Vast Cyberespionage Campaign 'Brazen' In Its Approach

RSA dissects so-called 'VOHO' attack campaign, which also shares common traits with prior attacks aimed at Google, others

An ongoing massive targeted cyberespionage campaign with similarities to other infamous high-profile cyberespionage hacks has victimized around 900 organizations across a wide base of industries over the past eight months, including international financial services firms, tech firms, utilities, government, education, corporate, and the defense industrial base. But unlike other so-called advanced persistent threat (APT)-style attacks, this one initially infects victims via strategic drive-by Web attacks.

RSA FirstWatch researchers say the attackers behind the so-called VOHO hacks have ties to China and used a technique they call "water holing": rigging with malware the selected websites most likely to be frequented by the ultimate targets, based on associated areas of interest and geography. The end result is a drive-by-style attack, which is not typically associated with traditional cyberespionage or advanced persistent threat-style attacks.

Around 35,000 machines were hit by the VOHO attacks and redirected to compromised Web servers, and close to 4,000 machines ultimately were infected. That's a healthy infection-success rate of about 12 percent for the attackers, according to RSA's findings. "Drive-by based attacks in the cybercrime world typically have a 5- to 10 percent success rate," says Alex Cox, principal security researcher for RSA FirstWatch Threat Research. "While VOHO is not cybercrime, using that understanding, anything over 10 percent can be considered successful. These sorts of attacks never have an extremely high success rate on a numbers scale because of variables in the defenders' infrastructure ... blocking technologies, host configuration, lack of vulnerable software, etc."

"This attack is particularly brazen due to its wide victim base. Typical APT attacks are very targeted, so this appears to be a more 'cast the net and see what we catch' approach: That's new," Cox says. The attack also targets users in Boston, Massachusetts, and in the Washington, D.C., area and its suburbs, including those associated with the defense industrial base, education, and political activism.

The VOHO attackers also employ some of the same methods and tools as those used in the Aurora campaign that breached Google, Adobe, and Intel in 2010. The main common thread: the Gh0st remote access tool (RAT), which also was used in its namesake 2009 GhostNet attacks that stole documents from the Dalai Lama and from governments and corporations in more than 103 countries. But that doesn't mean it's all the same attackers: "We are not entirely sure which threat actor group is behind the VOHO campaign. We can confirm that a variant of gh0st rat toolset was used in the VOHO campaign as it was in Aurora and GhostNet and that certain other attributes are comparable to those attacks," says Will Gragido, senior manager for RSA FirstWatch Threat Research.

The lines between various APT campaigns indeed can be blurry. Dell SecureWorks last week revealed a separate cyberespionage campaign called Mirage targeting energy firms, where the command-and-control IP addresses used in those attacks belonged to a specific Internet network that was also used for the custom malware involved in the RSA breach revealed in 2011.

Although Mirage employs GhostNet as well, Joe Stewart, director of malware research at Dell SecureWorks, says there is no evidence to conclusively connect it to the Aurora attackers.

Their main connection is that they are sharing some of the same infrastructure, he says. "But it's not necessarily the same actors," Stewart says. "In my opinion, they are different actors within the same command infrastructure. They do share domains and networks at times, but they all tend to use different malware preferences – that's just a personal preference on the part of the hackers."

IP addresses from the Mirage network also have been employed as C&C servers for malware in the GhostNet campaign that targeted government computers in more than 100 countries, according to SecureWorks' findings.

[Attackers focused on cyberespionage and covert operations -- known in the defense industry as the "advanced persistent threat," or APT -- create stealthy malware that focuses on deniability over dollars. See The Attacker's Trade-Off: Stealth Versus Resilience. ]

Symantec earlier this month reported its findings on Elderwood, a similar wave of attacks. The security firm said the attackers were focused on the defense industrial base, and also concluded that the very same malware authors were responsible for the Trojan used in the Aurora attacks.

But RSA doesn't believe the attackers behind Elderwood are the same ones behind VOHO. "VOHO used different malware," Cox says.

Despite all of the shared tools and modus operandi by seemingly different groups of attackers, there likely are fewer of these nation-state hackers than it seems. "There are probably fewer of them than you might think. We haven't discovered all of the links between all of the actors; the more of this we track, the fewer groups we visualize," SecureWorks' Stewart says. "It's just really hard to group them in any subset."

In addition, various groups are likely working on multiple campaigns. Take the VOHO attackers. "Potentially, while our research only covers a couple of campaigns, it is likely that additional campaigns were run by the VOHO group that we didn’t have visibility into," RSA's Cox says.

Among the capabilities of the attack are a phony antivirus update for Symantec and a fake Microsoft update. But none of the malware samples RSA dissected provides any clues to what specific information the VOHO attackers are after.

So what stands out most about VOHO? "Clearly the amount of time and energy that was expended in scouting the sites that would be leveraged in the campaign. There is a method -- a pattern depicted here as a result of their choices which is not driven by coincidence. These sites were chosen for their relevance to individuals related -- in one way or another -- with the targets of interest the threat actors sought to compromise and exploit," Gragido says. "To the uninformed, it may look like a randomly driven 'drive-by' attack; however, when one analyzes the data, it clearly demonstrates their intent. We believe that is expressly seen in the industry/verticals impacted by the campaign and the geographic concentration of those compromises."

The full RSA white paper on VOHO is available here (PDF) for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.