
Although the report offered no definitive link to the Chinese government, FireEye found conclusive evidence that the attacks had originated in China and were being operated by Chinese speakers. In the past, similar attacks have been linked back to a Chinese army base, and it's suspected these latest attacks have a similar origin.