March 18, 2015
Kaspersky Lab has found that nation-state-sponsored cyber espionage is becoming more sophisticated: it targets carefully selected users, uses complex modular tools, and keeps itself hidden from increasingly effective detection systems.
This trend was confirmed during a detailed analysis of the EquationDrug cyber espionage platform. Kaspersky Lab specialists found that, as the industry has grown more successful at exposing advanced persistent threat (APT) groups, the more sophisticated threat actors are now increasing the number of components in their malicious platforms in order to attract less attention and improve their stealth.
The latest platforms are made up of many plug-in modules that let the operators select and perform a wide range of functions, depending on the target and the information it holds. Kaspersky Lab estimates that EquationDrug includes 116 different plugins.
“Attacking nation-states seek better stability, invisibility, reliability and universality in their cyber espionage tools. They are focused on creating infrastructures that wrap such code in something that can be customized on live systems and that provide a secure way to store all components and data in an encrypted form, inaccessible to regular users,” explains Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis Team. “The sophistication of the infrastructure makes this type of actor different from traditional cybercriminals, who prefer to focus on the payload and capabilities of malware designed for direct financial gain.”
Other ways these attacking nation-states differentiate their tactics from traditional cybercriminals include:
Scale. Traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, while nation-state actors prefer highly targeted surgical attacks, infecting only a handful of selected users.
Individual approach. While typical cybercriminals repeatedly reuse publicly available source code such as the Zeus or Carberp Trojans, nation-state actors build unique, custom malware, and even implement restrictions that prevent decryption and execution outside of the target computer.
Extraction of valuable information. Cybercriminals generally try to infect as many users as possible. However, they do not have the time or storage space to manually review all the infected machines, find out who the owners are, what kind of data they have stored and what software they are running, and then transfer and potentially store all the interesting data.
As a result, they write all-in-one malware that extracts only the most valuable data, such as passwords and credit card numbers, from victims’ machines – an activity that quickly catches the eye of any installed security software.
Attacking nation-states, on the other hand, have the resources to store all the data they need. To avoid attention and stay invisible to security software, they try to avoid infecting random users and instead rely on a generic remote system administration tool that can copy whatever information they might need, in any quantity. However, this can work against them, as moving large amounts of data could make the network connection very slow and arouse suspicion.
“It may seem unusual that a cyber espionage platform as powerful as EquationDrug does not provide the ability to steal a user’s Skype or ICQ password as a standard feature of its malware core. The answer is that they prefer to copy a whole database and do the parsing on the server side. Only if they have chosen to actively monitor a user, and the security products on that user’s machine have been disarmed, will the victim receive a plugin to track their conversations live. We believe this will become a distinctive trademark of attacking nation-states in the future,” concludes Costin Raiu.
EquationDrug is the leading spy platform developed by the Equation Group. It has been in use for more than a decade, although it has now largely been replaced by the even more sophisticated GrayFish platform. The trends in tactics confirmed by the EquationDrug analysis were first observed by Kaspersky Lab during its investigation of the Careto and Regin cyber espionage campaigns, among others.