An international group of criminals, dubbed "Inception" by the security firm that uncovered them, has been carrying out a sophisticated cyber espionage campaign directed primarily at companies in Russia or with interests in that country.
Targets of the group’s campaign include top executives in companies from the oil, finance, and engineering sectors, as well as military, government, and embassy officials from several countries, security firm Blue Coat Labs said in a report released Wednesday. Companies in Russia, Romania, Venezuela, and Mozambique and embassies and diplomatic offices in Paraguay, Romania, and Turkey have been hit by the group’s expanding campaign.
The operational security, code samples, obfuscation tactics, and misdirection used by members of Operation Inception are among the most sophisticated that Blue Coat has observed, says Waylon Grange, senior malware researcher with Blue Coat. Also interesting is its use of malware tools targeting Android, iOS, and BlackBerry mobile devices, he says.
Kaspersky Lab, meanwhile, today said Inception appears to be a new version of Red October. In a blog post today, Kaspersky dubbed the campaign Cloud Atlas. “Just like with Red October, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN),” the company said. Companies in Belarus, Kazakhstan, and India also appear to be major targets.
“Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky said.
The group behind Inception typically uses malware embedded in Rich Text Format (RTF) files to infect victim PCs and notebooks, Blue Coat said. The malware is delivered via highly customized spear phishing emails with an attached Trojanized Word document containing the malware.
When an unsuspecting victim clicks on the attachment, it opens the expected Word document to avoid raising any red flags. But in the background, the malware exploits a previously known RTF vulnerability to drop two small pieces of code to disk and open a communication link with command-and-control accounts hosted by a free version of Swedish hosting service CloudMe.
The attackers have recently started using Multimedia Messaging Service (MMS) and SMS to send phishing texts and other bait to Android, BlackBerry, and iOS devices belonging to targeted individuals. Blue Coat believes the group has infiltrated the networks of at least 60 providers of mobile services around the world.
“Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name,” Blue Coat said in its report.
Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data that is collected is encrypted and sent to a cloud account via the Web Distributed Authoring and Versioning (WebDAV) format in an apparent attempt to avoid detection by anti-malware tools, the report noted.
“The framework is designed in such a way that all communication after malware infection (i.e. target surveying, configuration updates, malware updates, and data exfiltration) can be performed via the cloud service,” Blue Coat said in its report. Interestingly, each infected machine communicates with its own command-and-control account on the hosted cloud service.
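The WebDAV-over-cloud channel described above leaves a footprint that ordinary browsing does not: a workstation issuing PROPFIND, MKCOL or PUT requests to a consumer cloud-storage endpoint, with each host talking to its own account path. The following script is an added illustration of that detection idea, not code from the Blue Coat report; it scans constructed proxy log lines (the log format, the client addresses, the account names and the watchlist domain `webdav.cloudstorage.example` are all assumptions made for the example) and reports, per client, the WebDAV methods used, the upload volume, and whether accounts map one-to-one onto hosts.

```python
"""Flag hosts that speak WebDAV to a watched cloud-storage domain in proxy logs.

Added example; the log format, hostnames, client IPs and account paths below
are constructed for illustration and do not come from the Blue Coat report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Methods only a WebDAV client issues; a plain browser never sends these.
WEBDAV_ONLY_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Methods that carry data out when aimed at a watched domain.
UPLOAD_METHODS = {"PUT", "POST"}

# Placeholder watchlist (assumption): a real deployment would list the WebDAV
# endpoints of the cloud services it wants to keep an eye on.
WATCHED_DOMAINS = {"webdav.cloudstorage.example"}

# Constructed sample log. Fields: timestamp client_ip method url status request_body_bytes
SAMPLE_LOG = """\
2014-12-10T09:01:12Z 10.1.4.22 GET http://intranet.example.local/news 200 0
2014-12-10T09:02:40Z 10.1.4.22 PROPFIND https://webdav.cloudstorage.example/u1a9f3/ 207 143
2014-12-10T09:02:41Z 10.1.4.22 PUT https://webdav.cloudstorage.example/u1a9f3/sysinfo.bin 201 4096
2014-12-10T09:03:05Z 10.1.4.57 GET https://www.example.com/ 200 0
2014-12-10T09:10:13Z 10.1.4.57 PROPFIND https://webdav.cloudstorage.example/k77q2d/ 207 143
2014-12-10T09:10:15Z 10.1.4.57 PUT https://webdav.cloudstorage.example/k77q2d/data.enc 201 65536
2014-12-10T09:12:00Z 10.1.4.22 GET https://webdav.cloudstorage.example/u1a9f3/task.cfg 200 0
2014-12-10T09:15:44Z 10.1.4.90 PUT https://files.example.com/share/report.docx 201 20480
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


@dataclass
class HostFinding:
    client: str
    accounts: set = field(default_factory=set)   # first path segment = the per-host account
    methods: set = field(default_factory=set)
    bytes_uploaded: int = 0
    events: int = 0


def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def account_of(url):
    """Treat the first path segment as the cloud account the host is using."""
    path = urlparse(url).path.strip("/")
    return path.split("/", 1)[0] if path else ""


def analyze(log_text, watched_domains=WATCHED_DOMAINS):
    """Collect WebDAV and upload activity toward watched domains, keyed by client IP."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if host not in watched_domains:
            continue
        method = rec["method"]
        if method not in WEBDAV_ONLY_METHODS and method not in UPLOAD_METHODS:
            continue
        f = findings.setdefault(rec["client"], HostFinding(rec["client"]))
        f.events += 1
        f.methods.add(method)
        f.accounts.add(account_of(rec["url"]))
        if method in UPLOAD_METHODS:
            f.bytes_uploaded += rec["bytes"]
    return findings


def one_account_per_host(findings):
    """True when every watched account is used by exactly one client: the
    one-account-per-infected-machine layout the report describes."""
    owners = defaultdict(set)
    for f in findings.values():
        for acct in f.accounts:
            owners[acct].add(f.client)
    return bool(owners) and all(len(c) == 1 for c in owners.values())


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for client, f in sorted(results.items()):
        print(f"{client}: accounts={sorted(f.accounts)} methods={sorted(f.methods)} "
              f"uploaded={f.bytes_uploaded}B events={f.events}")
    print("one account per host:", one_account_per_host(results))
```

The GET of a tasking file is deliberately not scored on its own, since a GET to a cloud host is indistinguishable from browsing; what separates the channel from legitimate use is the WebDAV-only verbs and uploads, which is why the third client, which only PUTs to an unwatched file share, is not flagged.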
What makes the campaign remarkable is the extent to which the attackers have gone to hide their tracks, Grange says.
The malware, for example, appears designed to know when it is running in a sandboxed environment or has been detected by a security tool. In such instances, it drops a decoy payload, like a previously known advanced persistent threat used by a Chinese group, to try and throw investigators off track, he says. Most of the malicious code executes in memory, and very little is actually written to disk, making the code very hard to detect.
Masking their true identity
The malicious files and code used in the Operation Inception campaign have names and other hints that appear deliberately designed to confuse people about the group and its affiliations.
For instance, some of the comments used in the Android malware are in Hindi, suggesting ties to India; some documents are titled in Spanish, hinting at a Spanish connection; while some strings used in the BlackBerry malware used by the group are in Arabic, pointing to a Middle Eastern link.
Many of the files and data stolen from compromised systems have been stored on CloudMe, a Swedish hosting service that the group has been using as its primary command-and-control infrastructure. The attackers appear to be most active from 8:00 a.m. to 5:00 p.m. in the Eastern Europe time zone, suggesting they are based in that region, though that could be a deliberate ploy to confound investigators as well, Grange says. “They have intentionally put a lot of red herrings in their code and their procedures,” he says, which makes it difficult to say where the group is from or what they are after.
The manner in which the attackers actually communicate with compromised systems belonging to their targets also makes them very hard to track down. The group appears to have taken control of numerous poorly configured home routers in South Korea, which they use to communicate with accounts hosted on CloudMe, which in turn are used to communicate with and task the compromised systems.
Blue Coat has observed the attackers using at least 100 compromised home routers to communicate with their command-and-control infrastructure on CloudMe, Grange says. The system appears to be set up in such a manner that the routers used to talk to the cloud services change every hour.
“We have seen malware use the cloud before. But never before have we seen anyone go to this much trouble” to hide tracks, he says.
Since July, when Blue Coat first started tracking Operation Inception, the group has sent at least 9,000 "tasking" requests to systems that it has managed to break into. The attackers have used the requests to pull information from the compromised systems. While at least some of the information is device-related, it is hard to say what other data the attackers have extracted from their victims, according to Grange.
The Word documents used in the malware campaign resemble those used in the "Rocra" or Red October campaign, Grange notes. First uncovered by Kaspersky Lab in October 2012, the Red October campaign targeted companies in critical sectors in various countries in Eastern Europe and Asia. The group is believed to have extracted terabytes worth of data from computers, mobile phones, and other devices. It was shut down after Kaspersky went live with the details of the operation in January 2013.