New Cyberespionage Attack Targets Russia

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240144243/new-cyberespionage-attack-targets-russia.html

By Kelly Jackson Higgins
Dark Reading
Dec 11, 2012

China is often considered synonymous with cyberespionage, but what about 
Korea? A new targeted attack campaign with apparent Korean ties has been 
stealing email and Facebook credentials and other user-profile 
information from Russian telecommunications, IT, and space research 
organizations.

FireEye says the so-called "Sanny" attacks appear to indicate that Korea 
may be home to the command-and-control and other communications for the 
malware. Researchers didn't specify whether either North or South Korea, 
but say that around 80 percent of the victims in the attacks are Russian 
organizations.

Ali Islam, security researcher for FireEye, says it's possible that 
Korea is being used a proxy for the attack. But there are a few clues of 
a Korean connection: the SMTP email server and command and control 
servers are based in Korea; the "Batang" and KP CheongPong" fonts used 
in the lure documents are Korean; a Korean message board is used for the 
C&C; and the Yahoo email account used in the attacks, "jbaksanny" is 
connected to an empty Korean Wikipedia page created by a user named 
Jbaksan.

"We believe both countries [North and South Korea] have cyberattack 
capabilities. The attacker has done a great job of hiding his/her self 
by choosing a public forum as normally with APTs --in contrast to normal 
malware-- you don't need a long-lasting CnC," Islam says.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org