Two APT tribes go to war

Two cyber-espionage groups break cover to fire loaded emails at each other.

Two APT tribes go to war
Two APT tribes go to war

Kaspersky Lab claims to have identified a new trend in cyber-espionage – one group attacking another. Could it be a sign of competition for a shrinking pool of resources among the groups which perpetrate APT attacks?

Kaspersky Lab described the incident as a rare and unusual example but nonetheless speculated that it could be the start of a new trend in cyber-criminal activity that it has dubbed the APT wars.

Jen Weedon, manager of threat intelligence at FireEye told SCMagazineUK.com: “Kaspersky's report raises interesting questions about how APT groups can trip over each other when competing for limited resources. The targeted activity their report outlines against Southeast Asian governments, similar to those APT30 pursues, again underlines the importance of that region for threat actors looking to steal political intelligence.”

Meanwhile, Cedric Pernet, senior threat researcher at Trend Micro and noted expert on APTs, commented: “While this story is fascinating, I am not sure this is the beginning of a new trend... APT groups have a huge interest in staying under the radar... so I do not expect many groups to act like Hellsing.” He speculated that a government entity could have directed Hellsing to attack Naikon in retaliation for a phishing campaign.

However, Kaspersky's interpretation of the incident is that it was tit for tat retaliation, involving the exchange of spear-phishing emails between the two groups.

Kaspersky, which was previously unaware of Hellsing, was alerted to its existence while investigating the activities of Naikon, a prolific cyber-espionage group which targets organisations in the Asia-Pacific region.

Naikon had launched a spear-phishing attack against an email address which turned out to belong to a rival group which Kaspersky later dubbed Hellsing. The Hellsing group – a small and “technically unremarkable” cyber-espionage group targeting government and diplomatic organisations in Asia – questioned the authenticity of the email with the sender.

The reply from the sender failed to convince Hellsing of its authenticity so Hellsing launched a counter-strike against Naikon in an apparent attempt to learn more about the group.

The payload of the spear-phishing email was a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. While it failed to infect Naikon, Kaspersky's analysis indicates that around 20 organisations worldwide have been targeted by Hellsing.

Hellsing is very selective in terms of the type of organisations targeted, attempting to infect mostly government and diplomatic entities. Kaspersky said it has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US.

Costin Raiu, director of global research and analyst team at Kaspersky Lab, said: “The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting-‘Empire Strikes Back' style, is fascinating. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”

Weedon added: “When a target is considered so valuable, it's not surprising that many different actors (perhaps even working for the same ultimate boss) are simultaneously trying to steal the same information. Naturally they might encounter each other, and their mutual interests could result in some competition.”

Pernet believes the fight between two APTs provides a rare glimpse into their methods of operation. “If one group really wants to attack another, they can try to compromise it and destroy what they can, or reveal information about the group and its targets, or DDoS its infrastructure. But once again, one of the priorities for most APT groups is to stay undetected, so I do not think this kind of fight will happen often.”

Brian Honan, managing director and consultant at BH Consulting, told SC that he was not surprised by the news.

“I am not surprised to hear of this development and it is something I predicted happening a while ago,” he said via email. “Criminals are looking to the internet as a low risk high gain way for them to generate revenue. As in real life we will see turf wars develop online as criminal gangs look to expand their capacity, reach, and influence which will result in online turf wars developing. 

“These online turf wars will happen as criminals compete to target specific groups or types of victims. In other cases one criminal gang may look to take over a particularly lucrative botnet or cyber-crime infrastructure operated by a rival gang. Finally, there will be criminal gangs, or political motivated groups, who will look to attack rival gangs for financial, political, or nationalistic motives.

“As with criminal turf wars in the physical world organisations need to be careful they do not become unwitting victims or become collateral damage from these online turf wars.”