Symantec Found China-Based Hacking Campaign Breach On Defense Firm
The mysterious group has been trying to breach satellite communications operators as part of a global cyberespionage campaign, according to security firm Symantec. The apparent aim: to take over computers installed with software that can monitor and control the satellites.
The hacking group, dubbed Thrip, has also been found targeting a geospatial imaging provider, a defense contractor in the US, and three telecommunication operators based in Southeast Asia, Symantec said in a report published Tuesday.
Microsoft also confirmed that it found signs of the malware in its systems, and that the breach affected its customers as well. Reports indicated that Microsoft's own systems were being used to further the attack, but Microsoft denied this claim to news agencies. Later, the company worked with FireEye and GoDaddy to block and isolate the versions of SolarWinds' Orion platform known to contain the malware, cutting the attackers off from customers' systems.
The so-called "Hidden Lynx" cyberspy gang has waged targeted attacks since at least 2009. Attacks included water-holing campaigns in which they injected malware into legitimate websites likely frequented by their targeted industries and then sifted out their true targets, mainly from financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm's file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, revealed in 2010, which targeted Google, Intel, Adobe, and other major U.S. firms.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach: a virtual system on its network was running without the company's own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012, via a SQL injection attack on one of its Internet-facing Web servers; the breach was discovered in January of this year.

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers. "On our side, we got samples from three different organizations all in the defense supply sector ... these were customers of ours who were at the targeted end of this attack. We don't know if they got breached or infected" by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson regarding its customers that were attacked in the wake of its breach: "The customers were not government or military entities, nor were they defense contractors or otherwise part of the DIB." Bit9 has stopped short of providing any details on its customers who were targeted.

In an interview with Dark Reading earlier this year, Sverdlove said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," Sverdlove said.

Hidden Lynx differs from other Chinese APTs, such as APT1/Comment Crew: they appear to operate on a for-hire basis, hacking specific targets for the clients who commission them, according to Symantec, which published a whitepaper on the group and its attack methods yesterday.

The group also employs "cutting edge" attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first-phase attacks -- large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less-prolific piece of malware, for infecting the actual targets that are sifted out of the overall infected population.

"We've seen them using water-holing like nobody else has. They use zero days to get people infected, and ... then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude," Thakur says. "We've not seen that before" with APTs, he says.

It's unclear whether the group is directly employed by the Chinese government, but its infrastructure is based in China, says Thakur, principal security response manager and researcher with Symantec Security Response. "They do have an authority sitting above them. The reason we know this is because they don't just go after one type of data. By itself, that is quite striking ... They don't seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done."

Symantec estimates that the group numbers 50 to 100 individuals and has hit hundreds of different organizations: 24.6 percent of them in the financial industry, 17.41 percent in education, 15.08 percent in government, 12.39 percent in ICT/IT, 6.64 percent in engineering, and about 4 to 5 percent each in industries such as defense and media. Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with minuscule infection counts likely were collateral damage, such as a U.S. user traveling in that nation. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets," according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, during which the attackers sift through them for the specific targets, likely at the behest of their clients. "Moudoor is more popular, and most people are looking for it," so it's used in the initial attack, he says. That then masks the second-stage infection by the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. "They want real intelligence from the physical world," he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via 10 legitimate websites the attackers had injected with malware, as well as other attack campaigns against the energy sector, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec's full report on Hidden Lynx is available from Symantec as a PDF download.
The first Tick attacks detailed by Symantec focused on technology, aquatic engineering, and broadcasting firms in Japan. Palo Alto Networks reported seeing campaigns aimed at defense and high-tech organizations in Japan and South Korea.
A Chinese cyber-espionage group has been identified targeting at least four critical infrastructure organizations in a Southeast Asian country from November 2020 to March 2021. The organizations targeted include a water company, a power company, a communications company, and a defense organization, and researchers said they found evidence that the attackers were interested in information about SCADA systems.

There is evidence that the attacker behind this campaign is based in China, but there is not enough information available to attribute the activity to a known actor. The threat actors made extensive use of living-off-the-land and dual-use tools, including Windows Management Instrumentation (WMI), ProcDump, PsExec, and Mimikatz. Espionage seems the likeliest motive, indicated by credential stealing, lateral movement, and keylogger deployment, as well as by the types of machines targeted in some of the organizations, most of which were involved in design and engineering. An attacker with access to multiple critical infrastructure organizations in the same country could potentially gain a vast amount of sensitive information.
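The dual-use tooling listed above is exactly what endpoint process-creation telemetry catches, because each tool leaves a recognisable parent/child or command-line pattern even when the binary is renamed. The following is an added example, not code from Symantec's report: a small detection pass over constructed, Sysmon-style process events. The ProcEvent fields are an assumed simplified schema, and the hostnames, users and command lines are invented sample data.

```python
"""Added example (not from Symantec): flag ProcDump, Mimikatz, PsExec and WMI
remote-execution patterns in constructed process-creation events.
ProcEvent is an assumed, simplified stand-in for Sysmon Event ID 1 / 4688."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of an image path, so rules ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# rule name -> (tactic label, predicate over one event)
RULES = {
    # ProcDump pointed at lsass; the -ma/-mm switch regex also catches a renamed binary.
    "lsass_dump": ("credential_access", lambda e:
        (_base(e.image).startswith("procdump") and "lsass" in e.command_line.lower())
        or re.search(r"-m[am]\s+lsass(?:\.exe)?\b", e.command_line, re.I) is not None),
    # Mimikatz module syntax on the command line, whatever the binary is called.
    "mimikatz_cmdline": ("credential_access", lambda e:
        re.search(r"sekurlsa::|lsadump::|privilege::debug", e.command_line, re.I) is not None),
    # PsExec launched toward a UNC target from the source host.
    "psexec_remote_launch": ("lateral_movement", lambda e:
        _base(e.image).startswith("psexec") and "\\\\" in e.command_line),
    # On the destination host, PsExec's service PSEXESVC is the parent of the shell.
    "psexec_service_spawn": ("lateral_movement", lambda e:
        _base(e.parent_image) == "psexesvc.exe"),
    # WMI remote execution: the WMI provider host spawning a shell or script host.
    "wmi_remote_process": ("lateral_movement", lambda e:
        _base(e.parent_image) == "wmiprvse.exe"
        and _base(e.image) in {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}),
}

# Constructed sample telemetry (not real data); hosts, users and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent("eng-ws01", "CORP\\jlee", r"C:\Windows\explorer.exe",
              r"C:\Users\jlee\Downloads\procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"),
    ProcEvent("eng-ws01", "CORP\\jlee", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\m.exe",
              r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcEvent("eng-ws01", "CORP\\jlee", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\PsExec.exe",
              r"PsExec.exe \\scada-hmi01 -u CORP\svc_eng -p ******** -s cmd.exe"),
    ProcEvent("scada-hmi01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
    ProcEvent("scada-hmi01", "CORP\\svc_eng", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # Benign noise: an Office launch, and a software-deployment child of WmiPrvSE.
    ProcEvent("hr-ws07", "CORP\\asmith", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"WINWORD.EXE /n"),
    ProcEvent("hr-ws07", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i agent.msi /qn"),
]


def evaluate(events):
    """Return {host: [rule names, in event order]} for every event that trips a rule."""
    hits = defaultdict(list)
    for e in events:
        for name, (_tactic, pred) in RULES.items():
            if pred(e):
                hits[e.host].append(name)
    return dict(hits)


def severity(hits):
    """'high' when one host shows more than one tactic (credential theft followed by
    lateral movement is the chain the campaign description implies); else 'medium'."""
    levels = {}
    for host, names in hits.items():
        tactics = {RULES[n][0] for n in names}
        levels[host] = "high" if len(tactics) > 1 else "medium"
    return levels


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for host, level in severity(hits).items():
        print(f"{host}: {level} ({', '.join(hits[host])})")
```

The point of the per-host tactic count is that none of these tools is malicious on its own: PsExec and ProcDump are legitimate Sysinternals utilities and WmiPrvSE spawns children during normal software deployment, so a single hit on an engineering workstation is a ticket, whereas credential dumping followed by a PsExec hop toward an HMI host is an incident.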
An unidentified hacking group with suspected China ties is targeting critical infrastructure in Southeast Asia as part of a cyberespionage campaign to exfiltrate information about the victims' SCADA systems, says a report by security firm Symantec.
The Microsoft Threat Intelligence Center is attributing the campaign to Hafnium, a state-sponsored hacking group based in China that conducts its operations primarily from leased virtual private servers in the United States. Hafnium targets U.S.-based infectious disease researchers, policy think tanks, higher education institutions, law firms, defense contractors and NGOs in hopes of exfiltrating information.
A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target into giving up sensitive information, for instance your corporate network credentials, or perhaps to authorize some type of financial transaction. The vast majority of data breaches against businesses today begin as phishing attacks.

A couple of famous phishing examples:
- The infamous Target breach back in 2013 started with a phishing email that gave attackers a foothold in Target's business systems for further attacks.
- Phishing appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Some quick phishing statistics:
- Over 55% of organizations experienced a successful phish last year.
- $12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
- The average phishing attack costs a mid-sized business $3.86 million.

Types of Phishing Attacks
Our database has thousands of phishing examples, but most fit into one of these three categories:
- Phishing emails with malicious links: Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.
- Phishing attacks with malicious attachments: Phishing attackers often send emails with attachments containing malware. When you click, look out. Attackers frequently use popular document types such as Microsoft Word or Excel files or Adobe PDFs, taking advantage of the trust people place in everyday business tools.
- Business email compromise (BEC): BEC emails, also known as CEO fraud, typically don't use malware but simply try to manipulate the target into sending money. Traditionally, BEC attacks try to get employees in the finance department to authorize wire transfers, for instance to a "vendor" or "partner." This kind of attack often uses CEO-fraud phishing, in which attackers pretend to be the CEO or CFO to spur quick action.

What Are Phishing Attack Examples Good For?
Phishing attack examples drawn from real phish provide highly useful intelligence that helps security teams pinpoint attacker methods and tactics and protect the business from malware-bearing phish. Because attacker campaigns change quickly, real-world phishing examples are a central component of comprehensive security: they reveal the latest threat actor maneuvers as they are being launched.
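Because BEC carries no malware, the signal lives in the headers and the wording rather than in an attachment: a trusted display name on an address that is not the executive's, a Reply-To that drags the conversation to a free-mail account, a lookalike sender domain, and an urgent request involving money. The following is an added example, not Cofense's code: a mail-gateway style check implementing those four tests over two constructed messages. ORG_DOMAIN and PROTECTED_NAMES are assumptions for the defended organization, and both messages are invented.

```python
"""Added example (not Cofense's code): header and content checks for the
BEC / CEO-fraud pattern, run over constructed messages.
ORG_DOMAIN and PROTECTED_NAMES are assumptions about the defended organization."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                               # assumed: the defended organization
ORG_LABEL = ORG_DOMAIN.split(".")[0]                     # "example", used to spot lookalikes
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}   # assumed: executives worth guarding
MONEY_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|asap|immediately|confidential|right away)\b", re.I)
# Digits attackers substitute for letters in lookalike domains (examp1e -> example).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return the findings for one RFC 822 message plus an overall verdict."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: a protected name on an address that is not theirs.
    expected = PROTECTED_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display_name_spoof")

    # 2. Reply-To pointing at a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")

    # 3. Lookalike sender domain once digit-for-letter substitutions are undone.
    if from_domain != ORG_DOMAIN and ORG_LABEL in from_domain.translate(HOMOGLYPHS):
        findings.append("lookalike_domain")

    # 4. An urgent request involving money, the classic BEC lure.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if MONEY_WORDS.search(text) and URGENCY_WORDS.search(text):
        findings.append("urgent_money_request")

    identity_abuse = {"display_name_spoof", "reply_to_mismatch"} & set(findings)
    if identity_abuse and "urgent_money_request" in findings:
        verdict = "likely_bec"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


# Constructed messages (not real mail).
CONSTRUCTED_BEC = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.jane.doe@gmail.com
To: Bob Finance <bob@example.com>
Subject: Urgent wire transfer - confidential

Bob, I am in meetings all day. Please process a wire to the new vendor
and reply to this email with the confirmation. Jane
"""

CONSTRUCTED_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: Bob Finance <bob@example.com>
Subject: Q3 planning deck

Bob, can you send me the Q3 slides before Friday's review? Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("bec", CONSTRUCTED_BEC), ("legit", CONSTRUCTED_LEGIT)):
        print(label, analyze(raw))
```

The verdict deliberately requires an identity signal (spoofed name or redirected reply) together with the money-plus-urgency wording; either alone is common in legitimate mail, and a gateway that quarantines every "urgent invoice" will be switched off by the finance team within a week.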