The Empire Strikes Back


Transcript of The Empire Strikes Back

THE EMPIRE STRIKES BACK

Costin G. Raiu

How APT actors fight each other for control

I FLY A LOT, HOW ABOUT YOU?

Recent flight tragedies: MH17, QZ8501, MH370, 4U9525

CYBERCRIMINALS ARE QUICK TO EXPLOIT TRAGEDIES

• Cybercriminals take advantage of news to launch phishing attacks

• Such news includes hurricanes, earthquakes, tsunamis, terrorist attacks or other tragedies

• The goal is to trick people looking for news into opening malicious emails and documents

NAIKON: MH370 ATTACKS

• The Naikon group is an APT that is very active in Asia

• We’ve noticed a spike in the number of Naikon attacks against the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore and Nepal

• Naikon was quick to exploit the MH370 tragedy

• It launched a massive campaign to attack other nations in APAC, notably those involved in the search for MH370

NAIKON SPEAR-PHISHING

HUNDREDS OF EMAILS WERE SENT

AFFECTED PARTIES IN VARIOUS COUNTRIES

• Office of the President

• Navy Forces

• Armed Forces

• Office of the Cabinet Secretary

• National Security Council

• Office of the Solicitor General

• National Intelligence Coordinating Agency

• Civil Aviation Authority

• Department of Justice

• National Police

• Presidential Management Staff

Several hundred victims, thousands of documents stolen

THE VICTIM ASKS

THE ATTACKER REPLIES

A BIT LATER…

Directory of … Mar 31, 2014.scr

THE “HELLSING" APT

• Active since ~2012

• Spear-phishing: archives, SCR files

• Main interests: APAC nations

• No financial gain, pure intelligence gathering

• Probably nation-state sponsored

Affected organizations in Country “A”, Country “B” and Country “C” (plus embassies, ASEAN, etc.):

• Ministry of Foreign Affairs

• Ministry of Tourism and Culture

• Immigration Department

• Office of the President

• National Economic and Development Authority

• Society for Quality

• Ministry of Foreign Affairs

ATTACK ANALYSIS – “HELLSING”

AM I AT RISK?

Risk factors:

• Do you receive and read hundreds of emails, open attachments?

• Do you work for/with governments in APAC?

• Have you received suspicious .scr files?

• Inside RAR/ZIP archives, with password?

To find out if you’re infected:

• Use our IOCs document

• All Kaspersky Lab products detect the Hellsing actor
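The risk factors above boil down to one attachment pattern: a Windows .scr screensaver executable delivered inside a RAR/ZIP archive, often password-protected so that gateway scanners cannot look inside. The following is an added example written for this transcript (it is not code from the talk or from Kaspersky Lab) showing how a mail-gateway or SOC triage script can flag that pattern before a user ever double-clicks it. The extension lists, the three verdict levels and the in-memory sample archives are all the editor's assumptions; only ZIP is parsed, because the Python standard library has no RAR reader, so a RAR attachment is routed to human or sandbox review rather than silently allowed.

```python
"""Triage an e-mail attachment for the .scr-in-archive lure described above.

Added example (editor's code, not the talk's). Standard library only.
"""
import io
import zipfile

# Extensions Windows executes directly on double-click. Defender's choice,
# not an enumeration taken from the talk.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".cpl", ".js", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose flag bit 0: member is password-protected


def _extensions(name):
    """All lower-cased suffixes of a file name: 'a/Report.pdf.scr' -> ['.pdf', '.scr']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data):
    """Return (member_name, reason) findings for every suspicious ZIP member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                # Password-protected member: content cannot be scanned at the gateway
                findings.append((info.filename, "encrypted member"))
            if last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension " + last))
                if len(exts) >= 2:
                    # e.g. 'update.pdf.scr': document-looking name hiding an executable
                    findings.append((info.filename, "double extension"))
            if last in ARCHIVE_EXTENSIONS:
                findings.append((info.filename, "nested archive"))
    return findings


def attachment_verdict(filename, data):
    """Map an attachment to 'block', 'review' or 'allow' (policy is the editor's)."""
    exts = _extensions(filename)
    outer = exts[-1] if exts else ""
    if outer in EXECUTABLE_EXTENSIONS:
        return "block"  # a bare .scr/.exe attachment never needs to reach a mailbox
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # RAR/7z/unknown container: cannot inspect with the stdlib, do not guess
        return "review" if outer in ARCHIVE_EXTENSIONS else "allow"
    try:
        findings = triage_zip(data)
    except zipfile.BadZipFile:
        return "review"  # malformed archive: let a sandbox or analyst decide
    reasons = {reason for _, reason in findings}
    if any(r.startswith("executable extension") for r in reasons):
        return "block"
    if reasons:  # encrypted or nested archive with no visible executable
        return "review"
    return "allow"


def build_sample_zip(members):
    """Constructed test data: in-memory ZIP built from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not real Naikon or Hellsing artifacts
    lure = build_sample_zip({"Search update.pdf.scr": b"MZ\x90\x00", "readme.txt": b"see attached"})
    benign = build_sample_zip({"agenda.docx": b"not a real docx"})
    for name, blob in [("update.zip", lure), ("agenda.zip", benign), ("files.rar", b"Rar!\x1a\x07\x00")]:
        print(name, "->", attachment_verdict(name, blob))
```

The verdict function deliberately never returns "allow" for an archive it could not open: an encrypted or non-ZIP container is exactly the case the risk factors describe, so it is escalated rather than waved through.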

PREVENTION MEASURES (GENERAL)

• Educate employees on how to avoid being ‘socially-engineered’

• Use strong anti-malware suites, best practices

• Use separate laptops for travel

• Don’t update software while traveling

• Use VPNs

• Use strong and unique passwords for each website

• Default deny policies stop many APTs dead in their tracks

CONCLUSION

• Welcome to APT wars!

• Attack / counterattack mentality

• Goals: attribution, counter-intelligence gathering

• Are they really advanced? No

• Are they really a threat? Yes!

Prediction: we’ll see more APT wars in the near future

QUESTIONS?