Photo - Costin Raiu, Director of Global Research and Analyst Team, Kaspersky Lab.
In 2014, Kaspersky Lab monitored two cyberespionage groups, Hellsing and Naikon, engaging each other in a new pattern of criminal cyberactivity, the Russian security solutions firm said. The Hellsing malware was detected attacking government and diplomatic organisations, mainly in Malaysia and the Philippines, followed by India, Indonesia and the U.S.
Kaspersky Lab's director of global research and analyst team, Costin Raiu, said this "was a rare and unusual example of one cybercriminal attacking another." It was discovered during research into the activity of Naikon, a cyberespionage group which, like Hellsing, also targeted organisations in the Asia-Pacific region.
One of Naikon's targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment, said Raiu. This attack was by Hellsing, a "small and technically unremarkable cyberespionage group targeting mostly government and diplomatic organisations in Asia, and had been subjected to a spear-phishing attack by another threat actor and decided to strike back."
He said Kaspersky Lab believed that this could signal the beginning of a new trend in criminal cyberactivity, called "the APT wars." The method of counter-attack showed that Hellsing wanted to identify the Naikon group and gather intelligence on it.
Raiu added that deeper analysis of the Hellsing threat actor revealed a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organisations. On opening the malicious attachment, the victim's system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself.
Empire Strikes Back
The number of organisations targeted by Hellsing was close to 20, he said, adding that Kaspersky Lab has so far detected and blocked the Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US, with most of the victims located in Malaysia and the Philippines. The attackers are focused on government and diplomatic organisations.
"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting - 'Empire Strikes Back' style, is fascinating," added Raiu. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack."
The Hellsing threat actor has been active since at least 2012 and remains active, he said, and recommended the following best practices:
- Don't open suspicious attachments from people you don't know
- Beware of password-protected archives which contain SCR or other executable files inside
- If you are unsure about the attachment, try to open it in a sandbox
- Make sure you have a modern operating system with all patches installed
- Update all third-party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader
More information on the Hellsing attack vector can be found at securelist.com