Cyber-Espionage Campaign Hits Government Sites in Asia, Eastern Europe

More than 1,400 computers were compromised in Asia and Eastern Europe in a massive e-mail cyber-attack that hit space agencies and research institutions. But this time China was not implicated.

Researchers have uncovered a series of cyber-attacks targeting government agencies and research institutions around the world. But unlike recent high-profile incidents, China has not been blamed.

Attackers targeted 47 victims including space-related government agencies, diplomatic missions, research institutions and companies located in 61 countries, including Russia, India, Mongolia, Vietnam and the Commonwealth of Independent States (former Soviet Union countries), Trend Micro researchers wrote in a Sept. 22 blog. Trend Micro classified the attack as an advanced persistent threat and said a total of 1,465 computers had been targeted, including the ones belonging to the Russian Federal Space Agency.

Dubbed "Lurid," these attacks do not appear be very different from other recent stealth cyber-campaigns, such as Shady RAT, Aurora and Night Dragon. Employees received malicious emails designed to exploit vulnerabilities in unpatched software, most often Adobe Reader and Microsoft Office, wrote David Sancho and Nart Villeneuve, senior threat researchers at Trend Micro.

The malicious attachments did not always rely upon zero-day vulnerabilities, but used older, reliable exploits going as far back as 2009. The zero-days were saved for "hardened targets," but Trend Micro has not yet come across those emails.

"In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1,465 victims," Sancho and Villeneuve wrote.

The Enfal malware family has been used to attack government and non-governmental organizations in the United States working with the Tibetan community in the past. However, there appear to be no direct links between this particular attack and the previous ones, Sancho and Villeneuve wrote.

The attacks appear to have started in August 2010 and the malicious emails were sent in "waves." Logfiles intercepted by Trend Micro identified at least 301 waves of discrete mail campaigns because each malware sent back a "marker" to the C&C servers to identify itself. A little over half, or 59 percent, were directed toward unique hosts. Once one machine had been compromised inside an organization, the attackers used it as a jumping-off point to infect other machines on the network.

One version of the malware installed itself as a Windows service and the other version added itself to the Windows start-up routine. The malware also allowed attackers to gain shell access to issue a variety of commands on the compromised system.

In the Lurid campaign, once a system was compromised, attackers used the "Enfal" downloader Trojan to steal spreadsheets, documents and other information. Enfal has been around since at least 2006, but it is not commonly sold on underground criminal forums.

Stolen documents were uploaded to Websites hosted on command-and-control servers located in the United States and the United Kingdom. This doesn't mean the attackers were based in the United States or UK as attackers can hide their tracks by compromising servers anywhere in the world and using tools such as virtual private networks (VPN) to mislead investigators. In recent cyber-attacks, such as "Shady RAT," China was often blamed just because the command-and-control servers appeared to be based in China.

Trend Micro has gained access to the logfiles on the c&c server but did not access the server directly. Nor has it discovered the actual stolen files. A non-governmental organization working on Tibet-related projects submitted the initial malware to Trend Micro for analysis in March.

Trend Micro has notified the Federal Bureau of Investigation and the Metropolitan Police Central eCrime Unit.