Attacks/Breaches
11/12/2012
04:22 PM
The Globalization Of Cyberespionage

Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing

A recently discovered cyberespionage campaign against Israeli and Palestinian organizations, in operation for more than a year, is chilling evidence that cyberspying is a global phenomenon and no longer mostly the domain of massive nation-states like China.

While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights how popular and easy cyberspying has become. With remote access Trojan (RAT) tools readily available and easy to use, and social engineering reliably effective, an attacker does not need nation-state backing to conduct these types of targeted attacks. RATs traditionally have been associated with China-based attackers, but that conventional wisdom is shifting as other nations and politically motivated attackers turn to these tools to gather intelligence on their marks more efficiently.

Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails sent to Israeli and Palestinian targets and found that it was based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman attributes both waves to the same attacker because they use the same command-and-control (C&C) infrastructure and the same phony digital certificates.

This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.

[Turns out cyberespionage malware and activity is far more prolific than imagined. See Scope Of APTs More Widespread Than Thought. ]

Oftedal says he has seen Xtreme RAT used in all types of attacks. What was most striking about this campaign is that the same attacker used it to go after both Israeli and Palestinian interests. With only the malware and email samples to study, however, he says, Norman can't draw any conclusions on who is behind the attacks.

Aviv Raff, CTO of Seculert, which also has been studying the attacks, says there appears to be a political motive for the attacks, and that the perpetrators could be Hamas hacktivists or someone from their own cyberarmy.

Cyberespionage attacks from various players will increase in the coming year, he says. "I believe that next year we'll see more actors from different nations" conducting cyberespionage, Raff says. "I think such efforts are already in place, and [we] saw that with last year's attacks. The way I see this is that next year, more of such attacks will be discovered -- meaning they are taking place as we speak but go under the radar."

Israeli police last month pulled all of their computers off the Internet after discovering a rogue file spreading around their systems. Seculert studied the attack and concluded that the attacks were based on the Xtreme RAT, a not-so-advanced but highly persistent attack tool.

That assessment was confirmed by Norman's research today. "This was not too advanced," Norman's Oftedal says. "They were using off-the-shelf Trojans. The only advanced piece is the digital certificates," which were created to appear as Microsoft-signed, he says.
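Two findings above describe the analyst's pivoting method rather than the malware itself: Norman tied the Palestinian-targeted and Israeli-targeted waves together because the samples share C&C infrastructure and the same phony certificates, and the only "advanced" piece of the tooling was certificates crafted to look Microsoft-signed. The script below is an added example (not Norman's, Seculert's or Dell SecureWorks' code) of both steps over a constructed sample set: it clusters samples that share any C&C host or signing-certificate thumbprint, and it flags signers that claim to be Microsoft while the certificate is self-signed or its chain does not validate. The sample IDs, hosts, thumbprints and certificate names are all invented placeholders, and the `chain_trusted` field is assumed to come from an earlier Authenticode validation pass (for example `signtool verify` or `osslsigncode verify`); the script does not parse PE files or validate chains itself.

```python
"""Pivot on shared C&C hosts and code-signing certificates to link malware samples
into one campaign, and flag forged-looking "Microsoft" signatures.

Added example with constructed data; not code from the page or the vendors it cites.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    """Metadata pulled from one phishing-delivered binary (all values constructed)."""
    sample_id: str              # stand-in for the file hash
    target: str                 # who the lure was sent to
    c2_hosts: Tuple[str, ...]   # hosts the RAT beacons to
    cert_thumbprint: str        # thumbprint of the signing cert, "" if unsigned
    cert_subject: str           # subject CN as written in the certificate
    cert_issuer: str            # issuer CN as written in the certificate
    chain_trusted: bool         # assumed output of an earlier Authenticode validation


# Constructed sample set: two lures sent to Palestinian targets, two to Israeli
# targets, one unrelated unsigned sample, and one genuinely signed binary.
SAMPLES: List[Sample] = [
    Sample("pal-01", "Palestinian target", ("c2-one.example",), "CERT-A",
           "Microsoft Corporation", "Microsoft Corporation", False),
    Sample("pal-02", "Palestinian target", ("c2-one.example", "c2-two.example"), "CERT-A",
           "Microsoft Corporation", "Microsoft Corporation", False),
    Sample("isr-01", "Israeli target", ("c2-two.example",), "CERT-B",
           "Microsoft Corporation", "Microsoft Code Signing PCA", False),
    Sample("isr-02", "Israeli target", ("c2-three.example",), "CERT-B",
           "Microsoft Corporation", "Microsoft Code Signing PCA", False),
    Sample("unrelated-01", "Other", ("other.example",), "", "", "", False),
    Sample("legit-01", "n/a", (), "CERT-C",
           "Microsoft Corporation", "Microsoft Code Signing PCA", True),
]


def cluster_by_shared_indicators(samples: List[Sample]) -> List[List[str]]:
    """Union-find over samples: two samples are linked if they share a C&C host
    or a signing-certificate thumbprint. Returns sorted clusters of sample IDs."""
    parent: Dict[str, str] = {s.sample_id: s.sample_id for s in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    # Index every indicator to the samples that exhibit it.
    by_indicator: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for s in samples:
        for host in s.c2_hosts:
            by_indicator[("c2", host)].append(s.sample_id)
        if s.cert_thumbprint:
            by_indicator[("cert", s.cert_thumbprint)].append(s.sample_id)

    # Any indicator seen in more than one sample merges those samples.
    for members in by_indicator.values():
        for other in members[1:]:
            union(members[0], other)

    groups: Dict[str, List[str]] = defaultdict(list)
    for s in samples:
        groups[find(s.sample_id)].append(s.sample_id)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def looks_like_forged_microsoft_signature(s: Sample) -> bool:
    """Heuristic: the signer claims to be Microsoft, but the certificate is
    self-signed or its chain does not validate to a trusted root."""
    if not s.cert_thumbprint:
        return False  # unsigned files are a separate question
    claims_microsoft = "microsoft" in s.cert_subject.lower()
    self_signed = s.cert_subject == s.cert_issuer
    return claims_microsoft and (self_signed or not s.chain_trusted)


def flagged_samples(samples: List[Sample]) -> List[str]:
    """Sorted IDs of samples whose signature looks like a forged Microsoft signature."""
    return sorted(s.sample_id for s in samples if looks_like_forged_microsoft_signature(s))


if __name__ == "__main__":
    for group in cluster_by_shared_indicators(SAMPLES):
        print("cluster:", ", ".join(group))
    print("forged-looking Microsoft signatures:", ", ".join(flagged_samples(SAMPLES)))
```

With the constructed data, the two Palestinian-targeted samples and the two Israeli-targeted samples collapse into a single cluster even though no one indicator spans all four: `pal-02` shares a host with `isr-01`, and each pair shares a certificate. That transitive link is exactly the kind of evidence behind a "same attacker" call, and it is also the step to scrutinize, since a shared commodity host (a bulletproof-hosting IP reused by unrelated customers) would merge unrelated campaigns the same way. The signature check deliberately treats a plausible issuer name as meaningless on its own; only chain validation separates `legit-01` from `isr-01`.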

The attackers initially used C&C servers located in the Gaza Strip region, and later moved them to hosting firms in the U.S. and U.K., according to Norman's findings.

Other researchers, including Dell SecureWorks, have spotted related Xtreme RAT activity against Palestinian and Israeli targets. Joe Stewart, director of malware research at Dell SecureWorks, says he has also seen Chinese hackers using Xtreme RAT for cyberespionage.

But the similarities between nation-state Chinese attackers and these Middle Eastern political attacks end there. "A lot of targeting that's going on lately are kind of ad-hoc programs being spun up in response to Arab Spring ... and throwing up commodity [Trojans]," Stewart says. "There's no time to spin up the next Flame. They use what's out there and available."

And researchers and victim organizations are also getting more experienced at spotting possible targeted attacks, which is adding to the snowball effect of new cyberespionage players and victims.

"Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual," Stewart says. "A few years ago, you'd think 'that was just a random hacker and I'll concentrate on Storm' or whatever threat was big at the time. Now you see samples that are not like any other samples ... and stand on their own because they are such low volume, and you realize this could be the next big story, a Stuxnet you got your hands on there that's worth delving into more."

The full report from Norman is available here.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
