Kaspersky Lab has analyzed the activities of Blue Termite, an advanced persistent threat (APT) group focusing its efforts on Japanese organizations.
According to the security firm, Blue Termite has been active since at least November 2013. Not only does the campaign focus on Japan, but most of the command and control (C&C) servers it uses are also located in the country.
Experts say hundreds of organizations have been targeted in this operation over the past two years, including government agencies, universities, public interest groups, financial services firms, banks, news companies, and various organizations from sectors such as automotive, chemical, healthcare, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.
The group is also believed to be responsible for the recently disclosed breach suffered by the Japan Pension Service. The personal details of 1.25 million people were compromised in this attack.
Blue Termite is still active and the number of computers infected by the APT has increased considerably since July, when it started leveraging a Flash Player exploit leaked following the Hacking Team breach. Before the Flash Player exploit (CVE-2015-5119) was published, the cybergang leveraged spear-phishing emails to infect victims.
In July, Blue Termite planted the Hacking Team exploit on several compromised Japanese websites and started delivering its malware via drive-by-download attacks. This change in tactics led to a significant spike in infection rates.
In some cases, the attackers took steps to ensure that only the computers of certain users would get infected with their malware. One of the hacked sites used in the watering hole attacks belonged to a prominent member of the Japanese government. In another case, the group used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be served the malware.
Blue Termite has been leveraging customized malware of the Emdivi family to steal valuable data from victims. Trend Micro has also analyzed attacks involving Emdivi malware and the Hacking Team Flash Player exploit aimed at organizations in Japan (report from Trend Micro Japan).
“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.
As far as attribution is concerned, Kaspersky Lab has determined that the attackers are likely Chinese speakers.
Symantec has also been monitoring this threat group’s activities. In November 2014, the security firm published a report detailing a campaign dubbed “CloudyOmega.” At the time, the attackers had been leveraging a zero-day vulnerability in Ichitaro, a Japanese word processor made by JustSystems, to deliver Emdivi backdoors and other pieces of malware such as PlugX (also known as Korplug and Sogu) and Zxshell.
Symantec reported that the group behind the CloudyOmega attacks had communication channels with the Hidden Lynx gang and the actor behind the 2013 attacks dubbed “LadyBoyle.”
It’s unclear if they are related, but last month FireEye also observed attacks launched by a Chinese APT actor against Japanese organizations. The attackers used a different Hacking Team Flash Player exploit to infect users with a version of the PlugX RAT.