
The Empire Strikes Back

Published in: Internet

  1. THE EMPIRE STRIKES BACK
     Costin G. Raiu
     How APT actors fight each other for control
  2. MH17 I FLY A LOT, HOW ABOUT YOU?
     Recent flight tragedies: QZ8501, MH370, 4U9525
  3. MH370 CYBERCRIMINALS ARE QUICK TO EXPLOIT TRAGEDIES
     • Cybercriminals take advantage of news to launch phishing attacks
     • Such news includes hurricanes, earthquakes, tsunamis, terrorist attacks or other tragedies
     • The goal is to trick people looking for news into opening malicious emails and documents
  4. NAIKON: MH370 ATTACKS
     • The Naikon group is an APT that is very active in Asia
     • We’ve noticed a spike in the number of Naikon attacks against the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore and Nepal
     • Naikon was quick to exploit the MH370 tragedy
     • It launched a massive campaign to attack other nations in APAC, notably those involved in the search for MH370
  5. NAIKON SPEAR-PHISHING
  6. HUNDREDS OF EMAILS WERE SENT
  7. AFFECTED PARTIES IN VARIOUS COUNTRIES
     • Office of the President
     • Navy Forces
     • Armed Forces
     • Office of the Cabinet Secretary
     • National Security Council
     • Office of the Solicitor General
     • National Intelligence Coordinating Agency
     • Civil Aviation Authority
     • Department of Justice
     • National Police
     • Presidential Management Staff
     Several hundred victims
     Thousands of documents stolen
  8. THE VICTIM ASKS
  9. THE ATTACKER REPLIES
  10. A BIT LATER…
  11. Directory of … Mar 31, 2014.scr
  12. THE “HELLSING” APT
     • Active since ~2012
     • Spear-phishing: archives, SCR files
     • Main interests: APAC nations
     • No financial gain, pure intelligence gathering
     • Probably nation-state sponsored
     Country “A”: Country “B”: Country “C”: +Embassies, ASEAN, etc…
     • Ministry of Foreign Affairs
     • Ministry of Tourism and Culture
     • Immigration Department
     • Office of the President
     • National Economic and Development Authority
     • Society for Quality
     • Ministry of Foreign Affairs
  13. ATTACK ANALYSIS – “HELLSING”
  14. AM I AT RISK?
     Risk factors:
     • Do you receive and read hundreds of emails, open attachments?
     • Do you work for/with governments in APAC?
     • Have you received suspicious .scr files?
     • Inside RAR/ZIP archives, with password?
     To find out if you’re infected:
     • Use our IOCs document
     • All Kaspersky Lab products detect the Hellsing actor
  15. PREVENTION MEASURES (GENERAL)
     • Educate employees on how to avoid being ‘socially-engineered’
     • Use strong anti-malware suites, best practices
     • Use separate laptops for travel
     • Don’t update software while traveling
     • Use VPNs
     • Use strong and unique passwords for each website
     • Default deny policies stop many APTs dead in their tracks
  16. CONCLUSION
     • Welcome to APT wars!
     • Attack / counterattack mentality
     • Goals: attribution, counter-intelligence gathering
     • Are they really advanced? No
     • Are they really a threat? Yes!
  17. Prediction: we’ll see more APT wars in the near future
  18. QUESTIONS?
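
An added example, not part of the original slides: the slide 14 risk check (.scr files inside password-protected archives) written as a mail-attachment triage in Python. It covers ZIP only; every extension other than .scr, the file names and the sample archives are assumptions constructed here.

```python
import io
import zipfile

# .scr is the type the slides name; the other extensions are added assumptions.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg"}

def build_sample_zip(names, encrypted=False):
    """Constructed sample: harmless in-memory ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the general-purpose flags in every central directory record.
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= 0x01
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)

def triage_zip(data):
    """Return {member name: [reasons]} for entries an analyst should review."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Classic ZIP encryption leaves member names readable without the password.
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().rstrip(" .").split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in EXECUTABLE_EXTS:
                continue
            reasons = ["executable extension " + ext]
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                reasons.append("document-style double extension")
            if info.flag_bits & 0x1:
                reasons.append("entry is password-protected")
            findings[info.filename] = reasons
    return findings

if __name__ == "__main__":
    sample = build_sample_zip(["notes.txt", "flight report.doc.scr"], encrypted=True)
    for member, reasons in triage_zip(sample).items():
        print(member, "->", "; ".join(reasons))
```

The check reads only the archive's central directory, so it needs no password and never extracts or runs a member.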
