Feeds

Cyberspy attacks targeting Russians traced back to UK and US

Re-writing the script

Internet Security Threat Report 2014

Security researchers at Trend Micro have discovered a sophisticated cyberspy network geared towards attacking systems in Russia and neighbouring countries.

Cyberespionage efforts against either human rights activists or high-tech Western firms have been going on for a few years. Examples include the Operation Aurora attacks against Google and more recent attempts to hack into the networks of defence contractors such as Lockheed Martin and Mitsubishi Heavy Industries.

Many of these attacks are blamed on China, an accusation the country routinely denies, in part by arguing that it is a victim rather than a perpetrator of such attacks.

The so-called Lurid attacks identified by Trend Micro have hit 47 victims including diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in 61 different countries. But what really sets the attacks apart is that most of the victims are in Russia, Kazakhstan and Vietnam instead of the US or Western Europe. Curiously the common servers running the attack are located in the UK and US.

The Lurid Downloader (AKA Enfal Trojans) that features in the attack has previously been used against Western victims and the Tibetan community. This time around the malware is been pushed towards potential victims using either booby-trapped Adobe files or .RAR archive files containing Trojan code that poses as a screensaver. The attack relies of well-known vulnerabilities, one of which dates back to 2009, rather than zero-day attacks.

Infected systems phone home to command-and-control servers and upload particular documents and spreadsheets. Although Trend does not have access to the contents of files, it has determined the type of data beamed back to base in the more than 1,400 files extracted in the attacks.

"Although our research didn’t reveal precisely which data was being targeted by the attackers, we were able to determine that, in some cases, they attempted to steal specific documents and spreadsheets," writes Trend Micro researcher Nart Villeneuve.

Rik Ferguson, director of security research & communication EMEA at Trend Micro, told El Reg that some of the affected sites used Trend Micro's technology, which helped detect the attack. subsequent detective work led researchers back to two command and control servers, hosted by different ISPs (one in the US and one in the UK). Beyond saying the attack was likely to be motivated by cyberespionage, rather than profit, Ferguson was reluctant to speculate on who might be behind the attack or their motives. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.