Commercial Espionage Virus

It’s designed to steal blueprints and send them to China.

Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet.

Posted on July 3, 2012 at 6:22 AM • 8 Comments


Clive Robinson July 3, 2012 7:05 AM

As has often been said before, China is a convenient place to use as a drop-off, as is one of those ex-Russian republics.

This particular malware is actually an indicator that things are maturing in some places.

As a “fire&forget” system as opposed to “directed attack” it is probably only the second such specialised vector to make it into the general press.

Jim Kingston July 3, 2012 7:17 AM

Blueprints! Nobody makes blueprints any more! You're lucky to even get drawings these days (though I've yet to see geometrical tolerances done well in 3D).

Jim July 3, 2012 7:23 AM

It is true that attribution can't be known for certain, but the circumstance isn't helped by the fact that GhostNet sent its data to China, and intelligence collected by GhostNet ended up in the hands of Chinese police.

Mark Boss July 3, 2012 11:13 AM

I don't know if AutoCAD is as popular as it used to be, but whoever is collecting these blueprints might find themselves flooded with data. Unless they have some way to sort out the specific designs they're looking for, it sounds like they'll just have a big, unusable pile.

Wael July 3, 2012 11:34 AM

I wonder why Peru. Maybe it's because of this?

“Later this year a consortium of Brazilian construction and energy companies plans to start building a $4 billion hydroelectric dam on the Inambari River, which starts in the Andes and empties into the Madre de Dios River near Puerto Maldonado. When the dam is completed, in four to five years, its 2,000 megawatts of installed capacity—a touch below that of the Hoover Dam—will make it the largest hydroelectric facility in Peru and the fifth-largest in all of South America.”

Isaac July 4, 2012 6:42 AM

I'd say that the fact that Chinese authorities have cooperated with the company is a good and interesting development.

"Unusually, Chinese authorities have cooperated with efforts to investigate and disable the virus.

Government experts helped follow the path taken by the stolen drawings to their final destination in Chinese email accounts, which have been blocked."

jacob July 11, 2012 12:01 PM

@Bruce. I would imagine that the C&C is not in the real controlling country. Scatter them about, preferably where Big Brother can't really snoop to the full advantage, i.e., Flame. Bogus certs, servers, Tor (or alternatives), etc. Nation states and criminal enterprises can use a lot of the same tricks...
