SAN FRANCISCO -- RSA CONFERENCE 2012 -- Dell SecureWorks pulled the covers off of a cyber-espionage operation that compromised as many as 200 computers – many belonging to government ministries in Vietnam, Brunei and Myanmar.
The company discussed the research at the RSA Conference in San Francisco this week. Besides government ministries, other victims included a newspaper and more than one petroleum company. In a lengthy report posted here, SecureWorks revealed the attackers used pieces of malware tied to attack on EMC’s RSA security division in 2011, as well as the infamous GhostNet case. In addition to the victims mentioned above, there will also a handful of compromises in Europe and the Middle East. Like the other infected machines, these computers belonged to government agencies, businesses and even an embassy.
The two pieces of malware at the center of the attacks are known as ‘Enfal’ (aka the “Lurid Downloader”) and “RegSubsDat’, which was first identified in 2009. Between 2004 and 2011, someone using the email address firstname.lastname@example.org registered several domains using the names ‘Tawnya Grilth’ and ‘Eric Charles.’ All of the ‘Tawnya Grilth’ domains showed the registrant's physical address to be a post office box in the fictional town of “Sin Digoo, California.”
In 2006 and 2007, a number of domains registered by email@example.com using the name ‘Tawnya Grilth’ appeared on reports published by automated malware analysis systems and antivirus websites. After an analysis, SecureWorks determined the domains were involved in a larger pattern of espionage activity.
Joe Stewart, director of malware research at SecureWorks, told SecurityWeek that the targets suggest the person was working on behalf of a government or entity that wants confidential information, but there was nothing to definitely prove whoever is behind the attacks is working for a particular country.
“Clearly they are not stealing for themselves,” he said.
Following further leads provided an interesting twist – the email account used in the attacks was also used to register a site called socialup.net, which offers blackhat search engine optimization (SEO) services. In addition, the name Tawnya has been observed being used by someone promoting the site on message boards. This suggests that in addition to cyber-espionage, the person at the center of the activity may also be moonlighting in the cyber-underworld with a blackhat SEO business.
Stewart said researchers sink-holed the command and control servers, severing the attacker’s control of the infected computers. This is not the first time Vietnam has been in the bull’s eye of attackers looking to steal political information. In 2010 for example, Google and McAfee reported evidence of a politically-motivated malware campaign targeting critics of a Chinese-backed mining operation in Vietnam.
Still, Stewart called the cluster of victims surprising.
“We’ve seen APT [advanced persistent threat] activity targeted at Japan…there’s certainly been a pattern of activity against Taiwan, but these countries here – (they) weren’t at the top of my list,” he said.
Related Reading: RSA Confernce 2012 Session On Cyber War and Industrial Espionage