APT (Targeted attacks)

Spiegel.de provided a copy of a malicious program codenamed “QWERTY”, supposedly used by several governments in their CNE operations. Looking at the code closely, we conclude that the “QWERTY” malware is identical in functionality to the Regin 50251 plugin.

Kaspersky Lab would like to alert users in the Middle East for new malware attacks being delivered through Syrian news and social networking forums.

Perhaps one of the most interesting things we observed in the Regin malware operation are the forgotten codenames for some of its modules. We decided to analyse two of these modules in more detail.

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.

Several days ago, our products detected an unusual sample from the Destover family.

The end of the year is traditionally a time for reflection – for taking stock of our lives before considering what lies ahead. We’d like to offer our customary retrospective of the key events that shaped the threat landscape in 2014.

In November 2014, an interesting malicious sample was uploaded to a multiscanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle.

This week, for the first time ever, the FBI issued a media FLASH to warn businesses about the destructive wiper activity that was used in the attack on Sony Pictures Entertainment.

Following the release of our report on the Regin nation-state cyber operation, questions were raised about whether anti-malware companies deliberately withheld information – and detections – at the request of governments and customers.

A sophisticated group known as Regin has targeted high-profile entities around the world. Regin is one of the most sophisticated attack platforms we have ever analysed. The ability to penetrate and monitor GSM networks is the most unusual aspect of these operations.

Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014. Our solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts.

We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm’s different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became “patients zero” (the original, or zero, victims).

For the past seven years, a strong threat actor named Darkhotel, also known as Tapaoux, has carried out a number of successful attacks against a wide range of victims from around the world. It employs methods and techniques which go well beyond typical cybercriminal behavior.

The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year.

This year, the actors behind NetTraveler celebrate 10 years of activity. For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.