Cylance exposes 'Dust Storm' APT attack on Japanese infrastructure
An APT dubbed Operation Dust Storm
An advance persistent threat group operating since at least 2010 has recently been concentrating its efforts on infiltrating Japanese critical infrastructure and key commercial interests, according to cybersecurity firm Cylance, which went public with its findings yesterday due to the perpetrators' increasingly aggressive tactics.
Dubbed “Operation Dust Storm,” the APT is the work of a sophisticated hacking group or army backed by a nation-state—most likely China based on ample circumstantial evidence. Dust Storm is responsible for a multitude of seemingly unrelated global attacks over the last six years that Cylance was able to link together through its research. Earlier attacks targeted global government and defense-related intelligence entities using myriad tactics including phishing, waterholes and zero-day exploits. But starting in 2015, the group shifted its attention almost exclusively to Japan, according to a Cylance white paper.
In the last year, the group has been observed leveraging a malware application that Cylance calls “ZLIB backdoor,” with hard-coded proxy addresses and credentials, to silently gain access to private networks and collect information for reconnaissance purposes. Cyberespionage targets have included Japanese companies involved in power generation, oil and natural gas, construction, finance and transportation.
Largely undetectable through standard antivirus programs, the backdoor gives attackers the ability to upload and download files, impersonate log-on sessions, manipulate Windows services, mimic keystrokes and mouse clicks, execute shell commands and more. “We started to see a pattern of industries that were targeted and these guys seemed to be successful time after time. And all these new activities were going under the radar in the security industry,” said Gross, director of threat intelligence at Cylance, in an interview with SCMagazine.com.
The perpetrators' m.o. of choice is delivering malware via links found in spear phishing emails, strategically targeting key individuals within organizations. Typically, the email addresses from the sender are spoofed. “We've seen some evidence that suggests they're aware of partnerships between companies and who these people [the targets] normally work with,” said Gross.
Cylance has not observed any cyberactivity that would indicate those responsible are planning a crippling cyberattack against critical infrastructure, Gross confirmed.
Cylance's research division SPEAR recovered malware from a February 2015 network intrusion impacting the investment arm of a major Japanese automaker. The attack took place just two weeks before 11 auto worker unions demanded a monthly raise of 6,000 yen, the white paper noted. Cylance can't be certain there's a connection between the attack and the union action, “but we just found it a little suspect,” said Gross, speculating that the bad actors behind the APT could have been seeking intel about perceived worker unrest.
In July and October 2015, the same perpetrators launched attacks against a Japanese subsidiary of a South Korean electric utility as well as a major Japanese oil and gas company.
Cylance also reported that the attackers began seriously ramping up its mobile operations in May 2015, adopting and customizing Android backdoors to collect SMS messages as well as enumerate and exfiltrate files from affected devices in Japan and South Korea. More than 200 domains hosting the Android malware have been discovered to date.
Gross acknowledged that China has emerged as the prime suspect. “There's a great deal of circumstantial evidence in terms of zero-days they're using… to suggest it's most likely China,” said Gross. “I'm not sure there ever is concrete evidence in cyberattacks, but this is as close as you're going to get,” he added.
APTs and cyberattacks targeting critical infrastructure, including those perpetrated by nation-states, remain a major global concern. To that end, the U.S. Federal Energy Regulatory Commission earlier this year gave final approval to seven critical infrastructure protection (CIP) Reliability Standards under the Federal Power Act (FPA).