Targeted spear phishing campaign targets governments, law enforcement

Kaspersky Lab claims to have identified a highly targeted spear phishing campaign that picks on high profile victims - including government, military, law enforcement agencies and embassies.


The Machete campaign, as it is known, has been running for at least four years and has hit more than 770 victims, says the security firm.

So far, most of the victims have been located in South America, most notably Colombia, Ecuador and Venezuela, although small numbers of victims have been noted in Cuba, Peru, Spain and Russia, suggesting that the campaign is now spreading across the Atlantic to Europe.

Rather than draining money from users' accounts, however, Kaspersky says that Machete's aim is to exfiltrate valuable data from the organisations of the targeted individuals, something that Dmitry Bestuzhev, head of Kaspersky's global research and analysis operation in Latin America, says suggests it may be part of an APT (Advanced Persistent Threat) campaign.

"Despite the simplicity of the tools used in this campaign, the results show it was very effective. It looks like threat actors in Latin America are adopting techniques of APT campaigns seen around the world. We expect local cyber-espionage campaigns to reach increased levels of technological sophistication, and it is likely that new APT campaigns will be similar, from a technical point of view, to the top players worldwide," he said.

Kaspersky Lab says that the Machete campaign - which is based on Spanish code and allied software - started in 2010 and was updated with a renewed infrastructure in 2012.

The attackers, says the security vendor, have used social engineering techniques to distribute the malware. In some cases, they used spear-phishing messages combined with Web-based infections spread through especially prepared fake blogs.

Once infected, victims' computers were found to be copying files to a remote server, or to a USB device if one was inserted, as well as hijacking clipboard content and capturing keystrokes with a key logger. Other data exfiltration centres on audio capture from the computer's microphone, the taking of screenshots and obtaining geo-location data from the PC concerned.

One interesting feature of the program code is that the cyber-criminals appear to be using Python code compiled into Windows executable files.

Bestuzhev's team suggests that the attackers may have prepared parallel infrastructures for OSX and Unix victims, and that a mobile component for Android may also have been developed.

Nation state attack?

Troy Gill, manager of security research with AppRiver, said that Machete is a good example of the current, and complex, state of cyber-espionage.

"The origin of this attack is still not known but given the targets it would be safe to assume it was initiated by a nation state or some group acting on their behalf. Machete is interesting in its design and its longevity. But this is likely just the tip of the iceberg when it comes to these types of advanced espionage attacks," he said, adding that we simply don't know what types of cyber-weapons, such as Machete, each nation is capable of deploying, which is what makes this situation so alarming.

"In this day and age, there are a staggering amount of cyber-attacks going on between nations for purposes of intelligence gathering, military advantages and technology theft. It is well known that China for example, is engaged in these types of attacks against the US and other nations on a daily basis but of course they are not alone in their efforts so it is not surprising to see a complex attack like this from another source.

"Of course it is quite difficult for entities to protect themselves from attacks of this nature since it is so unclear just exactly what it is they are trying to protect themselves against and there is not any single solution. It is however, always preferable to block these attacks at the infection level and in this case that appears to have been a spear phishing email and/or infected website," he said.

"If something slips through the cracks at the email or web level, then you need to rely on your organisation's ability to detect abnormalities in data leaving your network," he added.

According to Dr Guy Bunker, senior vice president of Clearswift, it is important to note that Python is just a language, but one that is extremely flexible.

Because of this, he says, creating a framework in Python will probably mean that the reuse and re-purposing of the malware will be easier in the future.

"As with all malware, especially ones which are going after information there are things which act as pointers to the infection. Not least that the information has to leak to somewhere. There were (are) multiple domains associated with the malware which can be monitored and blocked," he said.

"Of course, the other major piece of detection to prevent the cyber-attackers from succeeding is to detect and prevent the transfer of information," he added.

Bunker went on to say that this means data loss prevention can be used to block, or to redact, critical information and to alert the IT department to a potential breach.

They can then, he says, take action to determine if there is an infection and then to eradicate it.
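The two detection points Bunker and Gill describe, watching for traffic to domains tied to the malware and flagging unusual volumes of data leaving the network, can be checked against proxy logs. The script below is an added illustration, not code from the article or from Kaspersky; the watchlist domains, the log format and the log lines are constructed placeholders, since the article names no Machete domains, and the egress threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Placeholder watchlist: the article says several domains are tied to Machete but names none.
WATCHLIST = {"c2-placeholder.example", "fakeblog-placeholder.example"}

# Assumed threshold for bytes uploaded per internal host within the log window.
EGRESS_THRESHOLD_BYTES = 5_000_000

# Assumed proxy log format: timestamp, internal source IP, destination host, method, bytes sent.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<bytes_out>\d+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2014-08-20T09:01:05 10.0.0.12 intranet.example GET 512
2014-08-20T09:02:11 10.0.0.12 c2-placeholder.example POST 20480
2014-08-20T09:03:40 10.0.0.23 mail.example POST 3000000
2014-08-20T09:04:02 10.0.0.23 files.example PUT 2500000
2014-08-20T09:05:17 10.0.0.31 news.example GET 1024
"""


def on_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in WATCHLIST or any(host.endswith("." + d) for d in WATCHLIST)


def analyse(log_text):
    """Return alerts: ('watchlist', src, host) per hit, then ('egress_volume', src, total_bytes)."""
    alerts = []
    upload_bytes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, host, method = m["src"], m["host"], m["method"]
        if on_watchlist(host):
            alerts.append(("watchlist", src, host))
        if method in ("POST", "PUT"):  # only count data sent outwards
            upload_bytes[src] += int(m["bytes_out"])
    for src, total in upload_bytes.items():
        if total > EGRESS_THRESHOLD_BYTES:
            alerts.append(("egress_volume", src, total))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

A watchlist hit identifies the infected host directly; a volume alert without one is the weaker signal Gill refers to and needs follow-up on the endpoint.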