Hackers stole thousands of EU diplomatic cables

Tens of thousands of sensitive EU documents reveal anxiety about Trump, Russia and Iran

European Commission Vice-President for the Euro and Social Dialogue, Valdis Dombrovskis

Hackers spent years infiltrating the EU's diplomatic communications network and downloading thousands of cables that reveal concerns about an unpredictable Trump administration and anxiety regarding Russia, China and Iran. The operation was disrupted only after the California-based security firm Area 1 Security discovered hundreds of intercepted documents on the internet.

Fortunately, information marked as confidential and secret was not affected by the three-year hack. According to the company's co-founder Blake Darche, the documents were discovered a few months ago after a malicious email was caught. After tracking the suspected campaign for some time, Area 1 uncovered in November this year the successful infiltration of the Ministry of Foreign Affairs of Cyprus and, through it, of the COREU network, a key system that provides the backbone of communications between all 28 EU countries.

Thereafter the firm followed forensic clues back to an unsecured server that held some 1,100 EU diplomatic cables. Darche, however, stressed that probably tens of thousands more such documents were stolen and are yet undiscovered. He also revealed that the hackers were most likely working for China's People's Liberation Army, basing his judgment on eight years spent observing the group.

"We estimate that the ones we found are a small fraction of the overall operation," Darche said. "From what we can see, the EU has a significant problem on their hands."

The technical data provided later on Wednesday reveals that initial access was gained after phishing attempts successfully obtained credentials belonging to network administrators and senior members of staff. These stolen credentials were then used to implant malware on the network designed to create a backdoor and establish a path to a command-and-control (C2) network for data exfiltration. In one case of infection, the Remote Access Trojan (RAT) PlugX was used. This malware is able to log keystrokes, capture screens, create and delete registry entries, control processes, start services, and launch remote shells.

As a result, a large number of the stolen diplomatic cables have since been leaked and published. In one cable, for instance, EU diplomats described a meeting in Helsinki, Finland, between US President Trump and his Russian counterpart Vladimir Putin as "successful (at least for Putin)." Another intercepted message gives details of a private meeting between Chinese President Xi Jinping and European officials that took place on 16 July this year. It quotes Xi as saying China "would not submit to bullying" from Washington "even if a trade war hurt everybody". In the same message he was also quoted comparing Trump's policy toward Beijing to a "no-rules freestyle boxing match."

In response, European Commission Vice President Valdis Dombrovskis told reporters in Brussels that EU officials are taking the issue "extremely seriously" but that it is "impossible to comment on leaks." He identified the system hit by the leaks as one managed by the European Council's secretariat, which represents EU Member States in Brussels, rather than the Commission itself. In an email, the Council acknowledged what it described as "a potential leak of sensitive information" and said it was investigating. It offered no further comment.

According to the most recent information, at least 100 other institutions, including the UN, were also reportedly affected by the breach and have since been alerted.
