APT attacks use 'news of doomed flight MH370'

A series of advanced cyber attacks have used the lure of news about the disappearance of Malaysia Airlines flight MH370 to infiltrate nation-state and other targets, according to FireEye.


In a 24 March blog post, FireEye researchers Ned Moran and Alex Lanstein tracked at least six such spear phishing attacks between 9 and 18 March, all based on emails that promised news about the doomed plane.

One campaign, from known cyber espionage group 'admin@338', successfully targeted “a government in the Asia-Pacific region” and a “prominent US-based think tank” on 10 and 14 March, using the Poison Ivy RAT (remote access tool) and WinHTTPHelper malware. Admin@338 is described by FireEye as a campaign group active since 2008 that mostly targets the financial services industry, as well as telecoms, government and defence organisations.

The two researchers record further MH370-themed attacks this month from other threat groups, using a mix of established and new APT Trojans named as 'Naikon', 'Plat1', 'Mongall/Saker', 'Tranchulas' and 'Page'. The first attack was launched on 9 March, one day after the plane went missing.

They describe a series of campaigns using decoy documents such as Flash videos, PDF, Word and Office documents, and often linking back to command servers used in previous attacks – all with the common hook of the Malaysia Airlines plane.

The blog even records basic errors in the campaigns, such as in one case auto-starting the malware payload from a disk directory that doesn't exist until Windows 7. Despite that, the APT groups involved “convinced the targets to open a malicious attachment”, it says.

The report underlines the continuing success of spear phishing-led campaigns in penetrating even high-level cyber espionage targets.

Jason Steer, director of technology strategy for FireEye EMEA, told SCMagazineUK.com: “Spear phishing is successful, almost guaranteed. The reason is that, from an organisation's perspective if you've got a team of 50 people who are a target, one of them eventually is going to open something, the odds are stacked against them. It costs nothing to send but it costs an awful lot to detect and combat.”

Security expert James Moore, senior consultant at UK-based MWR Information Security, agreed, adding: “If you were to ask me, based on several years of penetration testing experience, what the easiest method of getting into an organisation's network is - it'd still be spear phishing every time,” he told SCMagazineUK.com.

“In terms of APT attacks, spear phishing attacks are still commonly employed because of their effectiveness. It isn't uncommon for us to see 80 percent-plus of the employees we target in a phishing assessment click on links or open malicious attachments.”

FireEye's blog warns: “Spear phishing via email-based attachments or links to zip files remain popular with many threat actors, especially when paired with lures discussing current media events. Network defenders should incorporate these facts into their user-training programmes and be on heightened alert for regular spear phishing campaigns, which leverage topics dominating the news cycle.”
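The FireEye advice above amounts to a detection heuristic: treat mail that combines a lure drawn from the news cycle with a risky attachment or a link to a zip file as worth a closer look. The following is an added example, not code from FireEye or from the article, of how a mail-gateway triage script might encode that rule. The mail records, sender domains and lure terms are constructed for the example; the attachment types (zip, PDF, Word and Office files, Flash) are those the article lists.

```python
from dataclasses import dataclass, field

# Lure terms tied to the news event the article describes; in practice this
# list would be refreshed as the news cycle moves (constructed for the example).
NEWS_LURE_TERMS = ("mh370", "malaysia airlines", "malaysian airlines", "missing plane")

# Attachment types the article names as decoys, plus common executable wrappers.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".doc", ".docx", ".xls", ".pdf", ".swf")

# Hypothetical internal domain; mail from here is treated as lower risk.
INTERNAL_DOMAINS = ("example-org.test",)


@dataclass
class MailRecord:
    """One gateway log entry: sender address, subject, attachment names, body URLs."""
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)


def lure_score(record):
    """Return (score, reasons) for a record; higher means more phishing-like."""
    text = (record.subject + " " + " ".join(record.links)).lower()
    lure_hits = [t for t in NEWS_LURE_TERMS if t in text]
    risky_files = [a for a in record.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    zip_links = [u for u in record.links if u.lower().endswith(".zip")]
    sender_domain = record.sender.rsplit("@", 1)[-1].lower()
    external = sender_domain not in INTERNAL_DOMAINS

    score, reasons = 0, []
    if lure_hits:
        score += 2
        reasons.append("news-cycle lure: " + ", ".join(lure_hits))
    if risky_files:
        score += 2
        reasons.append("risky attachment: " + ", ".join(risky_files))
    if zip_links:
        score += 2
        reasons.append("link to zip file: " + ", ".join(zip_links))
    if external and (risky_files or zip_links):
        score += 1
        reasons.append("external sender " + sender_domain)
    return score, reasons


def triage(records, threshold=4):
    """Return records at or above the threshold as (record, score, reasons)."""
    flagged = []
    for record in records:
        score, reasons = lure_score(record)
        if score >= threshold:
            flagged.append((record, score, reasons))
    return flagged


# Constructed sample log; the domains and subjects are not from any real campaign.
SAMPLE_RECORDS = [
    MailRecord("news-desk@mail-lure.test", "Malaysian Airlines MH370 Flight Lost - latest",
               attachments=["MH370.zip"]),
    MailRecord("colleague@example-org.test", "Quarterly numbers", attachments=["q1.xlsx"]),
    MailRecord("updates@mail-lure.test", "Search update",
               links=["http://mail-lure.test/MH370_update.zip"]),
    MailRecord("pr@example-org.test", "Thoughts and prayers for MH370 passengers"),
]


def flagged_subjects(records=SAMPLE_RECORDS):
    """Subjects of the records the heuristic would send for analyst review."""
    return [record.subject for record, _, _ in triage(records)]


if __name__ == "__main__":
    for record, score, reasons in triage(SAMPLE_RECORDS):
        print(f"[{score}] {record.sender}: {record.subject}")
        for reason in reasons:
            print("    -", reason)
```

The fourth sample record (a lure term in the subject but no attachment or link) scores below the threshold, which is the intended behaviour: a topical subject line on its own is not evidence of anything, and flagging it would bury the analyst in every internal message about the news. The score only crosses the threshold when the lure is paired with a delivery mechanism the article describes.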

Moore added: “There are several approaches firms can take to reduce their risk from phishing attacks. First we recommend they perform regular phishing assessments to maintain a heightened state of employee awareness and to track levels of susceptibility. We also recommend security awareness training to help further reduce employees' susceptibility to spear phishing attacks and improve their ability to respond to attacks in the correct manner, which in turn facilitates a more effective response from internal security teams.”

Last October, FireEye found admin@338 attacking the Central Bank of a Western European government, an international organisation involved in trade, economic and financial policy, a US-based think tank and a high-ranking government official for a country in the Far East.