Cyber spies are still using these old Windows flaws to target their victims

'Dropping Elephant' cyber-epionage group is using old and long-patched flaws as part of its campaign, but appears to be still finding some success.
Written by Danny Palmer, Senior Writer

Government officials are being targeted by very simple methods of cyber-espionage.

Image: iStock

Hackers using only the most basic forms of cyberattack have been able to successfully steal files from high-profile governmental and diplomatic targets.

A cyber-espionage operation has targeted individuals and organisations across the globe, although the vast majority of attacks have focused on Chinese government and diplomatic entities, individuals associated with them and partners of these organisations.

Cybersecurity researchers from Kaspersky Lab's Global Research and Analysis team have been investigating the "aggressive cyber-espionage activity" since February. The researchers suggest that it originates in India and that attacks are undertaken using old exploits, low-budget malware tools and basic social engineering methods.

The simple, but effective threat actor has been dubbed 'Dropping Elephant' and use emails which are sent in mass to large numbers to identify potential victims.

While the email itself doesn't contain a malicous payload, it does send a ping request back to the attackers' server when the message is opened. The ping providers the cyber-spies with information about the victim, including IP address, type of browser, the device used and its location.

Using this information, the perpetrators identify the most valuable targets and then email them again, but this time using more advanced spear-phishing techniques to trick victims into opening messages containing malicious payloads.

This can either come in the form or Word or PowerPoint documents containing malicious exploits or alternatively, being targeted with a waterhole attack via a link to a website disguised as political news provider which contains links to PowerPoint slides containing malware.

These emails may use a Word document with CVE-2012-0158 exploit, or PowerPoint slides with an exploit for the CVE-2014-6352 vulnerability in Microsoft Office: both exploits are public and have been known for a long time, but are still effective said Kaspersky.

"Even though the vulnerabilities used in the attacks were patched by Microsoft, the attackers can still rely on a social engineering trick to compromise their targets if they ignore multiple security warnings displayed and agree to enable dangerous features of the document. The content of the malicious PPS is based on carefully chosen, genuine news articles featuring widely discussed geopolitical topics, which makes the document look more trustworthy and likely to be opened. This leads many users to become infected," the researchers warned.

Once malicious software has been installed on the target's machine, it sends the attackers Word documents, Excel spreadsheets, PowerPoint presentations, PDF files and any login credentials saved into the browser.

Using these techniques, the attackers have profiled potentially thousands of potential targets across the world during the course of this year and have even managed to steal documents from dozens of individual victims in government and diplomacy.

While the majority of victims are Chinese-based, those behind the cyber-espionage have also targeted organisations in the USA, Australia, Pakistan, Sri Lanka, Uruguay and Bangladesh.

According to researchers, there are indicators - including the times attacks take place and the location of ISP addresses - that the attacks are originating from India, but there's no "solid proof" that any nation-state is actively involved in carrying out the cyber-spying.


Cybersecurity researchers say the time of malicious activity suggests attacks are originating from India

Image: Kaspersky Lab

Kaspersky Labs also warn that the perpetrators have now widened their hours of activity, suggesting that those performing the espionage have increased their headcount to carry out more attacks.

"Despite using such simple and affordable tools and exploits, the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon," said Vitaly Kamluk, Head of Research Center in APAC, GReAT, Kaspersky Lab.


Editorial standards