DragonFly, Cosmic Duke and Pitty Tiger: From State-Sponsored Espionage to Campaign of Independent APTs
Cyber espionage is one of the most aggressive cyber threats for private companies and government entities. In recent years, the number of cyber attacks having this finality has increased as never before. Unfortunately, the security community is able to detect just a small part of the overall cyber attacks due to the difficulties in uncovering them. In some cases, the victims totally ignore that an external attacker has compromised their systems.
Cyber attackers ranging from cyber criminals to state-sponsored hackers are adopting techniques that are even more sophisticated. In many cases, cyber espionage operations go on for several years before they are uncovered, with devastating consequences for the victims. The last few months have been characterized by reciprocal accusations of espionage between China and the US. Both governments have significant cyber capabilities to compromise computer networks of any foreign state, stealing sensitive and top secret information and data related to intellectual property of private companies.
In May, the United States charged five Chinese military (China’s People’s Liberation Army) officers and accused them of hacking into computers of American companies in the energy sector to steal trade secrets and intellectual property.
Last week, researchers at CrowdStrike revealed that a group of hackers, members of the hacking team dubbed Deep Panda, is targeting US think thank firms with significant knowledge on the Iraqi situation. The circumstance confirms the high propensity of Chinese authorities in cyber espionage as a primary practice for the intelligence operation. Every industry is daily targeted by Chinese hackers, according to reports produced by principal security firms like Mandiant-Fire Eye and CrowdStrike. Bad actors behind the operation aren’t only state-sponsored hackers; cyber criminals also operate with the intent to sell stolen data or offer hacking as a service to their clients.
Recently the New York Times reported that a senior American official has revealed that a group of Chinese hackers violated the computer networks of a United States government agency in March. Also in these cases the investigators blame Chinese-based hackers who accessed the files of thousands of federal employees who have applied for top-level security clearances.
“Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances,” states the NYT.
The data exposed during the attack includes the list employees’ foreign contacts, personal information and previous jobs. Alleged Chinese hackers gained access to some of the databases managed by the Office of Personnel Management. The official confirmed that the incident has been assigned to an emergency response team “to assess and mitigate any risks identified.”According to the NYT, the cyber attack is very disturbing due to the target chosen by hackers. The media agency refers to a system called e-QIP used to archive personal information, including financial data, on federal employees having security clearances.
Figure – Most targeted industries in 2013 (Mandiant-FireEye)
“Federal employees who have had security clearances for some time are often required to update their personal information through the website. The agencies and the contractors use the information from e-QIP to investigate the employees and ultimately determine whether they should be granted security clearances, or have them updated,” states the NYT.
This is just one of the numerous cyber attacks uncovered this year. China and the US aren’t unique players in cyberspace. Other governments like the UK, Russia, North Korea and Iran are considered persistent collectors by principal intelligence agencies.
Another interesting aspect in the current threat landscape is the menace related to hacktivism. A growing number of governments and private companies are attacked by collectives of hackers like Anonymous with the intent to steal and publicly disclose highly confidential data. In this post we will analyze together some of the most interesting cases of cyber espionage that have occurred in the last few months. Some of the are likely to be arranged by state-sponsored hackers, meanwhile others are attributed to emerging APTs.
From Miniduke to CosmicDuke
In the beginning was MiniDuke
In February 2013, security experts from Kaspersky Lab discovered one of the most interesting cyber espionage campaign, dubbed MiniDuke, which targeted governments, private businesses, embassies, think tanks, research institutes, healthcare providers, and intelligence agencies all over the world. The bad actors behind the cyber attacks were interested in stealing sensitive information and intellectual property from victims.
Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security, also known as CrySyS, discovered that dozens of computers in government agencies across Europe were hit by unknown hackers in a series of cyber attacks that exploited an Adobe Reader 0-day exploit (CVE-2013-0640) which was used to drop a previously unknown, advanced piece of malware. The exploitation of the vulnerability allows a remote attacker to execute arbitrary code or cause a Denial of Service (memory corruption) via a crafted PDF document, exactly the attack scenario observed by the researchers. The attack scheme consolidated: hackers sent victims PDF documents tainted with malware.
The experts observed several new, unusual incidents using the same exploit, so they decided to start the investigation. The new malware was initially dubbed “ItaDuke” because it reminded researchers of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Aligheri’s Divine Comedy.
Analyzing the logs from the command servers, security researchers found 59 unique victims in the following 23 countries:
Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.
“This is a unique, fresh and very different type of attack … the technical indicators show this is a new type of threat actor that hasn’t been reported on before,” said Kurt Baumgartner, senior researcher at Kaspersky Lab.
The complexity of MiniDuke and the nature of the targets chosen lead security experts to think that bad actors were state-sponsored hackers, but no hypothesis was formulated on the nationality of the attackers.
“Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine, they can fetch a larger backdoor which carries out the cyber espionage activities, through functions such as copy file, move file, remove file, make directory, kill process and of course, download and execute new malware and lateral movement tools.
The final stage backdoor connects to two servers, one in Panama and one in Turkey to receive the instructions from the attackers. The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines” states the post on the Secure List blog.
Looking at the following image, it is possible to see that the backdoor coding style reminded experts of a malware writing group which is believed to be extinct: 29A. The value 29A in hex means 666, exactly the clue left in the code.
Figure – Clue collected by investigators
“29A published their first malware magazine in December 1996 and were active until February 2008, when ‘Virusbuster’, the last standing man announced the group’s dismissal.”
Below is the tweet sent by Constin Raiu, director at Kaspersky in MiniDuke.
Figure – Tweet from Kaspersky Lab leader
To give you the perception of the level of sophistication of the cyber threat, consider that victims were not aware of any cyber attacks against their systems since the discovery made by Kaspersky. The Czech counterintelligence agency BIS declared to Reuters that they haven’t noted suspicious activities on Czech institutions from abroad recently.
The unique security firm that noticed suspicious activities was FireEye, which detected a new malicious agent able to infect machines by circulating compromised PDFs via email.
Another interesting particular of the attack is the way the attackers were controlling the botnet. The author of the malware used a principal mechanism and a backup process in case of emergency.
The principal mechanism was based on the use of Twitter as platform to control the MiniDuke instances. The attackers used Tweets sent from specific Twitter accounts to send the command to the bot. The technique was not new and it’s very efficient due to the ability to hide “malicious traffic” to defense systems.
Figure – Miniduke command sent via Twitter
The backup mechanism implemented by attackers was also very smart. If MiniDuke is not able to receive Tweets, it executes Google searches to receive orders from C&C servers.
One year later … CosmicDuke
Exactly one year later, security researchers at F-Secure made the worrying discovery while they were analyzing a collection of documents used by attackers from a large batch of potential MiniDuke samples. The researchers created an automated tool for extracting the payloads when they noticed several files that had references to Ukraine, involved during this period in a diplomatic dispute with Russia after the Crimean Crisis. It is essential to clarify that the examples analyzed were old and aren’t related to a new series of attacks.
“These examples were found by mining old samples. The cases above are from 2013. So far, we haven’t found Ukraine-related MiniDuke samples that would have been used in 2014,” reported F-Secure.
“To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area,” reported Mikko Hypponen, the CTO of security research firm F-Secure.
The documents explicitly refer to political issues like the recent crisis in the Ukraine or NATO informative in the attempt to circumvent the victims. F-Secure reported, for example, the existence of a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine.
“The letter is addressed to the heads of foreign diplomatic institutions in Ukraine. When translated, it’s a note regarding the 100th year anniversary of the 1st World War,” states Hypponen.
Figure – Document analyzed by F-Secure
The document seems to confirm that bad actors behind the campaign have had access to the Ukrainian Ministry of Foreign Affairs, anyway that they have a familiarity with the local language. It’s difficult to speculate on the responsibility of the attacks and the real nature of the attackers, as explained by F-Secure:
“We don’t know where the attacker got this decoy file from … We don’t know who was targeted by these attacks. We don’t know who’s behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”
In April 2014, The experts at F-Secure identified another malware family that was using the same loader as MiniDuke stage 3. The malicious code is an information-stealer belonging to the Cosmu malware family. Cosmu malware has been around for years, but the analysts made an interesting discovery on the loader adopted by the attackers.
Researchers analyzing MiniDuke loaders were surprised to notice that the malicious executable being decompressed and loaded into memory was very similar to the Cosmu family of information-stealers. This means that Cosmu is the first malware family that experts have seen to share code with MiniDuke.
“Moreover, we found that the loader was updated at some point, and both malware families took the updated loader into use. Since Cosmu is the first malware known to share code with MiniDuke, we decided to name the samples showing this amalgamation of MiniDuke-derived loader and Cosmu-derived payload as CosmicDuke,” states the official post from F-Secure.
The malware researchers concentrated their efforts on the study of Cosmu samples that share code with MiniDuke, discovering that some of these are older than the oldest publicly documented MiniDuke samples, implying that the shared code might have been originally used by Cosmu, not MiniDuke.
Figure – MiniDuke-Cosmo loader analysis
The experts noticed that the code used by CosmicDuke to exploit the CVE-20110611 vulnerability appears to be derived from this proof of concept code that was made available in early 2011:
The discovery opens new interesting scenarios for intelligence analysts. Bad actors behind the CosmicDuke campaign specifically crafted filenames and content files to lure victims that, in the case of the sample analyzed by F-Secure, are located in Ukraine, Poland, Turkey, and Russia. The CosmicDuke gang used the language of the targets and included details and information related to specific events of interest for victims.
The CosmicDuke campaign targeted Windows machines. Victims were lured into opening a malicious PDF file containing an exploit or a Windows executable whose filename is crafted to appear like a legitimate document or image file. Once the victim opens CosmiDuke malware, the attacker is able to remotely control the targeted machine, and as many other similar data-stealers, the malicious code includes a keylogger, a screen grabber, password stealers for several instant messaging platforms, e-mail and web browsing programs, and clipboard stealer.
Figure – CosmicDuke attack scenario
As explained by the experts at F-Secure in a report on the CosmicDuke campaign, the malware also allows the attacker to drop and execute further malicious codes on the infected systems. Another interesting feature is the capability of CosmicDuke to steal digital certificates.
“Cosmu exports certificates and, if available, the associated private keys from system store by calling PFXExportCertStoreEx. The malware uses the password ‘saribas’ to encrypt the exported data,” states the report.
Once CosmicDuke collects the information, it is sent out to remote servers via FTP.
According to the investigation conducted by Kaspersky Lab, hackers behind MiniDuke were extending their espionage activities in Azerbaijan, Greece and Ukraine.
Figure – CosmicDuke map from Kaspersky
I have found very interesting the results of the investigation conducted by experts of Kaspersky Lab. The team of researchers was able to study a Command and Control server used in the CosmicDuke campaign. The researchers discovered that the servers were used not only to control the bot on the infected machine, but also to conduct other hacking operations. The C&C server was hosting a collection of publicly available hacking tools for scanning targets and compromising them.
The experts at Kaspersky Lab also highlighted that while the old style MiniDuke campaign mainly targeted government entities, the new wave of attacks based on CosmicDuke also hit diplomatic organizations, the energy sector, telecom operators, military contractors, and individuals involved in the traffic and selling of illegal and controlled substances like steroids and hormones.
“It’s a bit unexpected – normally, when we hear about APTs, we tend to think they are nation-state backed cyber espionage campaigns. But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called ‘legal spyware’ tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other,” commented Vitaly Kamluk, Principal Security Researcher at the Global Research & Analysis Team, Kaspersky Lab.
CosmicDuke servers had a long list of victims (139 unique IPs) starting from April 2012. Its presence was observed all over the world including Georgia, Russia, US, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania.
Who is behind the CosmicDuke campaign?
As usual, the problem of attribution is hard to solve. Security experts used to collect information that could help them to profile the attackers. The language used by hackers in the source code of malicious agents and working days/working hours of the bad actors could provide further information on the attackers. The malware specialists verified that attackers use English in several parts of the source code, but there are some strings (e.g. www.mirea.ru, e.mail.ru, gmt4, c:documents and settingsвладимирlocal settings…) in a block of memory appended to the malware component used for persistence which led experts believe they are not native English speakers. Analyzing the daily activities of the bad actors, the experts discovered the bad actors behind MiniDuke/CosmicDuke follow the classic working time Mon-Fri, being operative between 6am-7pm GMT.
Figure MiniDuke/Cosmic Duke Working Days
Figure – MiniDuke/CosmicDuke working hours
The Dragonfly Campaign
One of the most disconcerting truths related to cyber espionage is that bad actors don’t exclusively address data stored in databases or networks of their victims. Attackers are also targeting critical infrastructure for espionage and sabotage.
The energy sector is within the most targeted industries. According to security experts, more than one thousand companies in Europe and North America are constantly under attack. Contrary to what is commonly believed, ICS/SCADA systems are the privileged targets of cyber attacks.
Security firm F-Secure was one of the first companies to trigger the alert. A few weeks ago its experts discovered a series of attacks on different industry sectors based on the Havex Malware family. Havex is a general purpose Remote Access Trojan (RAT) which uses a server written in PHP.
Figure – Havex source code
“This adversary uses two primary implants: one dubbed HAVEX RAT by CrowdStrike and another called SYSMain RAT. These implants are closely related with several TTP overlaps and clear code reuse, particularly within secondary tools associated with the HAVEX RAT. It is possible that the HAVEX RAT is itself a newer version of the SYSMain RAT, although both tools are still in use concurrently and have been operated by the attackers since at least 2011. The investigation into this actor uncovered more than 25 versions of the HAVEX RAT, with build times up to October 2013. Each version will install itself as DLL with a name beginning ‘TMPprovider’, such as TMPprovider037.dll for version 37,” reported a blog post published by Crowstrike security firm.
Experts at F-Secure detected an anomalous use of the Havex malware in a series of attacks on Industrial Control Systems (ICS). The cyber criminals customized the popular RAT. The attackers have trojanized the software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed.
The attacks detected by the experts appeared as surgical operations. Bad actors adopted the “watering-hole attack” scheme which involved ICS vendor site as intermediary target. The SCADA vendors targeted by the Havex campaign are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems, and the third one develops high-precision industrial cameras and related software. F-Secure isolated instances of Havex which include a data-harvesting component. This circumstance suggests that the criminals behind the campaign were interested in collecting information on the ICS/SCADA systems in the targeted infrastructure.
“Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet … Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet,” states F-Secure.
The Havex RAT is distributed at least through the following channels:
Trojanized installers planted on compromised vendor sites
This circumstance is very critical due to the numerous problems related to the patch management for the system used in critical infrastructure, for which administrator privileges favor the H24 availability instead of security. The security experts isolated 88 different instances of Havex RAT used to infect network hosting ICS systems. According to F-Secure its team has analyzed 146 command and control (C&C) servers and traced nearly 1500 IP addresses. The majority of the victims is located in Europe, and it includes educational institutions, industrial application or machine producers, and companies that specialize in structural engineering. Once it has infected the targeted system, the trojanized software installer will drop and execute the malicious code, which allows the attacker to install a backdoor to gain complete control of the PC.
A few days later, security experts at Symantec confirmed the existence of ongoing cyber espionage campaigns targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland, They dubbed the bad actors behind the attacks the “Dragonfly” gang.
Figure – Dragonfly target distribution
Different from the popular Stuxnet virus, which was primarily designed for sabotage purposes, the malware used by Dragonfly gangs were designed to allow espionage and persistent access to the targeted systems. The attackers are demonstrating a primary interest in data exfiltration from targeted industrial systems. Despite that the motivation for such attacks is still unclear, the experts at Symantec suspect that Dragonfly APT is a state sponsored group of hackers.
The Dragonfly group, also know by other vendors as Energetic Bear, seems to have been operating since at least 2011, when it targeted defense and aviation companies in the US and Canada. Only in a second phase has Dragonfly focused its efforts on US and European energy firms in early 2013.
Symantec promptly informed the victims and national authorities, including Computer Emergency Response Centers (CERTs).
“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries,” states a blog post from Symantec.
Dragonfly hit energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers with its cyber espionage campaign.
Also in this case, bad actors behind Dragonfly have used different attack techniques, including watering hole attacks, spear-phishing emails and trojanized ICS software updates as observed in the case of Havex RAT.
According to Symantec, the Dragonfly gang is well resourced, and it can count on numerous malicious tools to conduct its campaign. The two main malware tools used by atatckers are the Backdoor.Oldrea and the Trojan.Karagany.
“Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers,” states Symantec.
Small Emerging Groups, Worrying Cyber Threats
Although cyber espionage is usually conducted by a well-structured group of hackers with high cyber and financial capabilities, a worrying phenomenon has grown in the last years; groups of hackers, apparently not linked to governments nor to large criminal organizations, are conducting dangerous and efficient cyber operations, which usually target private entities to steal intellectual property.
This is the consecration of the model of sale known as hacking-as-a-service. Groups of hackers offer for sale/rent their hacking products/services to private companies and other criminal gangs that intend to hit their competitors or any other target.
Security experts at AIRBUS Defence & Space – CyberSecurity unit have recently disclosed the results of their investigation on a new APT dubbed Pitty Tiger involved in a cyber espionage campaign which targeted mainly private companies. The victims belong to different sectors, from telco to defense, and also at least one government.
The principal problem for cyber espionage campaigns is that they go undetected for years, causing serious problems to the victims. In this specific case, the Pitty Tiger group has been active since at least 2011. The Pitty Tiger group has the ability to stay under the radar, but that is not considered as mature as other ATPs monitored by the AIRBUS Defence & Spaces team. For this reason, the experts don’t believe that Pitty Tiger is a state-sponsored group of attackers.
According to the revelation made by the analysts, the group is an opportunistic collective that sells its services to probable competitors of their targets in the private sector. It is likely that the Pitty Tiger group is a small team compared to other APT groups, and also the number of targeted entities is limited.
The bad actors behind the Pitty Tiger group have used many different malware from their arsenal. Some of them were developed by the APT for its exclusive usage, but they haven’t exploited any 0-day vulnerability.
“The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment. The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware. The Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons. They have also been seen using the HeartBleed vulnerability in order to directly get valid credentials,” reports the blog post published by AIRBUS.
The malicious codes used by the hacking team are:
MM RAT (aka Troj/Goldsun-B)
Paladin RAT (a variant of Gh0st RAT)
Figure – Pitty Tiger APT
Who is exactly behind an APT campaign?
It is very difficult to understand it, but the analysis of the following indicators seems to confirm the Chinese origin of the Pitty Tiger team:
Several Chinese vulnerability scanners have been launched against targets;
Several Chinese tools have been used and found on the c&c servers of the attackers: 8uFTP, a Chinese version of calc.exe, etc.;
Two of the used RATs have been developed by the same developers: CT RAT and PittyTiger RAT. The controllers for these RATs show Chinese language;
Several binaries used by the attackers show either “Chinese – China” or “Chinese-Taiwan” language ID in their resources;
A decoy Word document has been found, written in Chinese language;
The IP addresses used for the hosting of the c&c domains are mainly located in Taipei (Taïwan) and Hong Kong City (Hong Kong Special Administrative Region, PRC).
A report has been published on the specific APT. The document provides indicators of compromise which could be used by security experts for the identification of further operations of the Pitty Tiger team.
Cyber espionage is considerably one of the most dangerous cyber threats. The impact of espionage campaigns on government entities and private companies is causing serious damages. The security of targets is menaced by continuous incursions of hackers with different motivations.
In this post, we have first examined campaigns that are likely attributable to state sponsored hackers, and we also mentioned the operations of independent groups of hackers.
Cyber espionage conducted by state sponsored hacking is considered very dangerous due to financial support provided by governments, which recruit skilled professionals. In these contexts, the most dangerous cyber espionage tools are designed to ensure to the attackers a persistent presence on the compromised infrastructures going undetected for a long time, for example exploiting a zero-day flaw in the attacks.
As explained in the last part of the post, another worrying phenomenon is the emergence of small groups of cyber criminals which are offering hacking services to private companies and other criminal gangs.
The groups in many cases are involved in cyber espionage campaigns like the Pitty Tiger APT that mainly target private industries.
I consider the operation of such groups dangerous exactly like more mature APTs, which is why information sharing and threat intelligence are crucial activities to mitigate the incoming cyber threats.