'NetTraveler' Cyberespionage Campaign Uncovered

Nearly decade-old attack also has links to other APT groups, infrastructure

A less sophisticated but long-running cyberspying program out of China aimed at high-profile targets in government, embassies, oil and gas, military contractors, activists, and universities has infected hundreds of targets across 40 nations.

The so-called NetTraveler campaign revealed today by Kaspersky Lab comes from a midsize APT group out of China that has some 50 members and who also have used other malware including Zegost (from Gh0stNet), Saker, and other APT-related tools. That doesn't mean the same group is behind Gh0stNet or other campaigns, however: "The groups and their activities are large, complex and in many ways separate, and we are simply saying that there are inter-relations in the dataset," said Kurt Baumgartner, senior security researcher for the Americas on the Global Research and Analysis Team at Kaspersky Lab, in an email interview. "This group's connections with a handful of other groups is both operational and shares infrastructure."

According to Kaspersky's findings, the backdoor used in NetTraveler was likely written by the same developer who wrote the Gh0st/Zegost remote access Trojan. NetTraveler's IP address range has some overlap with Zegost. "For instance, one of the command and control servers that is part of the infrastructure, is a well-known C2 for multiple Zegost variants, still active as of May 2013. The targets and command and control domain naming scheme indicates a connection between the Lurid/Enfal attackers and NetTraveler," according to a report published today by Kaspersky Lab. "Some of the NetTraveler C2's are used to distribute a malware known as 'Saker' or 'Xbox.' which is delivered as an 'update' to the NetTraveler victims."

And in yet another example of how we've likely only scratched the surface on APTs, the researchers also discovered that six of the NetTraveler victims -- a Russian military contractor, an embassy in Belgium, an embassy in Iran, an embassy in Kazakhstan, an embassy in Belarus, and a government organization in Tajikistan -- also had been hit by Red October, a cyberespionage campaign likely out of Eastern Europe. According to Kaspersky's findings, this indicates the value of these targets.

"Threat actors infiltrate victims simultaneously and may or may not be concerned about victim overlap. Most likely, with these two groups in particular, the operators have a specific set of tasks to carry out at the victim organizations," Baumgartner says. "If they happen to see another piece of malware on the target network, and it doesn't interrupt their operation, they just go back to completing their assignments."

NetTraveler doesn't use zero-day attacks but instead exploits two well-known (and patched) vulnerabilities in Microsoft Office, a former bug in Windows Common Controls that was patched over a year ago (CVE-2012-0158) and multiple former flaws in Microsoft Office that were fixed two years ago (CVE-2010-3333). Like most targeted attacks, it starts with spear-phishing emails using attachments -- in this case, rigged with the Office exploits. "Although these vulnerabilities have been patched by Microsoft, they remain effective and are among the most exploited in targeted attacks," Kaspersky Lab said in its report today on NetTraveler.

The researchers say despite the relatively unsophisticated methods, the campaign still was highly successful against these high-profile victims. Bottom line: their machines weren't patched with the latest Microsoft updates.

"We found more than a handful of victims that were infiltrated by both the Red October and NetTraveler threat actors simultaneously. Where we may have suspected that it happened infrequently, we have concrete data that there are multiple high value targets that cannot adequately defend themselves -- they are easy picking for threat actors and should not be," Kaspersky's Baumgartner says.

[Operation Hangover signals new franchise model in cyberespionage with cyberspying services for hire. See 'Commercialized' Cyberespionage Attacks Out Of India Targeting U.S., Pakistan, China, And Others .]

"That's a vulnerability management issue," says Lawrence Orans, research director for Gartner. "Those Microsoft Office patches had been out there for [at least] a year, and all they had to do was patch it ... It comes down to poor processes."

Kaspersky found more than 22 gigabytes of stolen data on some of NetTraveler's 30 command and control servers, including file system listings, key logs, PDFs, Excel spreadsheets, Word documents, and other files. The NetTraveler malware also can be used to install custom tools that target computer-aided design (CAD) files and application configuration information, for example.

Among the topics of interest for the NetTraveler APT group are space exploration, nanotechnology, energy production, nuclear power, laser technology, medicine, and communications. Mongolia (29 percent), Russia (19 percent), India (11 percent), and Kazakhstan (11 percent) had the most victims, and infected targets were also found in the U.S., Canada, UK, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran, Turkey, Pakistan, South Korea, Thailand, Qatar, Kazakhstan, and Jordan.

Some 32 percent of the victims were in the diplomacy realm; 19 percent, government; 11 percent, private; and 9 percent, military.

The full Kaspersky Lab report on NetTraveler is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights