Kaspersky Lab has discovered a years-long cyber-espionage operation that victimized hundreds of high-profile targets in 40 countries. The malware, known as NetTraveler, was used for covert computer surveillance and appears to have originated in China.
The Kaspersky Global Research and Analysis Lab best known for
exposing Flame and Stuxnet - sophisticated spywares launched by
the US government - has uncovered a global cyber-espionage
network targeting the world's diplomatic, government and military
agencies.
In a report published on June 4 the malware that especially
targeted Asian countries was identified as an “advanced
persistent threat” similar to the Red October unveiled in
January.
“Based on the collected intelligence, we estimate the
[controlling] group side to about 50 individuals, most of which
speak Chinese natively and have working knowledge of the English
language,” the report said.
However, nowhere in the Kaspersky report is the Chinese
government accused of any wrongdoing and only speculation links
China to the infection software.
According to the report, NetTraveler was designed to "steal
sensitive data as well as log keystrokes, and retrieve file
system listings and various Office or PDF documents.”
The amount of stolen data discovered on the malware’s
command-and-control servers exceeded 22 gigabytes, with that
being a small fraction of the total data stolen since the rest of
it was previously downloaded by the attackers and deleted from
the servers.
The countries most frequently targeted by NetTraveler – Russia,
India, Mongolia, Kyrgyzstan, and Kazakhstan – all border China.
The first evidence of NetTraveler appeared in 2004, but the
report said the most attacks came between 2010 and 2013.
Diplomats were targeted most often, followed by government
workers, and high-level private officials then international
military contractors. Tibetan/Uyghur activists and oil industry
companies also ranked among the favorite targets.
The hackers did not use any advanced vulnerabilities and relied
on phishing attacks, which often distribute infected links via
email or social media.
“NetTraveler victims get infected through spear-phishing
attacks using Office documents which exploit two publicly known
vulnerabilities,” the report states with analysts surprised
that such unsophisticated attacks can still be successful with
high profile targets. “Although these vulnerabilities have
been patched by Microsoft, they remain effective and are among
the most exploited in targeted attacks.”
The researchers discovered that at least six NetTraveler targets
– a Russian military contractor, a government organization in
Tajikistan, and embassies in Belgium, Iran, Kazakhstan, and
Belarus – were previously hacked by the Red October campaign that
was likely launched from Eastern Europe. Kurt Baumgartner, a
senior security researcher for the Americas on the Global
Research and Analysis Team at Kaspersky, told DarkReading.com the
attempts from separate phishing schemes indicates those locations
are highly valued.
“Threat actors infiltrate victims simultaneously and may or
may not be concerned about victim overlap,” he said. “Most
likely, with these two groups in particular, the operators have a
specific set of tasks at the victim organizations. If they happen
to see another piece of malware on the target network, and it
doesn’t interrupt their operation, they just go back to
completing their assignments.”