Attacks/Breaches
8/27/2013
02:18 PM
Connect Directly
RSS
E-Mail
50%
50%

G20 Summit Becomes Bait For Cyberespionage Attacks

The upcoming G20 Summit in Russia is being used as a lure in a spate of APT-style attacks

With the G-20 Summit a little more than a week away, cyberattackers are using the conference as a theme as they target government and financial institutions.

According to Rapid7, multiple groups -- potentially originating in China -- are responsible for the attacks, including a prominent group known as the Calc Team or APT-12 that has been tied to an attack on The New York Times.

"Within the security community there's the firm belief that the Calc Team is an espionage group operating from China, which originally stood out due to the use of a peculiar algorithm used to calculate the connection details to their Command & Control servers (C&C) out of an initial DNS request," blogs Rapid7 security researcher Claudio Guarnieri. "[This] group has been tracked by researchers for years and is believed to be responsible of numerous attacks against government agencies, financial institutions and defense contractors."

The recent attacks all use the upcoming G20 conference -- scheduled for Sept. 5 and 6 in St. Petersburg, Russia -- as a theme for the bait. The first of the ongoing G20-themed attacks tied to the group was detected in May, and featured a PDF document outlining a development agenda for the Russian presidency, as well as a second document entitled "Global Partnership for Financial Inclusion Work Plan 2013."

"Both are clearly Windows executable files that try to disguise as PDF documents," the researcher notes. "As commonly happen, no exploit has been used here and the attacker uniquely relied on social engineering the targets to open and execute the files contained in the archive. Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion."

Earlier this month, two more attacks tied to the group using other G20-themed booby-trapped documents were detected, as well. Once the malware is on the system, it is then used to download additional malware and log the keystrokes of users. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key with GetKeyState Windows API. Currently, the command-and-control used by the attackers remains active.

"Assuming that the chain of attribution to Calc is correct, it's interesting to observe that despite major international exposure after The New York Times incident, the intrusion group/s behind these attacks is still operational and doesn't seem to have been affected by the sudden attention received by newspapers and researchers," Guarnieri blogs.

"Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it's remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect," he adds. "As also pointed out by FireEye, the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers, which combined with the lack of exploitation involved, it leaves a large responsibility on the targeted user to be able to recognize the social engineering attempt and isolate the attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio