06:10 PM
Vast Cyberespionage Campaign 'Brazen' In Its Approach

RSA dissects so-called 'VOHO' attack campaign, which also shares common traits with prior attacks aimed at Google, others

An ongoing massive targeted cyberespionage campaign with similarities to other infamous high-profile cyberespionage hacks has victimized around 900 organizations across a wide base of industries over the past eight months, including international financial services firms, tech firms, utilities, government, education, corporate, and the defense industrial base. But unlike other so-called advanced persistent threat (APT)-style attacks, this one initially infects victims via strategic drive-by Web attacks.

RSA FirstWatch researchers say the attackers behind the so-called VOHO hacks have ties to China and used a technique they call "water holing" to rig with malware selected websites most likely frequented by the ultimate targets, based on associated areas of interest and geography. The end result: a drive-by-style attack, which is not typically associated with traditional cyberespionage or advanced persistent threat-style attacks.

Around 35,000 machines were hit by the VOHO attacks and redirected to compromised Web servers, and close to 4,000 machines ultimately were infected. That's a healthy infection-success rate of about 12 percent for the attackers, according to RSA's findings. "Drive-by based attacks in the cybercrime world typically have a 5- to 10 percent success rate," says Alex Cox, principal security researcher for RSA FirstWatch Threat Research. "While VOHO is not cybercrime, using that understanding, anything over 10 percent can be considered successful. These sorts of attacks never have an extremely high success rate on a numbers scale because of variables in the defender's infrastructure ... blocking technologies, host configuration, lack of vulnerable software, etc."

"This attack is particularly brazen due to its wide victim base. Typical APT attacks are very targeted, so this appears to be a more 'cast the net and see what we catch' approach: That's new," Cox says. The attack also targets users in the Boston, Massachusetts, and Washington, D.C., areas and suburbs, including those associated with the defense industrial base, education, and political activism.

The VOHO attackers also employ some of the same methods and tools as those used in the Aurora campaign that breached Google, Adobe, and Intel in 2010. The main common thread: the Gh0st remote access tool (RAT), which also was used in its namesake 2009 GhostNet attacks that stole documents from the Dalai Lama and from governments and corporations in more than 103 countries. But that doesn't mean it's all the same attackers: "We are not entirely sure which threat actor group is behind the VOHO campaign. We can confirm that a variant of gh0st rat toolset was used in the VOHO campaign as it was in Aurora and GhostNet and that certain other attributes are comparable to those attacks," says Will Gragido, senior manager for RSA FirstWatch Threat Research.

The lines between various APT campaigns indeed can be blurry. Dell SecureWorks last week revealed a separate cyberespionage campaign called Mirage targeting energy firms, where the command-and-control IP addresses used in those attacks belonged to a specific Internet network that was also used for the custom malware involved in the RSA breach revealed in 2011.

Although Mirage employs GhostNet as well, Joe Stewart, director of malware research at Dell SecureWorks, says there is no evidence to conclusively connect it to the Aurora attackers.

Their main connection is that they are sharing some of the same infrastructure, he says. "But it's not necessarily the same actors," Stewart says. "In my opinion, they are different actors within the same command infrastructure. They do share domains and networks at times, but they all tend to use different malware preferences – that's just a personal preference on the part of the hackers."

IP addresses from the Mirage network also have been employed as C&C servers for malware in the GhostNet campaign that targeted government computers in more than 100 countries, according to SecureWorks' findings.

[Attackers focused on cyberespionage and covert operations -- known in the defense industry as the "advanced persistent threat," or APT -- create stealthy malware that focuses on deniability over dollars. See The Attacker's Trade-Off: Stealth Versus Resilience. ]

Symantec earlier this month reported its findings on Elderwood, a similar wave of attacks. The security firm said the attackers were focused on the defense industrial base, and also concluded that the very same malware authors were responsible for the Trojan used in the Aurora attacks.

But RSA doesn't believe the attackers behind Elderwood are the same ones behind VOHO. "VOHO used different malware," Cox says.

Despite all of the shared tools and modus operandi by seemingly different groups of attackers, there likely are fewer of these nation-state hackers than it seems. "There are probably fewer of them than you might think. We haven't discovered all of the links between all of the actors; the more of this we track, the fewer groups we visualize," SecureWorks' Stewart says. "It's just really hard to group them in any subset."

In addition, various groups are likely working on multiple campaigns. Take the VOHO attackers. "Potentially, while our research only covers a couple of campaigns, it is likely that additional campaigns were run by the VOHO group that we didn’t have visibility into," RSA's Cox says.

Among the capabilities of the attack are a phony antivirus update for Symantec and a fake Microsoft update. But none of the malware samples RSA dissected provides any clues to what specific information the VOHO attackers are after.

So what stands out most about VOHO? "Clearly the amount of time and energy that was expended in scouting the sites that would be leveraged in the campaign. There is a method -- a pattern depicted here as a result of their choices which is not driven by coincidence. These sites were chosen for their relevance to individuals related -- in one way or another -- with the targets of interest the threat actors sought to compromise and exploit," Gragido says. "To the uninformed, it may look like a randomly driven ‘drive by’ attack, however, when one analyzes the data it clearly demonstrates their intent. We believe that is expressly seen in the industry/verticals impacted by the campaign and the geographic concentration of those compromises."

The full RSA white paper on VOHO is available here (PDF) for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
