Is APT1 behind the recently uncovered Siesta espionage campaign?

Mar 13, 2014 19:56 GMT  ·  By

Last week, security researchers from Trend Micro published a report on a targeted cyber espionage campaign dubbed “Siesta.” Experts from FireEye say they’ve uncovered a connection between Siesta and the notorious Chinese cyber espionage unit known as APT1.

Siesta targets various industries, including energy, finance, healthcare, telecoms, public administration, defense and transport. The attackers rely on various techniques to infiltrate the targeted organizations, but not all of their tactics are sophisticated.

In a case study, Trend Micro detailed an attack that relied on spear phishing emails designed to trick the executives of a company into installing malware.

The name of the campaign, Siesta, stems from the Spanish word which means “to take a short nap.” That’s because the pieces of malware used in the campaign are designed to receive “Sleep” commands that instruct them to stay idle for a specified number of minutes.

Based on FireEye’s research, the group behind Siesta is either using the same tactics and tools as APT1, or APT1 is actually responsible for these attacks.

FireEye has also analyzed an attack of the Siesta campaign. It was launched on February 20, 2014, against a company in the telecoms sector. The spear phishing emails with links to archives and the callback traffic to legitimate-looking webpages identified in the attack are similar to APT1’s tactics, techniques and procedures.

An import hash from a dropper spotted by Trend Micro has been seen in a number of APT1 attacks, some of them dating as far back as 2011. A portable executable (PE) resource contained in the droppers has been spotted not only in Siesta and APT1 attacks, but also in operations of the “Menupass” group, which is responsible for Poison Ivy campaigns.

“It is unlikely that APT1 and Menupass represent the same group. We have observed no other overlaps in infrastructure or tools between these two groups. A more likely possibility is that the shared resource between APT1 and the Menupass group is a binder tool,” FireEye experts noted.

However, researchers are not so certain that APT1 is not behind the Siesta attacks.

“Although we are not certain that APT1 is responsible for the Siesta activity, this current campaign shares a number of distinct characteristics with previous activity attributed to APT1,” they noted.

“Regardless of which group is responsible for this campaign, our analysis highlights the importance of monitoring for known indicators. As shown above, monitoring for previously disclosed indicators of compromise (IOCs), even IOCs that are years old, can yield value,” FireEye concludes.