Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/7/2017
03:14 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

South America the Target of 'Sowbug' Cyber Espionage Group

Diplomatic and government organizations in Brazil, Peru, Ecuador, and Argentina are being targeted by what Symantec says looks like a nation-state actor.

A shadowy threat group with nation-state capabilities has been conducting a sophisticated cyber espionage campaign against government targets in South America, a region where such attacks have been relatively rare.

The group, called Sowbug, has been active since at least early 2015 and appears primarily interested in gathering foreign policy information from diplomatic and government entities in the region, Symantec warned in a report published Tuesday.

The Sowbug group's victims include organizations in Brazil, Peru, Argentina, and Ecuador. In addition to South America, the hacker group has also targeted organizations in Southeast Asia and broken into government organizations in Brunei and Malaysia.

Symantec says it first spotted signs of Sowbug's activity in March 2017 when it discovered a brand new backdoor dubbed Felismus being used against a target in South East Asia. The group appears to be well-resourced and capable of infiltrating multiple targets simultaneously and maintaining a presence on their networks for extended periods. In some cases, they have remained undetected on a victim's network for up to six months.

What makes the Sowbug campaign significant is its focus on South America, says Dick O'Brien, security researcher at Symantec. Typically, most attacks of this nature have been directed at organizations in the United States and Europe. "The most significant thing for us was seeing a group like this targeting South America, which, to date, has been quite rare," O'Brien says. 

"The big takeaway from our perspective is that cyberespionage is now a global issue and no region is unaffected," he says. Organizations shouldn't assume they won't be targeted because of where they are located, and should build their defenses against such threats.

In terms of capabilities, the Sowbug group has developed its own sophisticated malware and seems to have enough personnel to take on multiple targets at the same time. The attackers tend to only operate outside of the normal working hours in their targeted countries to minimize their chances of getting caught. "Therefore, we'd view them as capable and well-resourced attackers, near the elite end of the spectrum," O'Brien says.

The actors behind the Sowbug campaign appear to be looking for very specific information on victim networks. For instance, in a May 2015 attack on the foreign affairs ministry of a South American nation, the attacks seemed focused on extracting documents from a division of the ministry that was responsible for foreign relations with a nation in the Asia-Pacific region.

The threat actors first looked for and extracted all Word documents stored in a file server belonging to the division that had been modified from May 11, 2015. One hour later, they came back to the same server and extracted an additional four days worth of data. "Presumably they either didn't find what they were looking for in the initial incursion, or else noticed something in the documents they stole earlier that prompted them to hunt for more information," Symantec noted in its report.

They then attempted to extract Word documents and other content from remote files shares and shared drives belonging to the targeted division, once again using a very specific date range. In this particular instance, the threat actors from Sowbug managed to remain undetected on the victim network for a period of four months between May and September 2015.

One tactic the group has used to evade detection is to disguise its malware as well-known software packages such as Windows and Adobe Reader. The group has been able to hide in plain sight by naming its tools after well-known software products and placing them in directory trees where they can easily be mistaken for the real thing, according to Symantec.

O'Brien says Symantec so far has not been able to figure out how the group initially infiltrates a target system or drops the Felismus backdoor on them. In some cases, the researchers have seen the attackers employ a dropper dubbed Starloader to install Felismus. But in those cases, the company has not been able to figure out how Sowbug got the dropper on the system.

"We were unable to identify any technical or operational aspects of the attack that would indicate possible origin of this activity," O'Brien says. "However, we can say the targets are likely of interest to a nation-state and the malware used in these attacks is at the level of sophistication we would expect to see with state-sponsored attackers."

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.