Two advanced persistent threat groups attack each other

Apr 15, 2015 08:30 GMT

A cyber-espionage group in Asia went on the offensive when another threat actor of the same kind tried its luck at infiltrating the group's computers via a spear phishing attack.

The attacker, called Naikon by security researchers, is known for being highly active in Asia, in the South China Sea area in particular.

The area it operates in comprises the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore and Nepal, and one of the tools it uses is RARSTONE, a backdoor that loads into the memory of the system and does not leave any trace on the disk.

Spear phishing attempt backfires, APT wars begin

In a spear phishing campaign last year, Naikon shot a malware-laced message that reached another advanced persistent threat (APT) group dubbed Hellsing by security researchers at Kaspersky.

After receiving the deceptive email, Hellsing members realized that it was an attempt to compromise their computers and decided to test the sender by asking them to confirm that they had sent the message.

Naikon responded, but its English was worse than the intended victim's, which made the cyber-attack evident. Hellsing nevertheless decided to reply, and included a backdoor of its own in the message in an effort to learn more about the initial attacker.

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, believes that this marks the beginning of a new course of events among cyber-espionage groups.

“In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack,” he said in a blog post on Wednesday jointly authored with Maxim Golovkin.

Hellsing has been active since 2012, tied to other APT groups

Kaspersky’s research on the Hellsing group revealed that the number of organizations it targeted was around 20 and that its activity focused mainly on government networks in Malaysia, Indonesia, and the Philippines.

Other countries where Hellsing’s tools were detected include the US, where the interest was in diplomatic agencies, and India, where older malware variants were used.

According to the researchers, Hellsing's activity dates back to at least 2012, and it is ongoing.

Based on the malware samples analyzed, Kaspersky has determined that the group is engaged in at least three campaigns, whose identifiers are MMEA, NSC, and MOTAC. These initials could stand for the Malaysian Maritime Enforcement Agency, nsc.gov.my, and the Ministry of Tourism and Culture, respectively.

The two researchers report that Hellsing is linked to other APT groups such as PlayfullDragon (a.k.a. GREF), Mirage (a.k.a. Vixen Panda) and Cycldek (a.k.a. Goblin Panda). The connection with these actors consists of shared command and control infrastructure and communication protocols.

Hellsing managed to escape observation mainly because of its low volume of activity, which can be an advantage for long-term operations. Attacking a larger, well-known APT group is what brought Hellsing into the spotlight.

Project name is Hellsing, forgotten debug info shows
Countries and organizations of interest for Hellsing group