THE EMPIRE STRIKES BACK
How APT actors fight each other for control
Costin G. Raiu

I FLY A LOT, HOW ABOUT YOU?
Recent flight tragedies: MH17, QZ8501, MH370, 4U9525

CYBERCRIMINALS ARE QUICK TO EXPLOIT TRAGEDIES
• Cybercriminals take advantage of news to launch phishing attacks
• Such news includes hurricanes, earthquakes, tsunamis, terrorist attacks or other tragedies
• The goal is to trick people looking for news into opening malicious emails and documents

NAIKON: MH370 ATTACKS
• The Naikon group is an APT that is very active in Asia
• We’ve noticed a spike in the number of Naikon attacks against the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore and Nepal
• Naikon was quick to exploit the MH370 tragedy
• It launched a massive campaign to attack other nations in APAC, notably those involved in the search for MH370

NAIKON SPEAR-PHISHING
Hundreds of emails were sent.

AFFECTED PARTIES IN VARIOUS COUNTRIES
• Office of the President
• Navy Forces
• Armed Forces
• Office of the Cabinet Secretary
• National Security Council
• Office of the Solicitor General
• National Intelligence Coordinating Agency
• Civil Aviation Authority
• Department of Justice
• National Police
• Presidential Management Staff
Several hundred victims; thousands of documents stolen.

THE VICTIM ASKS… THE ATTACKER REPLIES A BIT LATER…
[Screenshots of the email exchange; the reply carries an attachment named “Directory of … Mar 31, 2014.scr”]

THE “HELLSING” APT
• Active since ~2012
• Spear-phishing: archives, SCR files
• Main interests: APAC nations
• No financial gain, pure intelligence gathering
• Probably nation-state sponsored

Targets in Country “A”, Country “B” and Country “C”:
• Ministry of Foreign Affairs
• Ministry of Tourism and Culture
• Immigration Department
• Office of the President
• National Economic and Development Authority
• Society for Quality
• Ministry of Foreign Affairs
+ Embassies, ASEAN, etc.

ATTACK ANALYSIS – “HELLSING”

AM I AT RISK?
Risk factors:
• Do you receive and read hundreds of emails, open attachments?
• Do you work for/with governments in APAC?
• Have you received suspicious .scr files?
• Inside RAR/ZIP archives, with password?
To find out if you’re infected:
• Use our IOCs document
• All Kaspersky Lab products detect the Hellsing actor

PREVENTION MEASURES (GENERAL)
• Educate employees on how to avoid being ‘socially engineered’
• Use strong anti-malware suites and best practices
• Use separate laptops for travel
• Don’t update software while traveling
• Use VPNs
• Use strong and unique passwords for each website
• Default-deny policies stop many APTs dead in their tracks

CONCLUSION
• Welcome to APT wars!
• Attack / counterattack mentality
• Goals: attribution, counter-intelligence gathering
• Are they really advanced? No
• Are they really a threat? Yes!
Prediction: we’ll see more APT wars in the near future.

QUESTIONS?
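The risk factors above (SCR files delivered inside password-protected ZIP archives) can be checked at the mail gateway without opening the archive. The following is an added example, not code from the deck or from Kaspersky Lab: it reads only the ZIP central directory, flags executable members and the encrypted-entry flag, and the sample archive, its member name and the mark_encrypted fixture are constructed for the demonstration.

```python
import io
import zipfile

# .scr (screensaver) is the type the lures used; the others are the same PE format.
SUSPICIOUS_EXTENSIONS = (".scr", ".exe", ".pif", ".com")

def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment's central directory without extracting anything.
    Flags executable members, space-padded names, and the 'encrypted' flag
    (password-protected archives hide their contents from gateway scanners)."""
    findings = {"executables": [], "encrypted": False, "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "not-a-zip"
        return findings
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001:          # bit 0: entry is encrypted
                findings["encrypted"] = True
            name = info.filename.lower()
            # Runs of spaces before the extension push ".scr" out of view in a
            # mail client's attachment list (heuristic, an assumption here).
            padded = "          " in name
            if name.endswith(SUSPICIOUS_EXTENSIONS) or padded:
                findings["executables"].append(info.filename)
    if findings["executables"]:
        findings["verdict"] = "suspicious"
    elif findings["encrypted"]:
        findings["verdict"] = "review"           # contents unknown, check by hand
    return findings

def build_sample_zip(member_name: str) -> bytes:
    """Constructed fixture: a ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"plain text, not a real screensaver")
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set bit 0 of the flags field in each local header
    (offset 6) and central-directory entry (offset 8) so the archive reads as
    password-protected. zipfile cannot write real encryption, only the bit changes."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x01
            i = b.find(sig, i + 1)
    return bytes(b)
```

RAR archives need a different parser, but the same two signals (executable member name, encrypted-entry flag) apply.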