BreachExchange mailing list archives

Hacker 'mercenaries' linked to spying


From: Lee J <lee () riskbasedsecurity com>
Date: Thu, 26 Sep 2013 12:22:43 +1000

http://www.stuff.co.nz/technology/digital-living/9213195/Hacker-mercenaries-linked-to-Japan-South-Korea

A small, sophisticated international hacking group was responsible for a
widely publicised 2011 spying attack on members of Japan's parliament as
well as dozens of previously undisclosed breaches at government agencies
and strategic companies in Japan and South Korea, security researchers said.

Researchers at Kaspersky Lab believe they have found a squad of hackers for
hire, who contract out to governments and possibly businesses, in contrast
to recent reports on hacks said to be carried out by full-time government
employees.

"What we have here is the emergence of small groups of cyber-mercenaries
available to perform targeted attacks," said Kaspersky's global research
director, Costin Raiu, in an interview with Reuters.

"We actually believe they have contracts, and they are interested in
fulfilling whatever the contract requirements are," he said.

The espionage against members of the Japanese Diet had been blamed by that
country's officials on Chinese hackers, according to local media, but few
details had been provided. Kaspersky attributed the attack to the new
group. Raiu was unable to say whether the Chinese government was behind or
contributed to the attack.

Logs and other records show that the same group also took aim at some of
the world's biggest shipbuilders, media companies and defense contractors
including Selectron Industrial, although Kaspersky did not say which
attacks had been successful.

Selectron, which supplies US-designed components to defense and industrial
customers in Korea, Japan and elsewhere, had no immediate comment.

Kaspersky said it was working with some of the companies and with law
enforcement in multiple countries.

In a report released on Wednesday, Kaspersky said researchers had won
access to many of the command computers used in the campaigns and that logs
and other material showed a long list of intended victims.

They said that comments within the attack programs and the names of some
internal files were in simplified Chinese, but that members of the group
were also conversant in Japanese and Korean, suggesting a presence in all
three countries.

Servers were discovered in China, Japan, Hong Kong, Taiwan, Korea and the
United States.

Hacking teams often suck up enormous amounts of data with little
discrimination over long periods, aiming to filter through the trove
afterwards, according to reports on suspected state-sponsored electronic
espionage.

But this team acted with great precision, targeting specific documents or
log-in credentials and then leaving the victimized network within weeks.

The report by Moscow-based Kaspersky follows a September 17 research paper
by Symantec Corp that blamed a separate, larger Chinese group for well-known
attacks on Google, EMC's RSA division, and Adobe Systems.

Kaspersky dubbed the new campaign IceFog, after the name of one of the
control servers, and said attacks typically began with emails tailored to a
specific person at a victim company.

Microsoft Word or other attachments, once opened, allowed direct access to
the attackers, who then roamed the network looking for blueprints or other
treasure. The multiple security holes that were used were previously known,
but the systems had not been patched.

There were a few dozen victims who used Windows, Raiu said. A Mac variant
of the same malicious software was detected in thousands of infections, but
was spread casually on a Chinese-language bulletin board, perhaps as a
test. He said there was no evidence that any of the Mac victims had files
copied and removed.

The hackers have changed their attack software in the past two years,
leaving fewer clues to what was done, Kaspersky said.

The objectives of the customers appeared to vary. In one case, the detailed
budget for a national army was sought, Kaspersky said, declining to name
the army. In other cases, product blueprints were sought.

Raiu saw no evidence of tampering or destruction, only the removal of
sensitive information.