China link found to virus targeting diplomatic offices

The computer virus used in targeted attacks against Japanese diplomatic missions overseas was designed to transmit identification data and other information from infected computers to two servers in China, it has been learned. One of the two servers in China is registered at a domain that was also used in cyber-attacks against online search giant Google in 2009-2010, sources said Thursday. This and other circumstantial evidence suggests the virus is part of international espionage efforts targeting classified Japanese diplomatic information. The virus has infected dozens of computers at Japanese diplomatic offices in 10 countries, including the Japanese Embassy in South Korea, since this summer. According to sources close to the case, the virus is called "BKDR_AGENT.MOF." The virus can make infected personal computers transmit information, such as user IDs and Internet protocol addresses, to outside parties. The virus can also forcibly activate software programs on infected PCs. Several servers were assigned as destinations for data transmissions caused by the virus, and at least two have been found to be located in China. The two servers are registered at rental domains administered by a Chinese company. The sources said one of the domains has been involved in numerous previous cyber-attacks, including the spate of cyber-attacks known as Operation Aurora that targeted about 30 companies between 2009 and 2010. Google was one of the companies attacked. People who wish to use the domain must fill out an online application in Chinese. Most users of the domain therefore have knowledge of the Chinese language, the sources said. It has also been discovered that the virus is designed to direct infected computers to attach codes to its data transmissions, one of which is "mofa." MOFA is a common acronym for the Ministry of Foreign Affairs, the official name of the Foreign Ministry.

About the author: Lee J

Security Analyst, Developer, OSINT,

Comments are closed.