Positive Technologies Investigation: New APT Group Attacks Multiple State Institutions

Positive Technologies Expert Security Center specialists have discovered an APT group, active since 2016, which has targeted state institutions in six different countries.

The experts found that government organizations in India (34 percent), Brazil and Kazakhstan (18 percent each), Russia and Thailand (12 percent each) and Turkey (6 percent) suffered damage as a result of the group's attacks. The attackers hacked the network perimeter and injected a special program that gave them access to the victim's internal network. The investigation revealed that the attackers moved through the network either by exploiting a remote code execution vulnerability (MS17-010) or by using stolen credentials.

Denis Kuvshinov, Lead Specialist in Threat Analysis at Positive Technologies, commented on the attack: "These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by specialists everywhere for network administration. The group used publicly available utilities and exploit tools, such as SysInternals¹, Mimikatz², EternalBlue, and EternalRomance³. Using these widely available tools, the attackers infected computers on the organization's LAN and stole confidential data."

According to the experts at Positive Technologies, organizations can prevent such attacks by using specialised systems for deep traffic analysis. These systems help detect suspicious activity at the early stages of the attackers' incursion into the LAN and prevent the hackers from getting a foothold in the company infrastructure. In addition, monitoring of security incidents, along with perimeter and web application protection, will also help in detecting and preventing these attacks.

The data obtained indicates that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. In one of the attacks the group used PlugX malware, which is traditionally used by many Chinese APT groups. They also used the Byeby trojan, which was involved in the SongXY malware campaign in 2017. In addition, in some of the attacks the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.

For the full Positive Technologies report on Calypso APT click here.


  1. Legitimate Windows administration suite.
  2. Utility for obtaining user credentials, including passwords.
  3. Exploits for the MS17-010 vulnerability.