In the spirit of last February’s report by Mandiant detailing the
exploits of a Chinese-government-linked hacker group, Russian IT
security giant Kaspersky Lab today released a report on another
sophisticated Chinese cyber-espionage outfit, which the lab has dubbed the Red Star APT (Advanced Persistent Threat).
According to the lab, this advanced hacker group of about
50 people has been active since at least 2005, possibly 2004, and has
invaded the networks of more than 350 “high profile” victims ranging
from Tibetan and Uyghur freedom activists to government agencies,
embassies, universities, defense contractors, and oil companies in 40
countries using “covert surveillance” and espionage software called
NetTraveler. (The name sounds so innocent, doesn’t it?)
NetTraveler is delivered as a malicious Microsoft Office file
attached to a spearphishing email. Once installed on a machine, it
steals sensitive data, logs the victim’s keystrokes, and “retrieves”
Microsoft Office files or PDF documents, according to Kaspersky. The
malware is often used in conjunction with other cyberspy tools.
One of the most telling details in Kaspersky’s report is that
NetTraveler exploits an old flaw in Microsoft Office, one that the
Redmond, Washington-based company patched long ago. Nevertheless, poor
patch hygiene allowed the malware into victims’ networks: the targets
were running Office versions that had not been updated.
“It is therefore surprising to observe that such
unsophisticated attacks can still be successful with high-profile
targets,” notes the lab’s report on Red Star, pointing out that, by not
updating their software, the victims basically did some of the
attackers’ work for them — they left the digital gate unlocked. Six of
the victims were even infected by the Red October malware we told you
about last fall.
“It’s kind of shocking that government institutions,
diplomatic institutions that have been warned they were infected, they
don’t do anything about it,” said Costin Raiu, director of the lab’s
global research and analysis team, today during a cybersecurity forum in Washington that his company sponsored.
So, just what does the Red Star crew appear to be looking
for? Sixty percent of its targets are government embassies, militaries,
and other government agencies. The rest are predominantly research
institutions, manufacturing firms, and aerospace businesses. The victims
are also predominantly located in Asia, with Mongolia topping that list
as the host of 29 percent of victims, followed by Russia (19 percent),
India (11 percent), Kazakhstan (11 percent) and Kyrgyzstan (5 percent).
Among the information the Red Star gang is looking to steal
is data on nanotechnology, lasers, aerospace technology, drilling gear,
radio wave weapons, nuclear power, and communications tech, according
to the lab.
Red Star recruits young hackers without a lot of technical
expertise “who simply follow instructions” on how to develop and release
NetTraveler on a set of targets they are given, Raiu said today. “They
get a toolbox, they get instructions, they get the Trojans [malware] and
they get a target — 20, 25, up to 30 different targets they need to
attack. Just one single successfully completed project can actually pay
their monthly expenses.”
The lab doesn’t come out and say that Red Star APT is
affiliated with the Chinese government, only going so far as to say it
is a “medium-sized threat actor group from China.” However, a number of
factors suggest it might be. NetTraveler was developed by someone with
native Chinese language skills, and IP addresses traced by Kaspersky are
in China. What’s more, the victims are either businesses in sectors
that China wants to excel in, political groups the Chinese government
wants to keep tabs on, or government organizations. That being said, Red
Star could just be “a non-government hacker group who steals IP and
sells to whoever is buying,” Jeffrey Carr, CEO of cybersecurity firm TAIA Global, noted on Twitter last night.