Security Experts:

Connect with us

Hi, what are you looking for?



SecureWorks Uncovers Cyber Espionage Targeting Southeast Asia

SAN FRANCISCO — RSA CONFERENCE 2012 — Dell SecureWorks pulled the covers off of a cyber-espionage operation that compromised as many as 200 computers – many belonging to government ministries in Vietnam, Brunei and Myanmar.

SAN FRANCISCO — RSA CONFERENCE 2012 — Dell SecureWorks pulled the covers off of a cyber-espionage operation that compromised as many as 200 computers – many belonging to government ministries in Vietnam, Brunei and Myanmar.

The company discussed the research at the RSA Conference in San Francisco this week. Besides government ministries, other victims included a newspaper and more than one petroleum company. In a lengthy report posted here, SecureWorks revealed the attackers used pieces of malware tied to attack on EMC’s RSA security division in 2011, as well as the infamous GhostNet case. In addition to the victims mentioned above, there will also a handful of compromises in Europe and the Middle East. Like the other infected machines, these computers belonged to government agencies, businesses and even an embassy.

Cyber Espionage The two pieces of malware at the center of the attacks are known as ‘Enfal’ (aka the “Lurid Downloader”) and “RegSubsDat’, which was first identified in 2009. Between 2004 and 2011, someone using the email address [email protected] registered several domains using the names ‘Tawnya Grilth’ and ‘Eric Charles.’ All of the ‘Tawnya Grilth’ domains showed the registrant’s physical address to be a post office box in the fictional town of “Sin Digoo, California.”

In 2006 and 2007, a number of domains registered by [email protected] using the name ‘Tawnya Grilth’ appeared on reports published by automated malware analysis systems and antivirus websites. After an analysis, SecureWorks determined the domains were involved in a larger pattern of espionage activity.

Joe Stewart, director of malware research at SecureWorks, told SecurityWeek that the targets suggest the person was working on behalf of a government or entity that wants confidential information, but there was nothing to definitely prove whoever is behind the attacks is working for a particular country.

“Clearly they are not stealing for themselves,” he said.

Following further leads provided an interesting twist – the email account used in the attacks was also used to register a site called, which offers blackhat search engine optimization (SEO) services. In addition, the name Tawnya has been observed being used by someone promoting the site on message boards. This suggests that in addition to cyber-espionage, the person at the center of the activity may also be moonlighting in the cyber-underworld with a blackhat SEO business.

Stewart said researchers sink-holed the command and control servers, severing the attacker’s control of the infected computers. This is not the first time Vietnam has been in the bull’s eye of attackers looking to steal political information. In 2010 for example, Google and McAfee reported evidence of a politically-motivated malware campaign targeting critics of a Chinese-backed mining operation in Vietnam.

Still, Stewart called the cluster of victims surprising.

“We’ve seen APT [advanced persistent threat] activity targeted at Japan…there’s certainly been a pattern of activity against Taiwan, but these countries here – (they) weren’t at the top of my list,” he said.

Related Reading: RSA Confernce 2012 Session On Cyber War and Industrial Espionage

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona