APT (Targeted attacks)

During our 2014 research into the Equation group, we created a special detection for the group’s exploitation library, codenamed “PrivLib”. To our surprise, this detection triggered a worm from 2008 that used the Stuxnet LNK exploit to replicate, codenamed Fanny.

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. It is probably one of the most sophisticated cyber attack groups in the world.

The main difference with other APT attacks is that Carbanak attackers do not see data but money as their primary target. Losses per bank range from $2.5 million to approximately $10 million. Carbanak is the most successful criminal cyber campaign we have ever seen.

Spiegel.de provided a copy of a malicious program codenamed “QWERTY”, supposedly used by several governments in their CNE operations. Looking at the code closely, we conclude that the “QWERTY” malware is identical in functionality to the Regin 50251 plugin.

Kaspersky Lab would like to alert users in the Middle East for new malware attacks being delivered through Syrian news and social networking forums.

Perhaps one of the most interesting things we observed in the Regin malware operation are the forgotten codenames for some of its modules. We decided to analyse two of these modules in more detail.

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.

Several days ago, our products detected an unusual sample from the Destover family.

The end of the year is traditionally a time for reflection – for taking stock of our lives before considering what lies ahead. We’d like to offer our customary retrospective of the key events that shaped the threat landscape in 2014.

In November 2014, an interesting malicious sample was uploaded to a multiscanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle.

This week, for the first time ever, the FBI issued a media FLASH to warn businesses about the destructive wiper activity that was used in the attack on Sony Pictures Entertainment.

Following the release of our report on the Regin nation-state cyber operation, questions were raised about whether anti-malware companies deliberately withheld information – and detections – at the request of governments and customers.

A sophisticated group known as Regin has targeted high-profile entities around the world. Regin is one of the most sophisticated attack platforms we have ever analysed. The ability to penetrate and monitor GSM networks is the most unusual aspect of these operations.

Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014. Our solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts.

We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm’s different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became “patients zero” (the original, or zero, victims).