Hellsing APT Strikes Back After Being Targeted by the Naikon Group
A small cyber espionage group might have remained under the radar, but their activities were exposed when they decided to retaliate against an attack launched by a different advanced persistent threat (APT) group.
Researchers at Kaspersky Lab were investigating Naikon, one of the most active threat groups in Asia, when they came across the activities of a different actor which they have dubbed “Hellsing.”
Naikon, a group known for its use of the RARSTONE backdoor, has targeted organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.
Within days of the disappearance of Malaysia Airlines Flight 370 (MH370) in March 2014, Naikon began targeting government organizations in the countries involved in the search for the missing aircraft. The attackers used spear-phishing emails carrying documents designed to exploit Microsoft Word vulnerabilities in order to deliver a backdoor.
One of these emails was sent to an organization where the recipient questioned the legitimacy of the message. The target asked the sender (Naikon) to confirm that they had sent the email. Members of Naikon, who were apparently familiar with the targeted government agency’s internal structure, attempted to convince the recipient that the email was legitimate.
However, the target wasn’t convinced and didn’t open the malicious document, Kaspersky said. Instead, after a while, the targeted organization sent Naikon a spear-phishing email of its own, carrying its own malware.
The group that decided to strike back has been dubbed “Hellsing” by Kaspersky Lab based on some debug information found by researchers in one of the malware samples. Hellsing, which has been active since at least 2012, has mainly targeted government organizations in Malaysia, Indonesia and the Philippines. Some targets have also been identified in the United States and India.
The APT actor has been using spear-phishing emails to deliver malware to victims’ computers. Based on command and control (C&C) server information gathered by Kaspersky, it’s possible that some of the victims are the Malaysian Ministry of Tourism and Culture, the Malaysian Maritime Enforcement Agency, and the Malaysian National Sports Council.
Researchers have determined that some of the infrastructure used by Hellsing overlaps with the infrastructure of other groups, such as PlayfullDragon (Gref), Cycldek (Goblin Panda), and Mirage (Vixen Panda).
Since APT attribution is a difficult task, Kaspersky has avoided pointing the finger at anyone. However, the company has noted that the name Hellsing, which appears to be the internal name used by the threat actor for one of its projects, could stem from a Japanese manga series.
Researchers have also determined, from the compilation timestamps of the malware samples, that the group’s code was most likely compiled by someone in the UTC+8 or UTC+9 time zones, assuming the samples were compiled during regular working hours. The caveat matters: timestamps can be zeroed or forged, so the inference is only as good as that assumption.
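The working-hours inference described above can be reproduced from the PE header alone. The following is an added example, not Kaspersky’s tooling or any Hellsing artifact: it reads the COFF TimeDateStamp from a PE image, then scores every candidate UTC offset by how many samples were compiled inside an assumed 09:00–18:00 local working day. The sample timestamps are constructed for illustration and do not come from real Hellsing binaries.

```python
"""Infer a malware author's likely working time zone from PE compile timestamps.

Added example (not from the original article or from Kaspersky). Working hours,
the minimal PE header builder and the sample timestamps are all assumptions
made for this demonstration.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working day: hours 09:00 (inclusive) to 18:00 (exclusive).
WORK_START, WORK_END = 9, 18


def compile_timestamp(pe_bytes: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature; TimeDateStamp is 4 bytes into it.
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def score_offsets(stamps, offsets=range(-12, 15)) -> Counter:
    """Count, per UTC offset, how many timestamps fall in local working hours."""
    scores = Counter()
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(WORK_START <= ts.astimezone(tz).hour < WORK_END
                          for ts in stamps)
    return scores


def likely_offsets(stamps) -> list:
    """Return the UTC offsets tied for the highest working-hours score."""
    scores = score_offsets(stamps)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)


def make_pe(stamp: int) -> bytes:
    """Build a minimal, non-executable PE header carrying `stamp` (constructed data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def sample_stamps() -> list:
    """Constructed sample set: eight 'builds' compiled between 01:00 and 09:00 UTC."""
    utc = timezone.utc
    builds = [datetime(2014, 3, 10, 1, 15, tzinfo=utc),
              datetime(2014, 3, 11, 2, 40, tzinfo=utc),
              datetime(2014, 3, 12, 3, 5, tzinfo=utc),
              datetime(2014, 3, 13, 4, 30, tzinfo=utc),
              datetime(2014, 3, 14, 5, 50, tzinfo=utc),
              datetime(2014, 3, 17, 6, 20, tzinfo=utc),
              datetime(2014, 3, 18, 7, 45, tzinfo=utc),
              datetime(2014, 3, 19, 8, 10, tzinfo=utc)]
    # Round-trip each through a fake PE header to exercise the parser.
    return [compile_timestamp(make_pe(int(b.timestamp()))) for b in builds]


if __name__ == "__main__":
    stamps = sample_stamps()
    for off, score in sorted(score_offsets(stamps).items()):
        print(f"UTC{off:+d}: {score}/{len(stamps)} builds in working hours")
    print("most likely offsets:", likely_offsets(stamps))
```

With the constructed set, UTC+8 and UTC+9 tie at 8 of 8 builds inside working hours while UTC+7 and UTC+10 each lose one, which is the shape of result the article describes. In practice, discard samples whose stamp is zero or implausibly old before scoring, since some toolchains and some actors write fixed or forged values.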
“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting ‘Empire Strikes Back’ style, is fascinating,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”