Cyber espionage campaign targets energy companies
Signs suggest remote access trojan by group that attacked RSA
Computerworld - Hackers using a Remote Access Trojan (RAT) named Mirage have been engaged in a systematic cyber espionage campaign against a Canadian energy company, a large oil firm in the Philippines and several other entities since at least this April, Dell's SecureWorks Counter Threat Unit says.
The campaign is the second one targeted at oil companies to be discovered by SecureWorks this year. In February, researchers at the firm discovered attackers using remote access tools similar to Mirage to target several oil companies in Vietnam. That campaign also targeted government agencies in several countries, an embassy, a nuclear safety agency and multiple business groups, according to SecureWorks.
The domains for three of the command and control (C&C) servers used to control Mirage and for several of the C&C servers used in the February campaign, appear to belong to the same individual or group of individuals, SecureWorks said.
Also noteworthy is the fact that the IP addresses for the command and control servers used for Mirage and in the February campaign belong to China's Beijing Province Network. The same network was also implicated in last year's attacks on security vendor RSA that resulted in the theft of confidential information related to the company's SecurID two-factor authentication technology.
Command and control servers associated with the 2009 GhostNet campaign that targeted government computers in more than 100 companies also used IP addresses in the same network. The evidence suggests that the same group of people is behind the sweeping cyber espionage campaigns, SecureWorks researchers Joe Stewart said today.
The latest Mirage campaign has so far impacted companies in Canada, the Philippines, a military organization in Taiwan and several unidentified entities in Nigeria, Egypt, Brazil and Israel, Stewart said.
The Mirage malware program itself is very crafty and is designed to evade easy detection, according to SecureWorks. All of its communications with its command and control servers are disguised to appear like the URL traffic pattern associated with Google searches.
Those behind the espionage have used phishing emails to trick mid-level to senior executives at the targeted companies to click on attachments containing malware for installing Mirage on their systems. One of the emails used in the campaign for instance, contained a pdf of a news story about Yemeni women being eligible to participate in that country's elections.
Over the past few months, researchers at SecureWorks discovered several customized variants of Mirage designed to evade detection by anti-virus and anti-malware programs
"One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors," SecureWorks analyst Silas Cutler wrote in the alert. "These samples had been configured with default credentials for the targeted environment's web proxy servers," he noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- Target attack shows danger of remotely accessible HVAC systems
- U.S. is investigating Target data breach, AG Holder says
- Russian man pleads guilty in SpyEye malware case
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts