On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it's calling "Clasiopa." Clasiopa has been observed deploying a unique malware backdoor called "Atharvan" in its campaign against a materials manufacturer based in Asia.
"From what we can see, the main motivation of the attack was spying or information theft," Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading. Symantec declined to elaborate on the nature of the victim, the files, or whether the attackers were successful.
Clasiopa's Stealth Tactics
Clasiopa's initial intrusion vector is not certain, "although," the researchers noted, "there is some evidence to suggest that the attackers gain access through brute-force attacks on public-facing servers."
The report highlights a few hallmarks of the attack, including checking the IP address of target computers, using "multiple backdoors to build lists of file names and exfiltrate them," clearing multiple event logs on the target system, and running a vaguely named task — "network service" — to list file names.
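An added example, not from Symantec's report or this article: a Python sketch of how a defender could hunt for two of the hallmarks above in centrally collected Windows event data. It assumes the "network service" task is a scheduled task recorded by Security event 4698 and that log clears appear as events 1102 and 104; the flattened event schema, the sample records, and the 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

LOG_CLEAR_IDS = {1102, 104}       # 1102: Security log cleared; 104: another log cleared
TASK_CREATED_ID = 4698            # a scheduled task was created
SUSPECT_TASK = "network service"  # task name quoted in the report
WINDOW = timedelta(minutes=30)    # assumed correlation window

# Constructed sample events in a simplified, flattened schema (not a real export).
EVENTS = [
    {"host": "srv01", "time": "2023-02-01T02:10:00", "event_id": 4698, "task_name": "\\network service"},
    {"host": "srv01", "time": "2023-02-01T02:21:00", "event_id": 104, "channel": "System"},
    {"host": "srv01", "time": "2023-02-01T02:21:05", "event_id": 104, "channel": "Application"},
    {"host": "srv01", "time": "2023-02-01T02:21:09", "event_id": 1102, "channel": "Security"},
    {"host": "ws07", "time": "2023-02-01T09:00:00", "event_id": 104, "channel": "Application"},
    {"host": "ws07", "time": "2023-02-01T09:05:00", "event_id": 4698, "task_name": "\\Vendor\\Updater"},
]

def hunt(events, window=WINDOW):
    """Return {host: findings} for hosts showing either hallmark."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    results = {}
    for host, evs in by_host.items():
        clears = [(datetime.fromisoformat(e["time"]), e["channel"])
                  for e in evs if e["event_id"] in LOG_CLEAR_IDS]
        # Largest set of distinct logs cleared inside one sliding window.
        burst = set()
        for start, _ in clears:
            seen = {ch for t, ch in clears if start <= t <= start + window}
            if len(seen) > len(burst):
                burst = seen
        # Compare only the leaf of the task path, case-insensitively.
        tasks = [e["task_name"] for e in evs if e["event_id"] == TASK_CREATED_ID
                 and e["task_name"].rsplit("\\", 1)[-1].strip().lower() == SUSPECT_TASK]
        findings = []
        if len(burst) >= 2:
            findings.append(("multiple_logs_cleared", sorted(burst)))
        if tasks:
            findings.append(("suspect_task", tasks))
        if findings:
            results[host] = findings
    return results

if __name__ == "__main__":
    for host, findings in hunt(EVENTS).items():
        print(host, findings)
```

Run this kind of check against events forwarded to a central collector, since the local copies are what the attacker clears.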
Two commercial programs also made their way into the maelstrom: the Agile File Distribution Management system, from developers Jiangsu Agile Technology in China, and Domino, from HCL Software (though the latter may have been included coincidentally).
Altogether, these methods — the backdoors, the erased logs, the commercial software — begin to tell a story. "They're certainly an attempt at stealthy tactics," O'Brien says. "These kinds of tactics are by no means unique and a lot of similar threat actors will do something similar, with varying levels of success depending on their skills and resources."
"In this case," he adds, "they still left enough evidence behind to piece together much of what they'd done."
That said, some of the evidence the group left behind may have been intentional, meant to point researchers in a specific attribution direction.
Who Is Clasiopa?
The clues to learning about Clasiopa may lie in its unique malware, Atharvan — "a classic backdoor," as O'Brien says. "It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers."
Function aside, its name may be its most notable feature. The name derives from "SAPTARISHI ATHARVAN-101," a mutual exclusion object ("mutex") the malware creates after infecting a target machine, to ensure multiple copies of itself aren't running at once. "Saptarishi," in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.
And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a zip archive was iloveindea1998^_^.
However, these clues are actually so obvious that they invite suspicion. "While these details could suggest that the group is based in India," the researchers hypothesized, "it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue."
Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics utilized in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: To learn anything more about Clasiopa, we may need to wait until it strikes again.