'Inception' Cyber Espionage Campaign Targets PCs, Smartphones

Blue Coat report details sophisticated attacks mainly against Russian targets, and Kaspersky Lab calls new campaign next-generation of Red October cyber spying operation.

An international group of criminals, dubbed "Inception" by the security firm that uncovered them, has been carrying out a sophisticated cyber espionage campaign directed primarily at companies in Russia or with interests in that country.

Targets of the group’s campaign include top executives in companies from the oil, finance, and engineering sectors, as well as military, government, and embassy officials from several countries, security firm Blue Coat Labs said in a report released Wednesday. Companies in Russia, Romania, Venezuela, and Mozambique and embassies and diplomatic offices in Paraguay, Romania, and Turkey have been hit by the group’s expanding campaign.

The operational security, code samples, obfuscation tactics, and misdirection used by members of Operation Inception are among the most sophisticated that Blue Coat has observed, says Waylon Grange, senior malware researcher with Blue Coat. Also interesting is its use of malware tools targeting Android, iOS, and BlackBerry mobile devices, he says.

Kaspersky Lab, meanwhile, today said Inception appears to be a new version of Red October. In a blog post today, Kaspersky dubbed the campaign Cloud Atlas. “Just like with Red October, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN),” the company said. Companies in Belarus, Kazakhstan, and India also appear to be major targets.

“Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky said.

The group behind Inception typically uses malware embedded in Rich Text Format (RTF) files to infect victim PCs and notebooks, Blue Coat said. The malware is delivered via highly customized spear-phishing emails with an attached Trojanized Word document (an RTF file opened in Word) that carries the exploit.

When an unsuspecting victim opens the attachment, the expected Word document is displayed so as not to raise any red flags. In the background, the malware exploits a previously known RTF vulnerability to drop two small pieces of code to disk and opens a communication channel to command-and-control accounts hosted on the free tier of CloudMe, a Swedish cloud storage service.

[Figure: Inception exploit container (Source: Blue Coat)]

The attackers have recently started using Multimedia Messaging Service (MMS) and SMS to send phishing texts and other bait to Android, BlackBerry, and iOS devices belonging to targeted individuals. Blue Coat believes the group has infiltrated the networks of at least 60 providers of mobile services around the world.

“Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name,” Blue Coat said in its report.

Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data collected is encrypted and uploaded to a cloud account over the Web Distributed Authoring and Versioning (WebDAV) protocol, an apparent attempt to blend in with legitimate cloud traffic and avoid detection by anti-malware tools, the report noted.

“The framework is designed in such a way that all communication after malware infection (i.e. target surveying, configuration updates, malware updates, and data exfiltration) can be performed via the cloud service,” Blue Coat said in its report. Interestingly, each infected machine communicates with its own command-and-control account on the hosted cloud service.
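The two paragraphs above describe the traffic pattern a defender can actually look for: WebDAV verbs (PROPFIND, PUT and friends) from endpoints to a consumer cloud storage service, with each infected host using its own account. The following is an added example, not code from the Blue Coat report, that runs that heuristic over proxy log lines. The log lines, the client addresses, the account names and the watched hostname `webdav.cloudstore.test` are all constructed for the example; the real CloudMe endpoint is not named on this page and is not assumed here.

```python
"""Flag WebDAV-over-HTTP traffic from endpoints to a watched cloud storage
host, and check for the one-account-per-victim layout described above.

Added example. Log lines, IPs, account names and the watched hostname are
constructed; substitute your own proxy log format and provider endpoints."""
import re
from collections import defaultdict

# WebDAV-specific verbs plus PUT (used for uploads). A plain GET is ordinary browsing.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT"}

# Cloud storage endpoints to watch. Placeholder domain, not a real provider endpoint.
WATCHED_HOSTS = {"webdav.cloudstore.test"}

# Assumed log format: <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^\s?]*)?')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    if not u:
        return None
    rec["host"] = u.group("host").lower()
    rec["path"] = u.group("path") or "/"
    # Treat the first path segment as the storage account, e.g. /acct-7f3a/s.bin -> acct-7f3a
    rec["account"] = rec["path"].strip("/").split("/", 1)[0] if rec["path"] != "/" else ""
    return rec


def find_webdav_c2(lines):
    """Return {client_ip: {"accounts", "methods", "user_agents", "events"}} for
    clients that used WebDAV verbs against a watched cloud host."""
    hits = defaultdict(lambda: {"accounts": set(), "methods": set(),
                                "user_agents": set(), "events": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip rather than crash the sweep
        if rec["host"] in WATCHED_HOSTS and rec["method"] in WEBDAV_METHODS:
            h = hits[rec["src"]]
            h["accounts"].add(rec["account"])
            h["methods"].add(rec["method"])
            h["user_agents"].add(rec["ua"])
            h["events"] += 1
    return dict(hits)


def one_account_per_host(hits):
    """True when at least two flagged clients each use exactly one account and
    no two clients share one: the per-victim C2 account layout described above."""
    accounts = [frozenset(h["accounts"]) for h in hits.values()]
    return (len(accounts) > 1
            and all(len(a) == 1 for a in accounts)
            and len(set(accounts)) == len(accounts))


# Constructed sample proxy log; the last line is deliberately malformed.
SAMPLE_LOG = [
    '2014-12-10T08:02:11Z 10.1.4.23 GET http://www.example-news.test/index.html 200 "Mozilla/5.0"',
    '2014-12-10T08:03:40Z 10.1.4.23 PROPFIND https://webdav.cloudstore.test/acct-7f3a/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-10T08:03:41Z 10.1.4.23 PUT https://webdav.cloudstore.test/acct-7f3a/s.bin 201 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-10T08:04:02Z 10.1.4.57 PROPFIND https://webdav.cloudstore.test/acct-c2e9/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-10T08:04:05Z 10.1.4.57 PUT https://webdav.cloudstore.test/acct-c2e9/x.bin 201 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-10T08:05:00Z 10.1.4.88 GET https://webdav.cloudstore.test/acct-1111/readme.txt 200 "Mozilla/5.0"',
    'garbage line that should be ignored',
]

if __name__ == "__main__":
    hits = find_webdav_c2(SAMPLE_LOG)
    for src, h in sorted(hits.items()):
        print(src, sorted(h["accounts"]), sorted(h["methods"]), h["events"])
    print("per-victim account pattern:", one_account_per_host(hits))
```

Only the two clients issuing PROPFIND/PUT are flagged; the client that merely fetched a file with GET is not, which keeps ordinary use of the same service out of the alert. The per-account check is a corroborating signal rather than proof: an enterprise where many users legitimately sync to personal cloud accounts will also show one account per host, so pair it with the WebDAV verb and user-agent fields before escalating.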

What makes the campaign remarkable is the extent to which the attackers have gone to hide their tracks, Grange says.

The malware, for example, appears designed to recognize when it is running in a sandboxed environment or has been detected by a security tool. In such cases it drops a decoy payload, such as a previously known advanced persistent threat tool attributed to a Chinese group, to throw investigators off track, he says. Most of the malicious code executes in memory, and very little is actually written to disk, which makes it very hard to detect.

Masking their true identity
The malicious files and code used in the Operation Inception campaign have names and other hints that appear deliberately designed to confuse people about the group and its affiliations.

For instance, some of the comments in the Android malware are in Hindi, suggesting ties to India; some documents are titled in Spanish, hinting at a Spanish-speaking connection; and some strings in the BlackBerry malware are in Arabic, pointing to a Middle Eastern link.

Many of the files and data stolen from compromised systems have been stored on CloudMe, the Swedish hosting service that the group has been using as its primary command-and-control infrastructure. The attackers appear to be most active from 8:00 a.m. to 5:00 p.m. in the Eastern European time zone, suggesting they are based in that region, though that could be a deliberate ploy to confound investigators as well, Grange says. “They have intentionally put a lot of red herrings in their code and their procedures,” he says, which makes it difficult to say where the group is from or what they are after.

The way the attackers communicate with compromised systems also makes them hard to track down. The group appears to have taken control of numerous poorly configured home routers in South Korea. The attackers connect through those routers to the accounts hosted on CloudMe, and the CloudMe accounts in turn are used to communicate with and task the compromised systems.

Blue Coat has observed the attackers using at least 100 compromised home routers to reach their command-and-control infrastructure on CloudMe, Grange says. The setup appears to rotate which router is used to talk to the cloud service every hour.

“We have seen malware use the cloud before. But never before have we seen anyone go to this much trouble” to hide their tracks, he says.

Since July when Blue Coat first started tracking Operation Inception, the group has sent at least 9,000 "tasking" requests to systems that it has managed to break into. The attackers have used the requests to pull information from the compromised systems. While at least some of the information is device-related, it is hard to say what other data the attackers have extracted from their victims, according to Grange.

The Word documents used in the malware campaign resemble those used in the "Rocra" or Red October campaign, Grange notes. First uncovered by Kaspersky Lab in October 2012, the Red October campaign targeted companies in critical sectors in various countries in Eastern Europe and Asia. The group is believed to have extracted terabytes worth of data from computers, mobile phones, and other devices. It was shut down after Kaspersky went public with the details of the operation in January 2013.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

12/10/2014 | 2:57:00 PM
Another wave of threats, what else is new...
It's increasingly worrisome to see how advanced some of these attacks get, whereby they can even drop payloads if they think they have been found by internal security systems.  On top of this, with not enough enterprises properly protecting smartphone devices aside from loss protection and remote wipe, these attacks can definitely be assumed to cause significant potential damage to internal systems.  Great news to see that these threats are getting better detection and insight to help provide tools to protect users and businesses from these risks.