Kaspersky Lab's Global Research and Analysis Team announced on Thursday (Aug 20) the discovery of Blue Termite, a cyber espionage campaign that has been targeting hundreds of organisations in Japan for the past two years and is still active today.
In October 2014, Kaspersky Lab researchers encountered a new malware sample, which turned out to be only a small part of a large and sophisticated cyber espionage campaign.
Health insurance services and the Japan Pension Service were found to be the key targets. Other targets include government organisations and organisations in heavy industry, finance, chemicals, satellites, media, education, healthcare and the food industry.
To infect their victims, the Blue Termite operators used several techniques. Before July 2015 they relied mostly on spear-phishing emails: the malware was sent as an attachment to a message whose content was crafted to interest the intended recipient.
In July, however, the operators changed tactics and began spreading the malware via a Flash exploit for CVE-2015-5119, the zero-day that became public in the Hacking Team breach earlier this summer (Adobe issued a fix for it shortly after the leak, so the campaign hit systems whose Flash Player had not yet been updated). Adoption of the exploit led to a significant spike in the infection rate registered by Kaspersky Lab's detection systems in mid-July.
The Blue Termite attackers also compromised several Japanese websites so that visitors would automatically be served the exploit on loading a page and become infected. This is known as a drive-by download.
One of the compromised websites belonged to a prominent member of the Japanese government. Another carried a malicious script that filtered visitors by IP address, serving the exploit only to requests from one address belonging to a specific Japanese organisation; everyone else received the ordinary page. In other words, only the chosen users got the malicious payload, which also means that an analyst fetching the page from any other address would see nothing malicious at all.
After a successful infection, a sophisticated backdoor is deployed on the targeted machine. The backdoor is capable of stealing passwords, downloading and executing additional payloads, retrieving files, and more.
Interestingly, each victim receives a unique malware sample, built so that it can only run on the specific PC the Blue Termite actor targeted. According to Kaspersky Lab researchers, this was done to make the malware harder for security researchers to analyse and detect: a sample copied to an analysis machine does not behave as it does on the victim's host.
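The following is an added example, not code from the Kaspersky report or from the Blue Termite malware, showing one way a sample can be bound to a single machine: environmental keying, where the payload is encrypted under a key derived from identifiers the operator already knows about the target. The hostname, username and machine GUID used here are hypothetical stand-ins, and the page does not say which identifiers Blue Termite actually used. Carried to any other machine, the sample fails its integrity check and never yields the payload, which is exactly the analysis and detection problem described above.

```python
"""Environmental keying: a payload that only decrypts on the intended host."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a second-stage backdoor; any bytes would do.
PAYLOAD = b"second-stage backdoor bytes (constructed sample data)"

# Hypothetical identifiers the operator learned about the victim beforehand
# (assumed names, not values from the Blue Termite report) and the differing
# identifiers of an analyst's sandbox.
VICTIM = ("PC-TARO-01", "taro.yamada", "5f3a2b1c-0000-4000-8000-c0ffee000001")
SANDBOX = ("ANALYST-VM", "analyst", "00000000-0000-4000-8000-000000000000")

PBKDF2_ROUNDS = 50_000


def host_fingerprint(hostname: str, username: str, machine_guid: str) -> bytes:
    """Stable per-machine fingerprint from identifiers that are fixed on one PC
    but differ on an analyst's machine or sandbox (case-normalised)."""
    material = f"{hostname.lower()}|{username.lower()}|{machine_guid.lower()}"
    return hashlib.sha256(material.encode()).digest()


def derive_key(fingerprint: bytes, salt: bytes) -> bytes:
    """Per-sample key: fingerprint plus a random salt, so two samples built for
    the same victim still have different keys and ciphertexts."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint, salt, PBKDF2_ROUNDS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_sample(payload: bytes, hostname: str, username: str, machine_guid: str) -> dict:
    """Operator side: wrap the payload so it is bound to exactly one machine."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(host_fingerprint(hostname, username, machine_guid), salt)
    ciphertext = xor_bytes(payload, keystream(key, nonce, len(payload)))
    tag = hmac.new(key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def run_sample(sample: dict, hostname: str, username: str, machine_guid: str) -> Optional[bytes]:
    """Victim side: recompute the key from the host the sample is running on.
    On any other machine the tag check fails and the payload is never recovered."""
    key = derive_key(host_fingerprint(hostname, username, machine_guid), sample["salt"])
    data = sample["salt"] + sample["nonce"] + sample["ciphertext"]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sample["tag"]):
        return None  # wrong host: nothing launches, nothing for a sandbox to observe
    return xor_bytes(sample["ciphertext"], keystream(key, sample["nonce"], len(sample["ciphertext"])))


if __name__ == "__main__":
    sample = build_sample(PAYLOAD, *VICTIM)
    print("on victim :", run_sample(sample, *VICTIM))
    print("in sandbox:", run_sample(sample, *SANDBOX))
```

The defensive consequence is the one the paragraph hints at: a dynamic-analysis run on any machine other than the victim's sees only a loader that exits quietly, so static signatures on the encrypted payload do not generalise across victims. Analysis has to happen on the infected host itself, or with its identifiers replicated, and detection leans on the loader's behaviour and on the delivery infrastructure rather than on the payload bytes.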
With regard to the identity of the attackers, Kaspersky Lab has noted that the graphical user interface of the command-and-control server, as well as some technical documents related to the malware used in the Blue Termite operation, are written in Chinese. This could mean that the actors behind the operation speak the language, although language artefacts on their own are weak evidence for attribution.
"Although Blue Termite is not the first cyber espionage campaign to target Japan, it is the first campaign known to Kaspersky Lab to be strictly focused on Japanese targets. In Japan it is still a problem," said Suguru Ishimaru, Junior Researcher at Kaspersky Lab.