Cyber Espionage Campaign Hits Organizations Around the Globe

Researchers at Trend Micro shined a light on a cyber-espionage campaign that infected nearly 12,000 unique IP addresses spread across more than 100 countries.

Trend Micro, which nicknamed the campaign ‘Safe’, uncovered two sets of command-and-control (C&C) infrastructure related to the attacks. First seen in October 2012, Safe went on to compromise government ministries, technology companies, media outlets, academic institutions and other organizations. The largest numbers of infected parties are in India and the United States.

Trend Micro, in the first release of the report, called this campaign SafeNet. As Steve Ragan points out, shortly after the research was released, the whitepaper was taken offline, and the campaign was renamed to “Safe”, which the threat certainly is not.

“We also discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day,” according to the report. “This indicates that the actual number of victims is far less than the number of unique IP addresses. Due to large concentrations of IP addresses within specific network blocks, it is likely that the number of victims is even smaller and that they have dynamically assigned IP addresses, which have been compromised for some time now.”

The attack exploited CVE-2012-0158, a vulnerability in the Windows Common Controls (MSCOMCTL.OCX) that is triggered through malicious Microsoft Office documents and that Microsoft patched in April 2012 (MS12-027). The first set of C&C servers was tied to just 243 victims, only three of which were “live” at the time of the report. The 243 unique IP addresses came from 11 different countries, most of them in Mongolia. Those victims were hit with emails carrying Tibetan and Mongolian themes, including one that claimed to attach an excerpt from an interview with the Dalai Lama.

The report did not describe the emails that hit the other victims. However, logs from the second set of C&C servers showed 11,563 unique IP addresses from 116 different countries checked in to them. More than 4,300 of those were in India.
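The counting argument the report makes (cumulative unique IP addresses versus concurrently active victims) is worth making concrete, because it is the same correction any analyst has to apply to C&C check-in logs. The following Python is an added example, not code from the article or from Trend Micro’s report. It assumes a hypothetical check-in log format of `timestamp ip victim_id`, where `victim_id` stands in for whatever host-level identifier the malware reports on each beacon; the log lines are constructed for illustration and are not data from the campaign.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample of C&C check-in log lines (hypothetical format:
# "timestamp ip victim_id"). Invented for illustration, not campaign data.
# Two hosts (MACHINE-A, MACHINE-B) get a fresh DHCP lease in 203.0.113.0/24
# every day; MACHINE-C keeps a static address.
SAMPLE_LOG = """\
2013-05-01T08:00:00 203.0.113.10 MACHINE-A
2013-05-01T09:00:00 203.0.113.11 MACHINE-B
2013-05-01T10:00:00 198.51.100.5 MACHINE-C
2013-05-02T08:00:00 203.0.113.12 MACHINE-A
2013-05-02T09:00:00 203.0.113.13 MACHINE-B
2013-05-02T10:00:00 198.51.100.5 MACHINE-C
2013-05-03T08:00:00 203.0.113.14 MACHINE-A
2013-05-03T09:00:00 203.0.113.15 MACHINE-B
2013-05-03T10:00:00 198.51.100.5 MACHINE-C
"""


def parse_checkins(text):
    """Parse log lines into (datetime, ip, victim_id) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, victim = line.split()
        records.append((datetime.fromisoformat(ts), ip, victim))
    return records


def unique_ips(records):
    """The headline number: distinct source addresses seen over the whole log."""
    return len({ip for _, ip, _ in records})


def average_daily_victims(records):
    """Distinct victim identifiers per calendar day, averaged over observed days.

    This is the figure that reflects how many machines are actually beaconing;
    it is unaffected by a host changing its IP address from day to day.
    """
    per_day = defaultdict(set)
    for ts, _, victim in records:
        per_day[ts.date()].add(victim)
    if not per_day:
        return 0.0
    return sum(len(v) for v in per_day.values()) / len(per_day)


def ips_by_block(records, prefix=24):
    """Count distinct IPs per network block; many IPs in one block with few
    victims is the signature of dynamically assigned addresses."""
    blocks = defaultdict(set)
    for _, ip, _ in records:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(ip)
    return {net: len(ips) for net, ips in blocks.items()}


if __name__ == "__main__":
    recs = parse_checkins(SAMPLE_LOG)
    print("unique IPs:", unique_ips(recs))
    print("avg victims/day:", average_daily_victims(recs))
    print("IPs per /24:", ips_by_block(recs))
```

On the constructed sample, seven unique addresses collapse to three victims per day, and six of the seven addresses sit in a single /24, which is the pattern the report describes for dynamically assigned IP addresses on hosts that have been compromised for some time. The same per-day and per-block grouping applies to any beaconing log, whether it comes from a seized C&C server or from a sinkhole.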

“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them,” according to Trend Micro. “As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”

The C&C infrastructures had little in common besides being used in conjunction with the same malware. The researchers were able to piece together enough information to give them an idea of the malware author’s identity – a person they describe in the report as most likely a “professional software developer who studied at a technical university in China.”

“This individual appears to have repurposed legitimate source code from an Internet services company in the same country for use as part of the campaign’s C&C server code,” according to the report. “As such, this may be a case in which a malware entrepreneur’s code was used in targeted attacks.”

“As the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses,” the report notes. “As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use. These developments highlight the increasing need for ongoing investigation and monitoring of such threats.”

Updated 2:32 PM to include mention of Trend Micro’s renaming of the attack campaign from SafeNet to Safe.
