APT (Targeted attacks)

This year, the actors behind NetTraveler celebrate 10 years of activity. For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.

“Machete” is a targeted attack campaign with Spanish speaking roots. Most of the victims are located in Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain. Targets include high-level profiles, including intelligence services, military, embassies and government institutions.

GreAT has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files.

Over the last 10 months, we have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. We observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies.

Kaspersky Lab products detected and neutralized a total of 995,534,410 threats in the second quarter of 2014. 927,568 computers running Kaspersky Lab products were attacked by banking malware. 65,118 new malicious mobile programs were detected. 2033 mobile banking Trojans were detected in this period, 1.7 times more than last quarter.

Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010.

Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers.

In 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed “Miniduke”.

Microsoft seized 22 domains previously owned by Vitalwerks, company behind dynamic dns service NO-IP

More than a year has passed since the release of our last article on HackingTeam, the Italian company that develops a “legal” spyware tool known as Remote Control System, or short, RCS.

Syria suffered yet another large-scale Internet black out that lasted for about seven hours. In contrast to previous incidents this time a cut off fiber optic cable was deemed responsible for leaving most of the country off-line.

The past few days has seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services. One of the main conclusions also pointed out by research from BAE SYSTEMS, is a connection between the authors of

The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).

During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask”.

During our monitoring of the Icefog attackers, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, further to be referenced as “Javafog”.