RSA FirstWatch researchers say the attackers behind the so-called VOHO hacks have ties to China and used a technique they call "water holing": seeding malware on selected websites that the ultimate targets were most likely to visit, chosen by shared areas of interest and geography. The end result is a drive-by-style attack, which is not typically associated with traditional cyberespionage or advanced persistent threat-style attacks.
Around 35,000 machines were hit by the VOHO attacks and redirected to compromised Web servers, and close to 4,000 machines ultimately were infected. That's a healthy infection-success rate of about 12 percent for the attackers, according to RSA's findings. "Drive-by based attacks in the cybercrime world typically have a 5- to 10 percent success rate," says Alex Cox, principal security researcher for RSA FirstWatch Threat Research. "While VOHO is not cybercrime, using that understanding, anything over 10 percent can be considered successful. These sorts of attacks never have an extremely high success rate on a numbers scale because of variables in the defenders' infrastructure ... blocking technologies, host configuration, lack of vulnerable software, etc."
"This attack is particularly brazen due to its wide victim base. Typical APT attacks are very targeted, so this appears to be a more 'cast the net and see what we catch' approach: That's new," Cox says. The attack also targets users in the Boston, Massachusetts, and Washington, D.C., areas and suburbs, including those associated with the defense industrial base, education, and political activism.
The VOHO attackers also employ some of the same methods and tools as those used in the Aurora campaign that breached Google, Adobe, and Intel in 2010. The main common thread: the Gh0st remote access tool (RAT), which also was used in its namesake 2009 GhostNet attacks that stole documents from the Dalai Lama and from governments and corporations in more than 103 countries. But that doesn't mean it's all the same attackers: "We are not entirely sure which threat actor group is behind the VOHO campaign. We can confirm that a variant of gh0st rat toolset was used in the VOHO campaign as it was in Aurora and GhostNet and that certain other attributes are comparable to those attacks," says Will Gragido, senior manager for RSA FirstWatch Threat Research.
The lines between various APT campaigns indeed can be blurry. Dell SecureWorks last week revealed a separate cyberespionage campaign called Mirage targeting energy firms, where the command-and-control IP addresses used in those attacks belonged to a specific Internet network that was also used for the custom malware involved in the RSA breach revealed in 2011.
Although Mirage employs GhostNet as well, Joe Stewart, director of malware research at Dell SecureWorks, says there is no evidence to conclusively connect it to the Aurora attackers.
Their main connection is that they are sharing some of the same infrastructure, he says. "But it's not necessarily the same actors," Stewart says. "In my opinion, they are different actors within the same command infrastructure. They do share domains and networks at times, but they all tend to use different malware preferences – that's just a personal preference on the part of the hackers."
IP addresses from the Mirage network also have been employed as C&C servers for malware in the GhostNet campaign that targeted government computers in more than 100 countries, according to SecureWorks' findings.
Symantec earlier this month reported its findings on Elderwood, a similar wave of attacks. The security firm said the attackers were focused on the defense industrial base, and also concluded that the very same malware authors were responsible for the Trojan used in the Aurora attacks.
But RSA doesn't believe the attackers behind Elderwood are the same ones behind VOHO. "VOHO used different malware," Cox says.
Despite all of the shared tools and modus operandi among seemingly different groups of attackers, there likely are fewer of these nation-state hackers than it seems. "There are probably fewer of them than you might think. We haven't discovered all of the links between all of the actors; the more of this we track, the fewer groups we visualize," SecureWorks' Stewart says. "It's just really hard to group them in any subset."
In addition, various groups are likely working on multiple campaigns. Take the VOHO attackers. "Potentially, while our research only covers a couple of campaigns, it is likely that additional campaigns were run by the VOHO group that we didn’t have visibility into," RSA's Cox says.
Among the capabilities of the attack are a phony Symantec antivirus update and a fake Microsoft update. But none of the malware samples RSA dissected provides any clues to what specific information the VOHO attackers are after.
So what stands out most about VOHO? "Clearly the amount of time and energy that was expended in scouting the sites that would be leveraged in the campaign. There is a method -- a pattern depicted here as a result of their choices which is not driven by coincidence. These sites were chosen for their relevance to individuals related -- in one way or another -- with the targets of interest the threat actors sought to compromise and exploit," Gragido says. "To the uninformed, it may look like a randomly driven ‘drive by’ attack, however, when one analyzes the data it clearly demonstrates their intent. We believe that is expressly seen in the industry/verticals impacted by the campaign and the geographic concentration of those compromises."
The full RSA white paper on VOHO is available for download as a PDF.