Incident Response, Malware, TDR

Riding low and slow, Hikit targets U.S. defense contractors

Researchers at security firm Mandiant have identified a backdoor trojan, called Hikit, which has targeted a small number of defense contractors in the United States.

Ryan Kazanciyan, a principal consultant at the Washington, D.C.-based company, told SCMagazine.com on Monday that the malware, first discovered last year, falls into the category of an advanced persistent threat.

“This is something we've been investigating and tracking for a long time, but now is the time we are comfortable going public,” Kazanciyan said.

As opposed to financial fraud, the goal of the attackers behind Hikit is to conduct industrial espionage and steal sensitive data, he said.

“It was deployed as part of a larger attack against a handful of companies," he said. "[Hikit] was one specific piece of malware used among many in this targeted attack."

The trojan itself is not used to initiate a breach, but to exploit an existing server vulnerability so that attackers can maintain access to victims' data.

Hikit can run commands on a  targeted server, as well as transfer files to retrieve data and redirect traffic within other systems of the victims' internal network.

Researchers at Symantec wrote a blog post on the Hikit threat Friday, explaining that the malware, in an attempt to evade any detection, does not contact a command-and-control server or attacker upon installation.

“Instead, the kernel driver will monitor incoming network traffic and wait for the specific attacker's pattern that opens the backdoor communication channel,” the post said. “Since the compromised computer does not contact the attacker, its operational capability is significantly reduced.”

As Hikit was launched as just one of many pieces of malware by attackers, Mandiant's Kazanciyan said the malware could go undetected for several years, due to the size and complexity of most victims' corporate networks and the attacker's ability to rely on stolen credentials to maintain access.

Citing the arduous process of uncovering this particular threat, Kazanciyan said in a number of cases, many of the victims only become aware that they've been targeted only after being notified by law enforcement.

Once the find out they've been hit, organizations should first conduct an investigation to determine how the malware got onto their servers, as it must be installed by someone who has privileged access to the system, he said.

To limit the targeted malware's impact, organizations can isolate their internet-facing systems so the malware is kept from being redirected elsewhere in the network.

“The attacker may get stuck on only interfacing systems,” Kazanciyan said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.