'NetTraveler' Cyberespionage Campaign Uncovered

Nearly decade-old attack also has links to other APT groups, infrastructure

A less sophisticated but long-running cyberspying program out of China aimed at high-profile targets in government, embassies, oil and gas, military contractors, activists, and universities has infected hundreds of targets across 40 nations.

The so-called NetTraveler campaign, revealed today by Kaspersky Lab, is run by a midsize APT group out of China with some 50 members, whose operators have also used other malware, including Zegost (from Gh0stNet), Saker, and other APT-related tools. That doesn't mean the same group is behind Gh0stNet or the other campaigns, however: "The groups and their activities are large, complex and in many ways separate, and we are simply saying that there are inter-relations in the dataset," said Kurt Baumgartner, senior security researcher for the Americas on the Global Research and Analysis Team at Kaspersky Lab, in an email interview. "This group's connections with a handful of other groups are both operational and share infrastructure."

According to Kaspersky's findings, the backdoor used in NetTraveler was likely written by the same developer who wrote the Gh0st/Zegost remote access Trojan, and NetTraveler's IP address range partly overlaps with Zegost's. "For instance, one of the command and control servers that is part of the infrastructure is a well-known C2 for multiple Zegost variants, still active as of May 2013. The targets and command and control domain naming scheme indicates a connection between the Lurid/Enfal attackers and NetTraveler," according to a report published today by Kaspersky Lab. "Some of the NetTraveler C2's are used to distribute a malware known as 'Saker' or 'Xbox,' which is delivered as an 'update' to the NetTraveler victims."

And in yet another example of how we've likely only scratched the surface on APTs, the researchers also discovered that six of the NetTraveler victims -- a Russian military contractor, an embassy in Belgium, an embassy in Iran, an embassy in Kazakhstan, an embassy in Belarus, and a government organization in Tajikistan -- also had been hit by Red October, a cyberespionage campaign likely run out of Eastern Europe. According to Kaspersky's findings, the overlap indicates how highly these targets are valued by espionage groups.

"Threat actors infiltrate victims simultaneously and may or may not be concerned about victim overlap. Most likely, with these two groups in particular, the operators have a specific set of tasks to carry out at the victim organizations," Baumgartner says. "If they happen to see another piece of malware on the target network, and it doesn't interrupt their operation, they just go back to completing their assignments."

NetTraveler doesn't use zero-day attacks. Instead it exploits two well-known, long-patched vulnerabilities reachable through Microsoft Office documents: a bug in the Windows Common Controls ActiveX library (MSCOMCTL.OCX) that Microsoft patched in April 2012 (CVE-2012-0158), and a stack buffer overflow in Microsoft Word's RTF parser that was fixed in November 2010 (CVE-2010-3333). Like most targeted attacks, it starts with spear-phishing emails carrying attachments, in this case Office documents rigged to trigger those exploits. "Although these vulnerabilities have been patched by Microsoft, they remain effective and are among the most exploited in targeted attacks," Kaspersky Lab said in its report today on NetTraveler.

The researchers say that despite the relatively unsophisticated methods, the campaign still was highly successful against these high-profile victims. Bottom line: the victims' machines were missing Microsoft updates that had been available for a year or more.

"We found more than a handful of victims that were infiltrated by both the Red October and NetTraveler threat actors simultaneously. Where we may have suspected that it happened infrequently, we have concrete data that there are multiple high value targets that cannot adequately defend themselves -- they are easy picking for threat actors and should not be," Kaspersky's Baumgartner says.

"That's a vulnerability management issue," says Lawrence Orans, research director for Gartner. "Those Microsoft Office patches had been out there for [at least] a year, and all they had to do was patch it ... It comes down to poor processes."

Kaspersky found more than 22 gigabytes of stolen data on some of NetTraveler's 30 command and control servers, including file system listings, keylogs, PDFs, Excel spreadsheets, Word documents, and other files. The NetTraveler malware also can be used to install additional custom tools, for example ones that target computer-aided design (CAD) files and application configuration information.

Among the topics of interest for the NetTraveler APT group are space exploration, nanotechnology, energy production, nuclear power, laser technology, medicine, and communications. Mongolia (29 percent), Russia (19 percent), India (11 percent), and Kazakhstan (11 percent) had the most victims, and infected targets were also found in the U.S., Canada, the UK, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Iran, Turkey, Pakistan, South Korea, Thailand, Qatar, and Jordan.

By sector, some 32 percent of the victims were diplomatic organizations; 19 percent, government; 11 percent, private industry; and 9 percent, military.

The full Kaspersky Lab report on NetTraveler is available as a PDF download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading.