New espionage campaign tied to RSA breach, GhostNet attacks


A cyber espionage campaign, now linked to attacks on the energy and oil sector in various countries and a military organization, was likely launched by the same attackers behind an RSA breach and the GhostNet spy network.

Recent targets in the Mirage campaign – which is named after the remote access trojan Mirage spread through spear phishing emails – include an energy company in Canada, a high-profile oil company in the Philippines and a military organization in Taiwan.

Researchers at Dell SecureWorks Counter Threat Unit discovered Mirage, which is usually embedded in executable files designed to look and behave like PDFs, and began tracking the cyber espionage campaign in April.

Silas Cutler, a security researcher for SecureWorks CTU, said that Mirage wasn't particularly sophisticated, but that it was effective because it usually reached mid- to senior-level executives, who are the targets of the spear phishing emails.

“It deletes its original copy to have the user hopefully forget about it,” Cutler said of the malware. “It can receive and delete files, but it's a very simple piece of malware.”

Researchers have discovered two main variants of the trojan: one communicates with its command-and-control servers using a standard HTTP request, and the other uses HTTP POST requests to send system information about infected machines to its servers.

“It's a continuing campaign against these natural resource companies, and there's definitely an indication that they are becoming bigger targets given the occurrences this year,” Cutler said.

He estimated that up to 120 machines were infected by Mirage, primarily at the organizations in Canada, the Philippines and Taiwan. Researchers are still analyzing whether attacks on entities in Brazil, Egypt, Nigeria and Israel may be related to the Mirage campaign.

SecureWorks also discovered that the command-and-control IP addresses used by the Mirage actors belonged to a specific internet network also used by custom malware involved in the RSA breach revealed in 2011, in which hackers stole information related to the organization's two-factor authentication products. IP addresses in that same network have also been used as command-and-control servers for malware associated with the GhostNet campaign made public in 2009, which also spread through phishing emails. That campaign targeted government computers in more than 100 countries.

Researchers at SecureWorks believe that Mirage attackers are operating out of China, since three IP addresses detected were found to be from a subnet of the Beijing Province Network.

In a SecureWorks report on the Mirage campaign, researchers advised companies to use active intrusion detection tools, as well as domain name system (DNS) monitoring, to detect malicious activity.

“Traditionally, the success of botnets created by threat actor groups has been measured by the quantity of infected systems and the difficulty to defend against [them] in the long term,” the report said. “These targeted attacks show that a successful campaign requires only a small quantity of infected systems to accomplish the attackers' objectives and to yield extremely powerful results.”
