At 3:10 a.m. on October 27, 2011, a less-than-diplomatic email landed in the inboxes of attendees at the G20 Summit, an annual gathering of heads of government and other representatives from the world’s top economic powers. “Ladies and Gentlemen,” the email began, “First Lady Nude Photos.” It was followed by a link that promised to open a stash of nude photos of France’s then-first lady, Carla Bruni. The link was also spring-loaded with malicious code that could infiltrate the device of a G20 delegate, opening a pathway to a wider network of devices. The sender needed only one hot-blooded delegate to potentially infect an entire delegation.
It’s not hard to imagine the hacker or hackers’ motive. The G20 Summit draws leaders from 20 nations that together account for 86% of the world’s wealth. They bring in their wake some 4,000 delegates from various ministries, businesses and NGOs, all of whom will converge on Brisbane, Australia on Saturday for a weekend of handshakes and hobnobbing. They will also carry in their smartphones and laptops reams of sensitive communications, including agendas, talking points and trade secrets, a cornucopia of state interests that could offer rival nations an edge in future negotiations or standoffs.
It might sound a bit amateurish to send global bigwigs the same crudely written emails that might turn up in the average Joe’s spam folder, but security experts say hackers try every trick in the book to infiltrate the summit.
“Some groups that look spammy are the exact same groups that can send out extremely well-crafted emails,” says Nart Villeneuve, a senior researcher at the California-based security firm FireEye. The crude emails are often just the opening shot in a campaign that can extend to tainted memory sticks and emails that are indistinguishable from official G20 correspondence. FireEye researchers made headlines after last year’s G20 Summit in St. Petersburg, Russia, when they exposed a concerted attack against five European foreign ministries. In that case, an email attachment labeled “US_military_options_in_Syria” installed malicious code as soon as the recipient opened the official-looking file.
Villeneuve had a front-row seat to the St. Petersburg breach. His team traced the malware back to a command-and-control server in China, where they observed a ring of hackers known as “Ke3chang” in action. For a brief, two-week window, Villeneuve’s team saw the hackers issue commands to search for files and open backdoors to other computers of interest.
“The attackers don’t have to compromise a high level diplomat first,” Villeneuve said. “It can begin with anyone on that network.”
The St. Petersburg hack wasn’t the first time such a global gathering had been targeted: during the 2012 Olympics, for example, tainted schedules circulated among the attendees. And in the run-up to the 2011 G20 Summit, malware-ridden files infected roughly 150 computers in the French Ministry of Finance. “It’s probably the first time it’s been as spectacular as this,” said France’s Budget Minister François Baroin at the time.
But the high-profile hacks could very well get more spectacular until all attendees at sensitive events like the G20 collectively shore up their online security. Each delegation crafts its own security plan, but in an ideal world, says FireEye Threat Intelligence Manager Jen Weedon, attendees would use disposable phones and laptops that can be wiped clean of all content before and after the conference. Still, many attendees come from countries that may not have the interest or resources to take such measures, which many may view as extreme or unwarranted. “You can’t expect them to become security experts overnight,” Weedon says. But G20 delegations ignore the security risks at their own peril: already, Weedon says, Tibetan activists at this year’s conference have been targeted by a malware-infected document related to protest information.
Ultimately, the problem of hackers running amok at global gatherings runs deeper than technology alone. All hacking scams exploit human vulnerabilities, such as lust, credulity and curiosity, that can’t always be solved with a smarter spam filter. “It takes a human to click on something,” observes Weedon, a warning that this weekend’s assemblage of power players may or may not heed when the promise of official correspondence or other tempting links lands in their inboxes. They’re only flesh and blood, after all.