The Chronicles of Hellsing: a Spy vs Spy Story
LONDON, April 15, 2015 /PRNewswire/ --
Kaspersky Lab has recorded a rare and unusual example of one cybercriminal attacking another. In 2014, Hellsing, a small and technically unremarkable cyberespionage group targeting mostly government and diplomatic organisations in Asia, was subjected to a spear-phishing attack by another threat actor and decided to strike back. Kaspersky Lab believes that this could mark the emergence of a new trend in criminal cyber activity: the APT wars.
The discovery was made by Kaspersky Lab experts during research into the activity of Naikon, a cyberespionage group also targeting organisations in the Asia-Pacific region. The experts noticed that one of Naikon's targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.
The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target's own malware. This movement triggered Kaspersky Lab's investigation and led to the discovery of the Hellsing APT group.
The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.
Deeper analysis of the Hellsing threat actor by Kaspersky Lab reveals a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organisations. If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. According to Kaspersky Lab's observations, the number of organisations targeted by Hellsing is close to 20.
Hellsing Targets
The company has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US, with most of the victims located in Malaysia and the Philippines. The attackers are also very selective in terms of the type of organisations targeted, attempting to infect mostly government and diplomatic entities.
"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting, "Empire Strikes Back" style, is fascinating. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," said Costin Raiu, Director of Global Research and Analyst Team at Kaspersky Lab.
According to Kaspersky Lab analysis, the Hellsing threat actor has been active since at least 2012 and remains active.
Protection
To protect against Hellsing attacks, Kaspersky Lab recommends the following basic security best practices:
- Don't open suspicious attachments from people you don't know
- Beware of password protected archives which contain SCR or other executable files inside
- If you are unsure about the attachment, try to open it in a sandbox
- Make sure you have a modern operating system with all patches installed
- Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader.
Kaspersky Lab products successfully detect and block the malware used by both the Hellsing and Naikon actors.
To learn more about the Hellsing threat actor and the Empire Strikes Back espionage campaign go to Securelist.com
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more athttp://www.kaspersky.co.uk..
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report "Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.
Editorial contact:
Berkeley PR
Lauren White
kasperskylab@berkeleypr.co.uk
Telephone: +44(0)118-909-0909
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Stephanie Fergusson
Stephanie.Fergusson@kasperskylab.co.uk
Telephone: +44(0)7714107292
2 Kingdom Street
W2 6BD, London
Share this article