What happens when an APT group running a cyber espionage campaign targets a second, distinct APT group?
The events occurred last year, when a group involved in a cyber espionage campaign dubbed Hellsing sent a spear phishing email to a rival hacking team, the Naikon APT, which is one of Asia's largest APT gangs.
“The email in this case originates from a government email … and is directed to the Naikon attackers. They decided to strike back at the attacker, a spy-on-spy sort of move,” explained Costin Raiu, head of Kaspersky’s global research and analysis team. “They [Hellsing] are interested in infecting other APTs and learning about their operations.”
The Naikon APT has been active for several years, and its operations have targeted entities in various sectors, including governments and the military. The hacking crew targeted diplomats, law enforcement, and aviation authorities in many Asian countries such as the Philippines, Malaysia, Cambodia, and Indonesia.
The unusual discovery was made by experts on the Kaspersky team, who provided a detailed analysis of the attack. The Hellsing APT attached a payload used to serve a powerful malware that infects the victim’s PC.
Researchers at Kaspersky Lab explained that Hellsing surgically selected about 20 organizations, limiting its operation to the US, Malaysia, the Philippines, Indonesia, and India. The name Hellsing comes from the project title left by a developer in malicious source code used by the hacking team.
Experts at Kaspersky consider the circumstances highly unusual and believe that this could be the beginning of a dangerous new trend in the criminal ecosystem; they describe the activity as APT-on-APT attacks.
“The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack,” reports the analysis published by Kaspersky.
The battle between the two APT groups began last February, when Naikon ran a spear phishing campaign against a number of adversaries, including Hellsing. For its part, the Hellsing group, once it had discovered the malicious campaign and its source, started its counteroffensive.
In March 2014, a few weeks after Naikon targeted other APT groups, including the Hellsing APT, the team launched a spear phishing campaign against most of the countries involved in the search for the missing Malaysia Airlines Flight MH370. The campaign targeted a wide range of entities, including institutions with access to information related to the disappearance of MH370.
The analysis of the command and control infrastructure revealed that Hellsing has ties to other groups, including PlayfulDragon, Mirage, Vixen Panda, Cycldek and Goblin Panda.
I suggest you carefully read this report, which details an operation considered the first APT-on-APT attack witnessed by the experts.
(Security Affairs – APT, Hellsing)