Cyber espionage campaign targets energy companies
Signs suggest remote access trojan by group that attacked RSA
Computerworld - Hackers using a Remote Access Trojan (RAT) named Mirage have been engaged in a systematic cyber espionage campaign against a Canadian energy company, a large oil firm in the Philippines and several other entities since at least this April, Dell's SecureWorks Counter Threat Unit says.
The campaign is the second one targeted at oil companies to be discovered by SecureWorks this year. In February, researchers at the firm discovered attackers using remote access tools similar to Mirage to target several oil companies in Vietnam. That campaign also targeted government agencies in several countries, an embassy, a nuclear safety agency and multiple business groups, according to SecureWorks.
The domains for three of the command and control (C&C) servers used to control Mirage and for several of the C&C servers used in the February campaign, appear to belong to the same individual or group of individuals, SecureWorks said.
Also noteworthy is the fact that the IP addresses for the command and control servers used for Mirage and in the February campaign belong to China's Beijing Province Network. The same network was also implicated in last year's attacks on security vendor RSA that resulted in the theft of confidential information related to the company's SecurID two-factor authentication technology.
Command and control servers associated with the 2009 GhostNet campaign that targeted government computers in more than 100 companies also used IP addresses in the same network. The evidence suggests that the same group of people is behind the sweeping cyber espionage campaigns, SecureWorks researchers Joe Stewart said today.
The latest Mirage campaign has so far impacted companies in Canada, the Philippines, a military organization in Taiwan and several unidentified entities in Nigeria, Egypt, Brazil and Israel, Stewart said.
The Mirage malware program itself is very crafty and is designed to evade easy detection, according to SecureWorks. All of its communications with its command and control servers are disguised to appear like the URL traffic pattern associated with Google searches.
Those behind the espionage have used phishing emails to trick mid-level to senior executives at the targeted companies to click on attachments containing malware for installing Mirage on their systems. One of the emails used in the campaign for instance, contained a pdf of a news story about Yemeni women being eligible to participate in that country's elections.
Over the past few months, researchers at SecureWorks discovered several customized variants of Mirage designed to evade detection by anti-virus and anti-malware programs
"One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors," SecureWorks analyst Silas Cutler wrote in the alert. "These samples had been configured with default credentials for the targeted environment's web proxy servers," he noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Arrests made after international cyber-ring targets StubHub
- International police operation disrupts Shylock banking Trojan
- Spamhaus pushes for arrests of alleged DDoS participants
- Accused Russian point-of-sale hacker arrested, will face U.S. charges
- No-IP regains control of some domains wrested by Microsoft
- Microsoft legal action cramping other hacking campaigns, Kaspersky says
- Microsoft admits technical error in IP takeover, but No-IP still down
- QuickPoll: Why hasn't Windows XP come under attack from hackers?
- Cybercrime losses top $400 billion worldwide
- U.S., foreign agents disrupt Gamover Zeus botnet
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts