On the 28th and 29th of June the G20 summit will be held in Osaka, Japan. At this event, the world's most powerful decision makers will discuss the significant topics and strategies that shape the global order. Nation-states with offensive cyber capabilities will be highly interested in attacking the IT systems of the politicians, organizations and governments involved directly or indirectly. The following map shows the countries that will attend the G20 in Osaka ([1]):
Illustration 1: Members & Guests of the G20, 2019
International organizations invited to the G20:
ASEAN President (Thailand), AU President (Egypt), Chile (APEC President), Senegal (NEPAD President), United Nations (UN), International Monetary Fund (IMF), World Bank, World Trade Organization (WTO), International Labour Organization (ILO), Financial Stability Board (FSB), Organization for Economic Cooperation and Development (OECD), Asian Development Bank (ADB) and World Health Organization (WHO).
The G20 is heavily targeted by APT groups because agreements reached among its nation-states can be applied faster and, geopolitically, can have more impact than those of the United Nations or other multinational organizations and institutions ([4]). The following table lists several cyberattacks carried out by advanced threat groups against the G20 ([4]) ([5]):
| Date | Incident |
| --- | --- |
| Jan 2011 | Spear phishing emails (G20-themed subjects) |
| Jan 2011 | Spear phishing emails (2nd time), G20-themed subjects |
| Aug 2013 | Spear phishing emails to a targeted list of 200+ G20 attendees |
| Mar 2014 | Spear phishing emails with G20-themed subjects from an APT |
| Nov 2014 | Spear phishing email sent to seven G20 users |
| Aug 2017 | KopiLuwak backdoor used in a G20-themed attack |
During the G20 2019 event there will be several working groups, composed of professionals from the ministries of each attending country, whose aim is to reach agreements. All of those members are exposed as targets to the APT groups interested in a G20 cyberattack. The working groups are distributed as follows ([3]):
| Working group | Topics |
| --- | --- |
| Promoting strong, sustainable and balanced growth | Society 5.0; Trade and investment; Quality infrastructure development |
| Greater provision of international public goods and resilience | Universal health coverage; Natural disaster reduction and ocean waste management; Responsible lending and avoidance of the “debt trap”; Global imbalance; Financial regulation; Gender equality; Climate change and energy |
| Digitalization of the economy | Digitalization and jobs; International taxation in the digital economy; Crypto-assets; Rule-making for the digital age |
| Population aging | Fiscal management; Labor supply, investment and financial markets; Productivity improvement to raise potential growth |
These topics, or derivatives of them, could be used by threat actors in their phishing emails: as file names, in real infected documents, as email subjects, in sender addresses, etc. As an example, in the last Turla cyberattack against the G20 the file name was “save the date”. “The dropper was delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the Digital Economy. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany” ([6]). Turla targets the G20 participants and those with an interest in the G20, including member nations, journalists, and policymakers.
Chinese APT groups have been involved in this kind of cyberespionage operation, as seen in the FireEye report from 2013 ([7]). The Moviestar campaign was run by Ke3chang. For several weeks before the G20 event, the threat actor sent emails with updates on the escalating Syrian crisis to lure the victims into downloading the malware. This topic was by far the most prominent one at the 2013 G20 meeting. It was a well thought-out campaign targeting high-profile and influential government officials ([8]). The file name of the infected document was “US_military_options_in_Syria.zip”.
To avoid cyberattacks during the G20 it is highly recommended to be wary of G20-themed emails that carry downloadable attachments or URLs offering more information. Another relevant sign of a malicious document is that, once downloaded, it is completely empty or it flickers when opened.
USB drives are a very common way to infect IT systems, so it is important not to plug in any USB drive and to avoid using any public WiFi network, as attackers could steal classified information from the guest's IT system ([9]).
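The lure pattern described above (agenda topics and past file names reused as email subjects and attachment names, delivered as archives, scripts or Office documents) can be turned into a simple mail-gateway triage rule. The following is an added example, not part of the original post: the theme list, weights and sample messages are constructed from the working-group agenda and incidents on this page.

```python
import re

# Lure phrases from the 2019 working-group agenda and the incidents described
# above (a constructed list, not a vendor feed).
G20_THEMES = ["g20", "osaka", "save the date", "task force", "digital economy",
              "society 5.0", "quality infrastructure", "ocean waste", "debt trap",
              "financial regulation", "climate change", "crypto-assets",
              "international taxation", "fiscal management", "syria"]
# Dropper types seen in the campaigns cited above (archive, JavaScript backdoor,
# Office documents); the weights are constructed for this example.
RISKY_EXT = {".zip": 3, ".js": 3, ".jse": 3, ".docm": 2, ".xlsm": 2, ".doc": 1}

def theme_hits(text):
    """G20-themed phrases present in the text, matched case-insensitively."""
    low = text.lower().replace("_", " ")
    return [t for t in G20_THEMES if t in low]

def score(mail):
    """mail is (subject, [attachment names]); returns (points, reasons).
    More points means a likelier G20-themed lure."""
    subject, attachments = mail
    pts, reasons = 0, []
    for hit in theme_hits(subject):
        pts += 1
        reasons.append(f"subject mentions '{hit}'")
    for name in attachments:
        low = name.lower()
        for hit in theme_hits(low):
            pts += 1
            reasons.append(f"attachment '{name}' mentions '{hit}'")
        ext = low[low.rfind("."):] if "." in low else ""
        if ext in RISKY_EXT:
            pts += RISKY_EXT[ext]
            reasons.append(f"attachment '{name}' is a risky type ({ext})")
        # a double extension such as 'agenda.pdf.js' disguises the real file type
        if re.search(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]+$", low):
            pts += 3
            reasons.append(f"attachment '{name}' has a double extension")
    return pts, reasons

# Constructed samples modelled on the lures this page describes.
SAMPLES = [
    ("Save the date: G20 task force on the Digital Economy", ["save_the_date.pdf.js"]),
    ("US military options in Syria", ["US_military_options_in_Syria.zip"]),
    ("Canteen menu for this week", ["menu.pdf"]),
]

def triage(mails=SAMPLES, threshold=4):
    """Subjects of messages scoring at or above the threshold, for analyst review."""
    return [m[0] for m in mails if score(m)[0] >= threshold]
```

The reasons list is what an analyst would see alongside the score; the threshold is a tuning knob, not a verdict.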
Conclusions
The G20 is one of the most relevant international political events, as the policies agreed by this coalition can be executed faster than those of other organizations. APT groups target this event to collect classified information from top government officials.
The APT groups presumably related to China and Russia, such as Turla or Ke3chang, have a notorious record of targeting the members and organizations involved in the G20. All 20 countries are potential targets for these groups, and some of them are especially important.
As several reports on previous G20 incidents show, threat actors usually infect their victims using file names or real documents related to the topics handled by the G20 working groups.
References:
[1] Wikimedia. Map about G20. https://upload.wikimedia.org/wikipedia/commons/e/e7/G20.svg
[2] G20 What is the G20 Summit? | Summit Details | G20 Osaka Summit 2019. https://g20.org/en/summit/about/
[3] CRIES. (2019). Japan’s G20 Presidency for 2019: Potential Agendas and Issue.
[4] Kaffenberger, L. Cyber Threats to the G20. https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1517252245.pdf Video: https://www.youtube.com/watch?v=B5IifOkA4-w
[5] Infosecinstitute. Russian APT Groups Continue Their Stealthy Operations. https://resources.infosecinstitute.com/russian-apt-groups-continue-stealthy-operations/
[6] Dawson, C. Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in. https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack
[7] Boland, B. The G20 and the New Reality of Cyber Espionage. https://www.fireeye.com/blog/executive-perspective/2014/11/the-g20-and-the-new-reality-of-cyber-espionage.html
[8] Mimoso, M. China Espionage Malware Targeted Diplomats, Foreign Ministers During G20 Summit. https://threatpost.com/china-espionage-malware-targeted-diplomats-foreign-ministers-during-g20-summit/103178/
[9] SBS News. (s.f.). Spy agency warns of G20 cyber-attack risk. https://www.sbs.com.au/news/spy-agency-warns-of-g20-cyber-attack-risk