APT (Targeted attacks)

The Naikon APT was one of the most active APTs in Asia. The attackers targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China. For years they have mined victims, apparently in search of geo-political intelligence.

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

There is currently some buzz about the Volatile Cedar APT activity in the Middle East, a group that deploys not only custom built RATs, but USB propagation components, as reported by Check Point.

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

EquationDrug represents the main espionage platform from the Equation Group. It’s been in use for over 10 years, replacing EquationLaser until it was itself replaced itself by the even more sophisticated GrayFish platform.

Over the years we have tracked multiple campaigns by an advanced threat actor we call Animal Farm. The group has targeted a wide range of global organizations.

Security researchers recently announced that that the official website for the Korean Central News Agency of the Democratic People’s Republic of Korea has been serving malware disguised as a Flash Player update.

In 2009, an international scientific conference was held in Houston. The organizers sent out a post-meeting CDROM. The disk used in the Houston attack represents a rare and unusual operation for the Equation Group.

In this post, let’s examine several additional plugins more closely, targeting details around BE2 Siemens exploitation, and some of their unusual coding failures.

The Desert Falcons are a new group of Cyber Mercenaries operating in the Middle East; there are more than 3,000 victims in 50+ countries around the world, more than 1 million files were stolen including diplomatic, military and financial documents.

During our 2014 research into the Equation group, we created a special detection for the group’s exploitation library, codenamed “PrivLib”. To our surprise, this detection triggered a worm from 2008 that used the Stuxnet LNK exploit to replicate, codenamed Fanny.

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. It is probably one of the most sophisticated cyber attack groups in the world.

The main difference with other APT attacks is that Carbanak attackers do not see data but money as their primary target. Losses per bank range from $2.5 million to approximately $10 million. Carbanak is the most successful criminal cyber campaign we have ever seen.

Spiegel.de provided a copy of a malicious program codenamed “QWERTY”, supposedly used by several governments in their CNE operations. Looking at the code closely, we conclude that the “QWERTY” malware is identical in functionality to the Regin 50251 plugin.