Waterbug APT group hacked another APT to carry out attacks

News by Rene Millman

Hackers used leaked NSA tools and hijacked another hacking group's infrastructure to attack government organisations in the Middle East and beyond

The Waterbug APT group has used a new toolset and hijacked another hacking group's infrastructure in order to carry out attacks on a number of government organisations in the Middle East and beyond.
According to a blog post by security researchers at Symantec, the Waterbug group has carried out three attacks that combined several new backdoors while also using infrastructure that is thought to belong to another hacking group.
One campaign involved a new and previously unseen backdoor called Neptun (Backdoor.Whisperer). Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers. 
"This passive listening capability makes the malware more difficult to detect. Neptun is also able to download additional tools, upload stolen files, and execute shell commands," said researchers.
Researchers said that one attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34).
A second campaign used Meterpreter, a publicly available backdoor, along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor.
The third campaign deployed a different custom RPC backdoor from the one used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without launching powershell.exe.
Researchers said that the hackers have also followed the current shift towards "living off the land," making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems.
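The PowerShellRunner-derived backdoor and the PsExec/PowerShell "living off the land" activity described above share one observable: the PowerShell engine assembly (System.Management.Automation) gets loaded into a process that is not powershell.exe. The following is an added illustration, not code from Symantec or the article, that flags such loads in constructed Sysmon-style image-load (Event ID 7) records; the event field names and the baseline of expected host binaries are assumptions to be tuned per environment.

```python
"""Flag processes that host the PowerShell engine in-process (System.Management.Automation
loaded by something other than powershell.exe/pwsh.exe), using constructed Sysmon-style
image-load (Event ID 7) records. Sample data and paths are made up for illustration."""
from __future__ import annotations
import json
from typing import Iterable

# Processes expected to load the engine. Assumed baseline; tune to the estate being monitored.
EXPECTED_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}
ENGINE_DLL = "system.management.automation"  # matches the IL assembly and its .ni native image

def is_engine_load(event: dict) -> bool:
    """True if the record is an image load of the PowerShell engine assembly."""
    loaded = event.get("ImageLoaded", "").lower().replace("/", "\\")
    name = loaded.rsplit("\\", 1)[-1]
    return name.startswith(ENGINE_DLL) and name.endswith(".dll")

def unexpected_engine_hosts(events: Iterable[dict]) -> list[dict]:
    """Return engine loads whose hosting process is not an expected PowerShell binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or not is_engine_load(ev):
            continue
        if ev.get("Image", "").lower() not in EXPECTED_HOSTS:
            hits.append({"computer": ev.get("Computer"), "pid": ev.get("ProcessId"),
                         "image": ev.get("Image"), "loaded": ev.get("ImageLoaded")})
    return hits

# Constructed sample: a normal powershell.exe engine load, an unrelated DLL load, and an
# engine load by an unknown binary, which is the shape an in-process PowerShell host leaves.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7, "Computer": "WS01", "ProcessId": 2208,
     "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Computer": "WS02", "ProcessId": 5532,
     "Image": r"C:\ProgramData\svc\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0f1e2d3c\System.Management.Automation.ni.dll"},
]

if __name__ == "__main__":
    for hit in unexpected_engine_hosts(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Legitimate non-PowerShell hosts (management agents, ISE, some installers) also load the engine, so the expected-host set is a starting point for baselining, not a finished allow-list.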
These three recent Waterbug campaigns have seen the group compromise governments and international organisations across the globe, in addition to targets in the IT and education sectors. Since early 2018, Waterbug has attacked 13 organisations across 10 different countries, according to researchers.
These attacks targeted ministries, IT organisations, and government agencies in the Middle East, South Asia, Europe, and Latin America.
The researchers said that this was the first time they had observed one targeted attack group seemingly hijack and use the infrastructure of another group.
"However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown," they said.
"Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape."
Jake Moore, cybersecurity specialist at ESET, told SC Media UK that using a flaw that has already been exploited can sometimes make it easier to take further advantage.
"There is always a chance of there still being a backdoor left untouched and vulnerable. However, there are simple steps that should be enforced and although they most likely will be enforced heavily, it is always good practice to double check at times like these, especially if you are one of the intended targets," he said.
Boris Cipot, senior security engineer at Synopsys, told SC Media UK that the best thing is to first follow the advice of security companies; search for every possible fragment of signatures that have been discovered so far and block the connections to any advised command and control servers the malware is connecting to.
"Also make sure that you are tracking for weird behaviour on your network, such as unusual uploads or data packages being delivered. Block RDP and other remote connection channels and check and amend all the needed security best practices for RDP," he said.
"There are many different procedures one has to follow and in this case it might be good to check all."