Retaliation Attack Leads to Discovery of Hellsing APT Group

Hellsing APT Strikes Back After Being Targeted by the Naikon Group

A small cyber espionage group might have remained under the radar, but their activities were exposed when they decided to retaliate against an attack launched by a different advanced persistent threat (APT) group.

Researchers at Kaspersky Lab were investigating Naikon, one of the most active threat groups in Asia, when they came across the activities of a different actor which they have dubbed “Hellsing.”

Naikon, a group known for its use of the RARSTONE backdoor, has targeted organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

Just days after the Malaysia Airlines Flight 370 (MH370) disappeared last year, Naikon started targeting various government organizations in countries that had been involved in the search for the missing airplane. The attackers used spear-phishing emails containing documents designed to exploit Microsoft Word vulnerabilities in order to deliver a backdoor.

One of these emails was sent to an organization where the recipient questioned the legitimacy of the message. The target asked the sender (Naikon) to confirm that they had sent the email. Members of Naikon, who were apparently familiar with the targeted government agency’s internal structure, attempted to convince the recipient that the email was legitimate.

However, the target wasn’t convinced and didn’t open the malicious document, Kaspersky said. Furthermore, after a while, the targeted organization sent its own spear-phishing email, containing its own malware, back to Naikon.

The group that decided to strike back has been dubbed “Hellsing” by Kaspersky Lab based on some debug information found by researchers in one of the malware samples. Hellsing, which has been active since at least 2012, has mainly targeted government organizations in Malaysia, Indonesia and the Philippines. Some targets have also been identified in the United States and India.


The APT actor has been using spear-phishing emails to deliver malware to victims’ computers. Based on command and control (C&C) server information gathered by Kaspersky, it’s possible that some of the victims are the Malaysian Ministry of Tourism and Culture, the Malaysian Maritime Enforcement Agency, and the Malaysian National Sports Council.

Researchers have determined that some of the infrastructure used by Hellsing overlaps with the infrastructure of other groups, such as PlayfullDragon (Gref), Cycldek (Goblin Panda), and Mirage (Vixen Panda).

Since APT attribution is a difficult task, Kaspersky has avoided pointing the finger at anyone. However, the company has noted that the name Hellsing, which appears to be the internal name used by the threat actor for one of its projects, could stem from a Japanese manga series.

Researchers have also determined that the malware samples used by the group were compiled by someone in the GMT+8 or GMT+9 time zones, assuming that they were compiled during regular working hours.
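The working-hours heuristic behind that time-zone estimate, as an added Python example that is not Kaspersky’s code or data: it scores candidate UTC offsets by how many of a set of constructed PE compile timestamps land inside a weekday working day, discards stripped or forged timestamps first, and shows why the answer comes out as a pair of neighbouring zones (“+8 or +9”) rather than a single one.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: PE header TimeDateStamp values (seconds since the Unix
# epoch, UTC) of the kind pefile exposes as pe.FILE_HEADER.TimeDateStamp.
# These are NOT real Hellsing samples; they were generated from working-day
# local times in UTC+8 so the heuristic has something to find.
_TZ8 = timezone(timedelta(hours=8))
SAMPLE_TIMESTAMPS_UTC = [
    int(datetime(2014, 3, 10, 9, 15, tzinfo=_TZ8).timestamp()),   # Mon
    int(datetime(2014, 3, 11, 10, 0, tzinfo=_TZ8).timestamp()),   # Tue
    int(datetime(2014, 3, 12, 11, 15, tzinfo=_TZ8).timestamp()),  # Wed
    int(datetime(2014, 3, 13, 14, 30, tzinfo=_TZ8).timestamp()),  # Thu
    int(datetime(2014, 3, 14, 16, 0, tzinfo=_TZ8).timestamp()),   # Fri
    int(datetime(2014, 3, 17, 15, 45, tzinfo=_TZ8).timestamp()),  # Mon
    0,  # a zeroed/stripped timestamp, which must be ignored
]

WORK_START, WORK_END = 9, 18  # assumed local working day, 09:00-17:59


def usable_timestamps(ts_utc):
    """Drop timestamps an analyst cannot trust: zero (stripped) or
    earlier than 2000 (likely forged or garbage)."""
    cutoff = datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp()
    return [t for t in ts_utc if t >= cutoff]


def working_hours_score(ts_utc, offset_hours):
    """Fraction of compile timestamps that fall on a weekday within
    working hours when interpreted in the candidate UTC offset."""
    ts = usable_timestamps(ts_utc)
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in ts:
        local = datetime.fromtimestamp(t, tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(ts) if ts else 0.0


def rank_offsets(ts_utc, offsets=range(-12, 15)):
    """Candidate UTC offsets ordered best-first; ties broken by offset."""
    scored = [(off, working_hours_score(ts_utc, off)) for off in offsets]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def plausible_offsets(ts_utc):
    """All offsets sharing the top score: neighbouring zones often cannot
    be separated, which is why a result reads '+8 or +9'."""
    ranked = rank_offsets(ts_utc)
    best = ranked[0][1]
    return [off for off, score in ranked if score == best]
```

Compile timestamps are trivially forgeable, so the heuristic is corroborating evidence for attribution, never proof on its own.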

“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting ‘Empire Strikes Back’ style, is fascinating,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis. “In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.