The APT wars: Hackers raise swords and charge - at each other

Naikon was in for more than it bargained for when the group decided to strike another threat actor.


Cyberespionage group Naikon has launched a number of attacks in Asia, but when it decided to hit out at another threat actor it got more than it realized, in what is the first known example of a counterattack campaign between such groups.

Kaspersky Lab researchers have uncovered what could be a new trend in the cybercrime space -- dubbed the advanced persistent threat (APT) wars. What started it? The targeting of one cybercriminal group by another -- and a furious counterattack in response.

On Wednesday, the security firm released details of the campaign, saying that Naikon subjected a smaller threat actor, Hellsing, to a spear-phishing attack. Hellsing, though considered "technically unremarkable" by Kaspersky, did not take kindly to the email, which carried a malicious attachment. After questioning its authenticity and being left dissatisfied with the answer, Hellsing sent a spear-phishing email of its own back to Naikon, carrying a backdoor aimed at the attacker.

Naikon's target first emailed the sender back, asking for confirmation of the email and where it had been sent from. The attacker, familiar with the internal structure of the target's government agency, replied, claiming to work for the government's secretarial division and to have been instructed by management to send the email.

Unimpressed, the Hellsing member sent back a reply containing a password-protected .RAR archive, which "allows it to safely bypass malware scanners associated with the free email account used by the attackers," according to Kaspersky.

Within the archive were two decoy .PDF files and one .SCR file; the latter was a specially prepared backdoor intended for Naikon.
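As an added example (not code from the article or from Kaspersky's report), the following Python walks the block headers of a RAR 4.x attachment without extracting it, so a mail gateway can act on what the scanner could not see: a password-protected entry, fully encrypted headers, or an executable such as an .SCR sitting among decoy documents. The sample archive bytes are constructed here; CRCs are left zero and unchecked, and RAR5 archives are out of scope.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD, LHD_PASSWORD = 0x0080, 0x0004  # headers encrypted (rar -hp) / entry data encrypted (rar -p)
LHD_LARGE, LONG_BLOCK = 0x0100, 0x8000       # 64-bit sizes before the name / ADD_SIZE follows the header
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta")

def inspect_rar4(data: bytes) -> dict:
    """Walk RAR 4.x block headers without extracting; report what a gateway can still decide."""
    if not data.startswith(RAR4_MARKER):
        raise ValueError("not a RAR 4.x archive")
    result = {"encrypted_headers": False, "files": [], "findings": []}
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, btype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if btype == MAIN_HEAD and flags & MHD_PASSWORD:
            # Even the file names are unreadable: decide on policy, not on a scan verdict.
            result["encrypted_headers"] = True
            result["findings"].append("encrypted headers: contents cannot be listed")
            break
        if btype == FILE_HEAD:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_size].decode("cp437", "replace")
            result["files"].append((name, bool(flags & LHD_PASSWORD)))
            if name.lower().endswith(RISKY_EXT):
                result["findings"].append(f"executable inside archive: {name}")
            if flags & LHD_PASSWORD:
                result["findings"].append(f"password-protected entry, unscannable: {name}")
        pos += max(hsize, 7) + add_size  # always advance, even on a corrupt header
    return result

def _file_block(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed RAR 4.x file block; CRCs are left zero because the parser does not check them."""
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, flags, 32 + len(name),
                       len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name), 0x20)
    return head + name + payload

# Constructed sample mirroring the attachment described above: two decoy PDFs plus a password-protected .SCR.
SAMPLE_RAR = (RAR4_MARKER + struct.pack("<HBHHHI", 0, MAIN_HEAD, 0, 13, 0, 0)
              + _file_block(b"report1.pdf", b"%PDF-decoy", False)
              + _file_block(b"report2.pdf", b"%PDF-decoy", False)
              + _file_block(b"report.scr", b"\x00" * 16, True)
              + struct.pack("<HBHH", 0, END_HEAD, 0, 7))
# The same archive created with header encryption: not even the names are visible.
SAMPLE_RAR_HP = RAR4_MARKER + struct.pack("<HBHHHI", 0, MAIN_HEAD, MHD_PASSWORD, 13, 0, 0) + b"\x00" * 32
```

Either finding is reason enough for a gateway to quarantine the message, since no scanner can produce a verdict on content it cannot read.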

While the method of counterattack suggests that Hellsing was keen to gather surveillance data on its attacker, the move also alerted Kaspersky to Hellsing's existence. Further tracking revealed a trail of spear-phishing campaigns designed to deploy malware within different organizations in order to spy on them. If a victim opens the attachment, a custom backdoor capable of downloading and uploading files is installed.

According to the security firm, roughly 20 organizations have been targeted by Hellsing. The group is currently active in the APAC region and most often targets those in the South China Sea area, Malaysia, the Philippines and Indonesia. Government and diplomatic targets are often the focus of its activities. In comparison, Naikon is one of the most active APT groups in the region and is well known for its own custom backdoor, dubbed RARSTONE.

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, commented:

"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting -- "Empire Strikes Back" style, is fascinating. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack."

While the Hellsing group is relatively small in comparison to other advanced persistent threat groups such as Equation, its small size has helped the cybercriminals stay under the radar for a long time. The security firm suggests that businesses avoid being caught out by Hellsing by staying wary of email attachments from strangers, using modern operating systems which are fully patched and keeping third-party apps -- such as Microsoft Office and Java -- fully up to date.

See also: Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded

In related news, this week Kaspersky released a repository of CoinVault ransomware decryption keys for free. A database containing the keys was discovered by the National High Tech Crime Unit (NHTCU) and contains vectors, keys and bitcoin wallets. The public can now access the keys online in order to avoid paying the fee the ransomware demands to unlock and decrypt their PCs.

Interested? Ransomware strain breaks, victims avoid payment
