Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Networking

    Cyber-Espionage Campaign Hits Government Sites in Asia, Eastern Europe

    By
    Fahmida Y. Rashid
    -
    September 23, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Researchers have uncovered a series of cyber-attacks targeting government agencies and research institutions around the world. But unlike recent high-profile incidents, China has not been blamed.

      Attackers targeted 47 victims including space-related government agencies, diplomatic missions, research institutions and companies located in 61 countries, including Russia, India, Mongolia, Vietnam and the Commonwealth of Independent States (former Soviet Union countries), Trend Micro researchers wrote in a Sept. 22 blog. Trend Micro classified the attack as an advanced persistent threat and said a total of 1,465 computers had been targeted, including the ones belonging to the Russian Federal Space Agency.

      Dubbed “Lurid,” these attacks do not appear be very different from other recent stealth cyber-campaigns, such as Shady RAT, Aurora and Night Dragon. Employees received malicious emails designed to exploit vulnerabilities in unpatched software, most often Adobe Reader and Microsoft Office, wrote David Sancho and Nart Villeneuve, senior threat researchers at Trend Micro.

      The malicious attachments did not always rely upon zero-day vulnerabilities, but used older, reliable exploits going as far back as 2009. The zero-days were saved for “hardened targets,” but Trend Micro has not yet come across those emails.

      “In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1,465 victims,” Sancho and Villeneuve wrote.

      The Enfal malware family has been used to attack government and non-governmental organizations in the United States working with the Tibetan community in the past. However, there appear to be no direct links between this particular attack and the previous ones, Sancho and Villeneuve wrote.

      The attacks appear to have started in August 2010 and the malicious emails were sent in “waves.” Logfiles intercepted by Trend Micro identified at least 301 waves of discrete mail campaigns because each malware sent back a “marker” to the C&C servers to identify itself. A little over half, or 59 percent, were directed toward unique hosts. Once one machine had been compromised inside an organization, the attackers used it as a jumping-off point to infect other machines on the network.

      One version of the malware installed itself as a Windows service and the other version added itself to the Windows start-up routine. The malware also allowed attackers to gain shell access to issue a variety of commands on the compromised system.

      In the Lurid campaign, once a system was compromised, attackers used the “Enfal” downloader Trojan to steal spreadsheets, documents and other information. Enfal has been around since at least 2006, but it is not commonly sold on underground criminal forums.

      Stolen documents were uploaded to Websites hosted on command-and-control servers located in the United States and the United Kingdom. This doesn’t mean the attackers were based in the United States or UK as attackers can hide their tracks by compromising servers anywhere in the world and using tools such as virtual private networks (VPN) to mislead investigators. In recent cyber-attacks, such as “Shady RAT,” China was often blamed just because the command-and-control servers appeared to be based in China.

      Trend Micro has gained access to the logfiles on the c&c server but did not access the server directly. Nor has it discovered the actual stolen files. A non-governmental organization working on Tibet-related projects submitted the initial malware to Trend Micro for analysis in March.

      Trend Micro has notified the Federal Bureau of Investigation and the Metropolitan Police Central eCrime Unit.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×