Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak

The NSA had superior insight into foreign nation-state hacking operations than many cyber-security vendors.

Hacker APT scary

Image: Sebastiaan Stam

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read More

In 2017, a mysterious group of hackers known as the Shadow Brokers published online a data dump called "Lost in Translation."

The data dump -- believed to have been obtained from the US National Security Agency (NSA) -- contained a collection of exploits and hacking tools, including the now-infamous EternalBlue, the exploit that provided the steam for the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.

However, one of the nuggets in the release was a file named sigs.py, a veritable treasure trove of signals intelligence data.

This file worked as a built-in malware scanner that NSA hackers were using to scan computers they infected, looking for the presence of other APTs -- advanced persistent threats, a term often used to describe nation-state hacking groups.

In total, the sigs.py script included signatures to detect 44 other APTs. Many were unknown to the cyber-security industry at the time of the leak, back in 2017, showing that the NSA had a leg up on the private sector, being aware and capable of detecting and tracking the operations of many hostile APTs.

But in a report last month, GReAT, Kaspersky's elite hacker hunting unit, said they've finally managed to identify one of those mysterious APTs -- namely the group tracked through the sigs.py signature #27.

darkuniverse-sigs.png

Image: Kaspersky

Kaspersky says signature #27 can identify files that are part of "DarkUniverse," a malware framework, and a name they are now also using to track the APT and its activities.

Researchers say the DarkUniverse group has been active from 2009 to 2017, appearing to go silent after the ShadowBrokers leak.

"The suspension of its operations may be related to the publishing of the 'Lost in Translation' leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations," the GReAT team said today in a blog post detailing the DarkUniverse malware framework.

20 victims identified across Africa and EMEA

The company says it tracked down "around 20 victims geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates."

The victims included both civilian and military organizations, such as medical institutions, atomic energy bodies, military organizations and telecommunications companies.

However, Kaspersky experts believe the actual number of victims may be much greater, due to the lapse of time and lack of further visibility into the group's operations.

As for the DarkUniverse malware framework, Kaspersky said they found code overlap with the ItaDuke malware/APT -- which is known to have targeted China's Uyghur and Tibetan minorities.

However, it is unclear if the DarkUniverse malware is the work of Chinese hackers. More clues will be needed apart from basic code overlap, which can be easily forged and is a common occurrence.

Below are the capabilities of the DarkUniverse malware framework, a typical remote access trojan, and a pretty advanced one, according to Kaspersky's assessment.

darkuniverse-malware.png

Image: Kaspersky