Every day Kaspersky Lab automatically processes 310,000 new malicious files. Only one percent of these need manual work from a security expert, and only a tiny fraction of that 1% go to the company’s top-notch Global Research and Analysis Team (GReAT). Those chosen few samples belong to the rarest, most menacing new APTs (advanced persistent threats). Kaspersky Lab’s Targeted Cyberattack Logbook chronicles all of these ground-breaking malicious cybercampaigns that have been investigated by GReAT.
Poseidon
Adwind
Sofacy
Turla
Blue Termite
Wild Neutron
Duqu 2.0
Naikon
CozyDuke
Hellsing
Animal Farm
Equation
Duqu
Aurora
Stuxnet
SabPub
Flame
Gauss
miniFlame
MiniDuke
Winnti
TeamSpy
Red October
NetTraveler
Epic Turla
Shamoon
Agent.btz
FinSpy
Hacking Team RCS
Dark hotel
Madi
Kimsuky
Icefog
The Mask
CosmicDuke
Crouching Yeti
Wiper
Machete
Black Energy
Regin
Cloud Atlas
Carbanak
Desert Falcons
Poseidon
Current status: Active
Type: Backdoor, Complex cyberattack platform
Discovery: 2015
Targeted platforms: Windows
First known sample: 2005
Number of targets: 11-100
TOP TARGETED COUNTRIES:
France, United States, India, Russia, Brazil, United Arab Emirates, Kazakhstan
  • Social engineering
  • Exploits
  • Cyberespionage
  • Surveillance
  • Remote control
  • Financial institutions
  • Government entities
  • Energy, oil and gas companies
  • Telecoms
  • Heavy industry manufacturers
  • Private companies
  • Mass media and TV
  • Manufacturing
  • Brazilian Portuguese language artefacts
The blog post and research paper are available at Securelist.com
Adwind
Current status: Active
Type: Backdoor, Complex cyberattack platform
Discovery: 2013
Targeted platforms: Windows, Linux, OS X, Android
First known sample: 2012
Number of targets: 100,001-300,000
TOP TARGETED COUNTRIES:
United States, India, Russia, United Arab Emirates, Germany, Italy, Turkey, Hong-Kong, Taiwan
  • Social engineering
  • Exploits
  • Cyberespionage
  • Surveillance
  • Malware-as-a-Service platform
  • Financial institutions
  • Government entities
  • Energy, oil and gas companies
  • Telecoms
  • Education
  • Mass media and TV
  • Manufacturing
  • Software companies
  • Shipping
  • Trade and commerce
  • Healthcare
  • Design
  • Engineering
  • Brazilian Portuguese language artefacts
Sofacy
Current status: Active
Type: Trojan, Backdoor
Discovery: 2014
Targeted platforms: Windows, Linux, iOS
First known sample: 2008
Number of targets: 11-100
TOP TARGETED COUNTRIES:
Ukraine, France, Greece, United Kingdom, Jordan, Belgium
  • Social engineering
  • Exploits
  • Cyberespionage
  • Data theft
  • Surveillance
  • Modular structure, USB stealing implant, which allows it to copy data from air-gapped computers
  • Government entities
  • Military
  • Defense industrial base
  • Russian language artefacts
Turla
Current status: Active
Type: Complex cyberattack platform
Discovery: 2014
Targeted platforms: Windows, Linux
First known sample: 2007
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Iran, France, United States, India, Saudi Arabia, Ukraine, Germany, China, Russia, Brazil, Belarus, Kazakhstan, Poland, Spain, Latvia, Vietnam, Ecuador, Algeria, Serbia, Mexico
  • Social engineering
  • Exploits
  • Watering hole attacks
  • Cyberespionage
  • Data theft
  • Surveillance
  • Usage of satellite internet connection to hide command and control servers
  • Academia/Research
  • Government entities
  • Military
  • Diplomatic organizations/embassies
  • Pharmaceutical
  • Education
  • Russian language artefacts
Blue Termite
Current status: Active
Type: Backdoor
Discovery: 2014
Targeted platforms: Windows
First known sample: 2013
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Japan
  • Social engineering
  • Exploits
  • Watering hole attacks
  • Cyberespionage
  • Data theft
  • Surveillance
  • Financial institutions
  • Government entities
  • Pharmaceutical
  • Satellite operators
  • Manufacturing
  • Education
  • Medical Industry
  • Chemical industry
  • Media
  • Health insurance services
  • Chinese language artefacts
Wild Neutron
Current status: Active
Type: Trojan, Cyberespionage toolkit, Backdoor
Discovery: 2013
Targeted platforms: Windows, OS X
First known sample: 2011
Number of targets: 11-100
TOP TARGETED COUNTRIES:
France, Russia, Switzerland, Germany, Austria, Slovenia, Kazakhstan, United Arab Emirates, Algeria, USA
  • Exploits
  • Watering hole attacks
  • Cyberespionage
  • Data theft
  • The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mindset and set of interests
  • Information technology
  • Software companies
  • Financial institutions
  • Specific individuals
  • Trade and commerce
  • Private companies
  • Pharmaceutical
  • Manufacturing
  • Investments
  • The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication. In addition to that, Kaspersky Lab researchers have found another non-English string which is the Latin transcription of the Russian word “Успешно” ("uspeshno" -> "successfully").
The blog post and research paper are available at Securelist.com
Duqu 2.0
Current status: Active
Type: Trojan
Discovery: 2015
Targeted platforms: Windows
First known sample: 2014
Number of targets: 11-100
TOP TARGETED COUNTRIES:
Victims have been found in Western countries, as well as in countries in the Middle East and Asia.
  • Social engineering
  • Unknown
  • Cyberespionage
  • Data theft
  • Surveillance
  • Remote control
  • An updated version of the infamous 2011 Duqu malware
  • A highly sophisticated malware platform exploiting up to three zero-day vulnerabilities
  • Malware infections linked to the P5+1 events and venues for high level meetings between world leaders
  • Duqu 2.0 doesn’t have a normal “persistence” mechanism: the code exists only in the computer’s memory
  • Probably possesses an alarming quantity of stolen certificates
  • The philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world.
  • Politicians
  • Information technology
  • Software companies
  • High technology companies
  • Specific individuals
  • Private companies
  • Electronics manufacturing
  • Duqu 2.0 is an updated version of the infamous 2011 Duqu malware, which is associated with an APT group that went dark in 2012.
  • The 2014 Duqu 2.0 binaries have several strings in almost perfect English but one of them has a minor mistake indicating non-native speakers. The usage of “Excceeded” instead of “Exceeded” in the file-harvesting module of Duqu 2.0 is the only language mistake we observed.
  • One of the victims appears to have been infected both by the Equation group and by the Duqu group at the same time; this suggests the two entities are different and competing with each other to obtain information from this victim.
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2, blog post #3)
The open IOC file is available here
Naikon
Current status: Active
Type: Trojan, Backdoor, Remote administration tool
Discovery: 2011
Targeted platforms: Windows
First known sample: 2009
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Vietnam, Cambodia, Indonesia, Malaysia, China, Philippines, Myanmar, Singapore, Nepal, Thailand, Lao People's Democratic Republic
  • Social engineering
  • Exploits
  • Cyberespionage
  • Surveillance
  • Remote control
  • Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work
  • The placing of infrastructure (a proxy server) within the country’s borders to provide daily support for real-time connections and data exfiltration
  • At least five years of high volume, high profile, geo-political attack activity
  • Platform-independent code, and the ability to intercept the entire network traffic
  • 48 commands in the repertoire of the remote administration utility, including commands for taking a complete inventory, downloading and uploading data, installing add-on modules, or working with the command line
  • Private companies
  • Government entities
  • Military
  • Naikon attackers appear to be Chinese-speaking (several indicators, such as Remote administration tool's admin and Honker Union code)
The blog post and research paper are available at Securelist.com
CozyDuke
Current status: Active
Type: Backdoor, Dropper
Discovery: 2015
Targeted platforms: Windows
First known sample: July 2014
Number of targets: 11-100
TOP TARGETED COUNTRIES:
USA, Germany, Uzbekistan, South Korea
  • Social engineering
  • Watering hole attacks
  • Cyberespionage
  • Extremely sensitive high profile victims and targets (targets in the U.S. are believed to include the White House and the State Department)
  • Evolving crypto and anti-detection capabilities. For example, the code hunts for the presence of several security products in order to attempt to evade them, namely: Kaspersky Lab, Sophos, DrWeb, Avira, Crystal and Comodo Dragon.
  • Strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components
  • Government entities
  • Commercial entities
  • Strong malicious program functionality, as well as structural similarities, match the CozyDuke toolset with the MiniDuke, CosmicDuke and OnionDuke cyberespionage campaigns; operations that, according to a number of indicators, are believed to be managed by Russian-speaking authors.
The blog post and research paper are available at Securelist.com
Hellsing
Current status: Active
Type: Remote administration tool
Discovery: Summer 2014
Targeted platforms: Windows
First known sample: 2012
Number of targets: 11-100
TOP TARGETED COUNTRIES:
Malaysia, Philippines, India, Indonesia, USA
  • Social engineering
  • Cyberespionage
  • Government entities
  • Diplomatic organizations/embassies
  • No data
The blog post and research paper are available at Securelist.com
The open IOC file is available here
Animal Farm
Current status: Inactive since 2014
Type: Trojan, Complex cyberattack platform
Discovery: 2014
Targeted platforms: Windows
First known sample: 2007
Number of targets: 3,001-5,000
TOP TARGETED COUNTRIES:
Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia
  • Social engineering
  • Watering hole attacks
  • Cyberespionage
  • DDoS
  • The first advanced French-speaking cyberespionage campaign
  • Multi-platform espionage environment
  • The threat actor is known to have used several 0day exploits
  • Attackers used a complex set of tools and combined both targeted and massive exploitation
  • Government entities
  • Activists
  • Private companies
  • Journalists
  • Mass media and TV
  • Humanitarian aid organizations
  • Military contractors
  • Animal Farm is a French-speaking cyberespionage campaign (French is an official language in 29 countries).
The blog post and research paper are available at Securelist.com
Equation
Current status: Active
Type: Complex cyberattack platform
Discovery: 2014
Targeted platforms: Windows
First known sample: 2002
Number of targets: 500-1,000
TOP TARGETED COUNTRIES:
Iran, Russia, Pakistan, Afghanistan, India, China, Syria, Mali, Lebanon, Yemen
  • USB drives
  • Exploits
  • Self-replication
  • Physical media, CD-ROMs
  • Cyberespionage
  • Data theft
  • Surveillance
  • The ability to infect the hard drive firmware
  • The use of “interdiction” technique to infect victims
  • Mimicking criminal malware
  • Nanotechnology
  • Financial institutions
  • Nuclear industry
  • Activists
  • Academia/Research
  • Government entities
  • Energy, oil and gas companies
  • Military
  • Telecoms
  • Diplomatic organizations/embassies
  • Trade and commerce
  • Aerospace
  • Mass media and TV
  • High technology companies
  • Education
  • Transportation
  • All artifacts are in English, with a few Latin words, such as "LUTEUS" and "OBSTOS"
The blog post and research paper are available at Securelist.com
Duqu
Current status: Inactive since 2012
Type: Trojan
Discovery: mid-April 2011
Targeted platforms: Windows
First known sample: 2008
Number of targets: 11-100
TOP TARGETED COUNTRIES:
Iran, Sudan, France, Hungary
  • Social engineering
  • Cyberespionage
  • The attackers were looking for information related to the production control systems and trade relationships of particular organizations.
  • They used the CVE-2011-3402 0-day vulnerability in the Windows Win32k.sys kernel component
  • No specific targets
  • "Tilded" team, related to Stuxnet and Flame developers
  • Kaspersky Lab believes this is a nation-state sponsored campaign, related to Stuxnet and Flame developers
  • The logs collected from some of the proxies indicated the attackers appear to work less on Fridays and didn’t appear to work at all on Saturdays, with their regular work week starting on Sunday. They also compiled binaries on January 1st, indicating it was probably a normal workday for them. The compilation timestamps in the binaries seemed to suggest a timezone of GMT+2 or GMT+3. Finally, their attacks would normally occur on Wednesdays, which was the reason we originally referred to them as the “Wednesday Gang”
The blog post and research paper are available at Securelist.com
Aurora
Current status: Inactive since 2010
Type: Cyberespionage toolkit
Discovery: January 2010
Targeted platforms: Windows
First known sample: June – December 2009
Number of targets: 11-100
TOP TARGETED COUNTRIES:
USA
  • Social engineering
  • Cyberespionage
  • Data theft
  • A 0-day vulnerability, known as CVE-2010-0249 in Internet Explorer, was used.
  • The attack was aimed at dozens of organizations, of which Google, Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
  • Information technology
  • Software companies
  • Financial institutions
  • Elderwood team, linked with China and other groups of Chinese origin, like Comments Crew
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
Stuxnet
Current status: Inactive since 2012
Type: Worm
Discovery: June 2010
Targeted platforms: Industrial SCADA systems
First known sample: 2007
Number of targets: 100,001-300,000
TOP TARGETED COUNTRIES:
Iran
  • USB drives
  • LAN spreading
  • File infection
  • Cybersabotage
  • The first cyberweapon intended to cause actual physical damage
  • Stuxnet was designed specifically to sabotage the uranium enrichment process at several factories
  • The worm exploited four separate zero-day vulnerabilities
  • Stuxnet driver files used valid Realtek and JMicron signatures as proof that the application was legitimate. It helped to hide the malware in the system and on infected USB devices to support rootkit functionality.
  • Nuclear industry
  • Allegedly a nation-state campaign
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
SabPub
Current status: Inactive since 2012
Type: Backdoor
Discovery: April 2012
Targeted platforms: OS X
First known sample: 2012
Number of targets: 11-100
TOP TARGETED COUNTRIES:
India, USA, Western Europe
  • Social engineering
  • Exploits
  • Cyberespionage
  • MacOS X backdoor
  • SabPub targeted the Dalai Lama and the Tibetan community
  • Activists
  • Related to LuckyCat attacks, Chinese origins
The blog post and research paper are available at Securelist.com
Flame
Current status: Inactive since 2012
Type: Complex cyberattack platform
Discovery: May 2012
Targeted platforms: Windows
First known sample: 2007
Number of targets: 500-1,000
TOP TARGETED COUNTRIES:
Majority of targets in Iran, others are Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Flame has also been reported in Europe and North America.
  • USB drives
  • LAN spreading
  • Cyberespionage
  • A complex attack toolkit with worm-like features
  • An uncharacteristically large program for malware at 20 megabytes. Flame is about 20 times larger than Stuxnet, comprising many different attack and cyberespionage features
  • It was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority.
  • It is written partly in the Lua scripting language, which is uncommon in malware
  • Specific individuals
  • Academia/Research
  • Government entities
  • ~DF Team, related to Stuxnet/Duqu developers
The blog post and research paper are available at Securelist.com
Gauss
Current status: Inactive since 2012
Type: Cyberespionage toolkit
Discovery: June 2012
Targeted platforms: Windows
First known sample: September 2011
Number of targets: 5,001-10,000
TOP TARGETED COUNTRIES:
Syria, Lebanon, Palestine, Israel
  • Unknown
  • Cyberespionage
  • The Gauss code includes commands to intercept data from users of Lebanese banks.
  • Gauss malicious toolkit has online banking monitoring functionality
  • Propagation methods are unclear; Gauss was probably installed by Flame in some cases.
  • Gauss is able to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent.
  • Gauss is capable of “disinfecting” the drive under certain circumstances, and uses removable media to collect and store information in a hidden file.
  • Specific individuals
  • Gauss is based on the Flame platform. It shares some functionality with Flame, such as the USB infection subroutines.
The blog post and research paper are available at Securelist.com
miniFlame
Current status: Inactive since 2012
Type: Backdoor
Discovery: October 2012
Targeted platforms: Windows
First known sample: 2010
Number of targets: 11-100
TOP TARGETED COUNTRIES:
Lebanon, Palestine, Iran, Kuwait, Qatar
  • Unknown
  • Cyberespionage
  • The exact infection vector for SPE is unknown; it is believed that the malware is deployed from the Command and Control server during Flame or Gauss infections.
  • Unlike Gauss, SPE/miniFlame implements a full client/server backdoor, which allows the operator direct access to the infected system. The SPE/miniFlame malware is unique in the sense that it can work either as a stand-alone program, as a Flame plugin or as a Gauss plugin
  • Specific individuals
  • Allegedly a new nation-state cyberespionage malware
  • SPE/miniFlame consolidates the theory of a strong link between the Flame and Gauss teams. miniFlame represents a common module used by both. All known 4.xx versions of SPE contain a version info section which references code page 3081, ENG_AUS, English (Australia)
The blog post and research paper are available at Securelist.com
MiniDuke
Current status: Active
Type: Backdoor
Discovery: February 2013
Targeted platforms: Windows
First known sample: 2008
Number of targets: 500-1,000
TOP TARGETED COUNTRIES:
Ukraine, Belgium, Portugal, Romania, The Czech Republic, Ireland, USA, Hungary
  • Social engineering
  • Cyberespionage
  • The malicious downloader is unique to each system and contains a customized backdoor written in Assembler.
  • The malware also uses Twitter, looking for specific tweets from pre-made accounts created by MiniDuke’s Command and Control (C2) operators. The tweets maintain encrypted URLs for the backdoors.
  • The infected system receives encrypted backdoors within GIF files and disguised as pictures that appear on a victim’s machine.
  • Government entities
  • Energy, oil and gas companies
  • Military
  • Academia/Research
  • Telecoms
  • Russian-speaking authors
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
Winnti
Current status: Active
Type: Trojan
Discovery: 2012
Targeted platforms: Windows
First known sample: 2009
Number of targets: 11-100
TOP TARGETED COUNTRIES:
The majority of the victims are from South East Asia. However, online gaming companies located in Germany, the USA, Japan, China, Russia, Brazil, Peru, and Belarus were also identified as victims of the Winnti group.
  • Social engineering
  • Data theft
  • Winnti hunts for intellectual property belonging to gaming companies such as source code and internal systems design.
  • The malware has been known to steal digital certificates used by gaming companies, which allows the attackers to distribute malicious software signed by trusted entities.
  • The first malicious program on a 64-bit version of Microsoft Windows 7 that had a valid digital signature
  • Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users
  • Software companies
  • Our research revealed that the attackers used the Chinese language in the code of the malware; they used Chinese locales in their Windows servers and they have been using a number of IP addresses in China. There are a number of other indicators, such as nicknames, timezones and more showing that the attackers are located in the People's Republic of China.
The blog post and research paper are available at Securelist.com
TeamSpy
Current status: Inactive since 2013
Type: Remote administration tool
Discovery: March 2013
Targeted platforms: Windows
First known sample: 2004
Number of targets: 1,001-2,000
TOP TARGETED COUNTRIES:
CIS, Eastern Europe
  • Social engineering
  • Exploits
  • Cyberespionage
  • Data theft
  • The attackers control the victims’ computers remotely using the legitimate remote administration tool TeamViewer. This application is signed with legitimate digital certificates and is used by more than 100 million users around the world.
  • To avoid alerting users that somebody is spying on them, the attackers dynamically patch TeamViewer in the memory to remove all signs of its presence
  • Activists
  • Energy, oil and gas companies
  • Heavy industry manufacturers
  • Intelligence agencies
  • Russian-speaking authors
The blog post and research paper are available at Securelist.com
Red October
Current status: Inactive since 2013
Type: Complex cyberattack platform
Discovery: January 2013
Targeted platforms: Windows, Windows Mobile
First known sample: 2007
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Eastern Europe, former USSR and countries in Central Asia, as well as some countries in Western Europe and North America.
  • Social engineering
  • Exploits
  • Cyberespionage
  • This multi-functional attack platform included several extensions and malicious files designed to quickly adjust to different system configurations and harvest intelligence from infected machines.
  • In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices
  • The Red October framework was designed to execute "tasks" that are provided by its C&C servers. Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.
  • Government entities
  • Diplomatic organizations/embassies
  • Academia/Research
  • Trade and commerce
  • Energy, oil and gas companies
  • Aerospace
  • Military
  • The exploits appear to have been created by Chinese hackers. The Rocra/Red October malware modules have been created by Russian-speaking operatives.
The blog post and research paper are available at Securelist.com
NetTraveler
Current status: Active
Type: Cyberespionage toolkit
Discovery: 2013
Targeted platforms: Windows
First known sample: 2004
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Mongolia, India, Russia. In total, infections were identified in 40 countries.
  • Social engineering
  • Watering hole attacks
  • Exploits
  • Cyberespionage
  • Data theft
  • The crew behind NetTraveler specifically targets Tibetan/Uyghur activists.
  • NetTraveler infects high-profile targets: space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.
  • More than 22 gigabytes of stolen data is stored on NetTraveler’s C&C servers.
  • Office and Java exploits were used.
  • Activists
  • Energy, oil and gas companies
  • Academia/Research
  • Private companies
  • Government entities
  • Diplomatic organizations/embassies
  • Military
  • Based on collected intelligence, we estimate the group contains about 50 individuals, most of whom are native Chinese speakers and have a working knowledge of English.
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
Epic Turla
Current status: Active
Type: Backdoor
Discovery: 2014
Targeted platforms: Windows
First known sample: 2012
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Top 10: France, Russia, Belarus, Romania, USA, Netherlands, Kazakhstan, Saudi Arabia, Iran, Poland. 45 countries in total.
  • Social engineering
  • Exploits
  • Watering hole attacks
  • Cyberespionage
  • Data theft
  • Epic Turla is able to upgrade itself to Turla/Uroboros malware
  • Among other targets: Ministry of interior (EU country), Ministry of trade and commerce (EU country), Ministry of foreign/external affairs (Asian country, EU country)
  • Government entities
  • Intelligence agencies
  • Diplomatic organizations/embassies
  • Military
  • Academia/Research
  • Pharmaceutical
  • Language artifacts in the malware code suggest Russian-speaking authors
The blog post and research paper are available at Securelist.com
Shamoon
Current status: Inactive since 2012
Type: Data destroyer
Discovery: August 2012
Targeted platforms: Windows
First known sample: August 2012
Number of targets: 1-10
TOP TARGETED COUNTRIES:
Saudi Arabia
  • LAN spreading
  • Data wiping
  • Shamoon is capable of spreading to other computers on the network by exploiting shared hard drives.
  • Once a system is infected, the virus compiles a list of files from specific locations on the system, erases them, and then sends information about these files back to the attacker.
  • Finally, the virus will overwrite the master boot record of the system to prevent it from booting
  • Shamoon targeted a specific company: Saudi Aramco
  • Energy, oil and gas companies
  • A group named "Cutting Sword of Justice" claimed responsibility for the attack
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2, blog post #3)
Agent.btz
Current status: Inactive since 2009
Type: Worm
Discovery: 2008
Targeted platforms: Windows
First known sample: 2007
Number of targets: 50,001-100,000
TOP TARGETED COUNTRIES:
US, Russia, Spain, Italy, Kazakhstan, Germany, Poland, Latvia, Lithuania, United Kingdom, Ukraine and 100+ other countries
  • USB drives
  • Self-replication
  • Cyberespionage
  • Data theft
  • Ability to scan computers for data, open backdoors, and send data through those backdoors to a remote command and control server
  • Military
  • Diplomatic organizations/embassies
  • Artifacts suggest Russian speaking malware authors
The blog post and research paper are available at Securelist.com
FinSpy
Current status: Active
Type: Backdoor, Trojan, Rootkit, Bootkit
Discovery: 2011
Targeted platforms: Windows, OS X, Linux, Android, iOS, Windows Mobile, Symbian, BlackBerry
First known sample: 2007
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Germany, Vietnam, Russia, Mongolia, China, USA, Cambodia, Japan, Indonesia, Lao People's Democratic Republic
  • Social engineering
  • Physical access to computers
  • Access to network connections
  • Surveillance
  • “Business-to-government” malware
  • Tries very hard to avoid detection
  • Logs incoming and outgoing calls
  • Makes concealed calls to eavesdrop on the target's surroundings
  • Steals information from smartphones (call logs, text and media messages, contacts, etc.)
  • Tracks coordinates
  • Activists
  • Criminal suspects
  • The FinSpy (FinFisher) software is sold by the UK-based Gamma Group company
The blog post and research paper are available at Securelist.com
Hacking Team RCS
Current status: Active
Type: Backdoor, Trojan, Rootkit
Discovery: 2011
Targeted platforms: Windows, OS X, BlackBerry, Windows Mobile, Android, iOS
First known sample: 2008
Number of targets: 101-500
TOP TARGETED COUNTRIES:
Russia, China, Italy, Vietnam, USA, Turkey, Iraq, Mexico, Germany, India
  • Bootable CD-ROM
  • USB drives
  • Direct hard disk infection
  • Social engineering
  • Exploits
  • Mobile infections through already infected PCs
  • USB cables
  • Surveillance
  • “Business-to-government” spyware
  • Can monitor any action performed using a personal computer/mobile device.
  • Modules for computers and mobile devices
  • Self-replication via USB flash drive
  • Infection of VMware virtual machines by copying itself into the autorun folder on the virtual drive
  • Ability to self-update
  • Samples are signed by legal authorities
  • Local infections via USB cables while synchronizing mobile devices
  • Specific malicious implant for every concrete target
  • At least 39 Apple devices supported by the iOS mobile modules
  • Both jailbroken and non-jailbroken iPhones can be infected: an attacker can conduct a remote jailbreak through already infected computers
  • Activists
  • Journalists
  • Politicians
  • Criminal suspects
  • This program was developed by the Italian company HackingTeam and is intended for sale to government authorities in different countries.
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
Dark hotel
Current status: Active
Type: Backdoor
Discovery: February 2014
Targeted platforms: Windows
First known sample: 2007
Number of targets: 3,001-5,000
TOP TARGETED COUNTRIES:
Over 90% of infections occur in the top five countries: Japan, Taiwan, China, Russia and South Korea.
  • Social engineering
  • Peer-to-peer sharing networks
  • Cyberespionage
  • Surveillance
  • Targeted attacks resulted in C-suite victims: CEOs, Sr Vice Presidents, Sales and Marketing Directors and top R&D staff
  • The gang uses both targeted attacks and botnet style operations.
  • Use of zero-day exploits targeting Internet Explorer and Adobe products
  • Use of an advanced, low-level keylogger to steal confidential data.
  • Malicious code signed using stolen digital certificates.
  • A long-running campaign: Darkhotel has been operating for almost a decade.
  • Automotive
  • Business individuals
  • Defense industrial base
  • Investments
  • Intelligence agencies
  • Military
  • Non-governmental organizations
  • Private companies
  • Specific individuals
  • Law enforcement agencies
  • Pharmaceutical
  • Electronics manufacturing
  • The attackers left a footprint in a string within their malicious code pointing to a Korean-speaking actor.
The blog post and research paper are available at Securelist.com
Madi
Current status: Inactive since 2012
Type: Backdoor
Discovery: July 2012
Targeted platforms: Windows
First known sample: 2011
Number of targets: 500-1,000
TOP TARGETED COUNTRIES:
Iran, Israel, USA, Pakistan
  • Social engineering
  • Cyberespionage
  • An unusual number of religious and political ‘distraction’ documents and images were dropped when the initial infection occurred.
  • The use of an amateurish and rudimentary approach helped the operation fly under the radar and evade detection
  • The malicious software was written by inexperienced programmers and contained many errors.
  • Madi targeted business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
  • Critical infrastructure engineering firms
  • Government entities
  • Financial institutions
  • Academia/Research
  • Business individuals
  • Some artifacts and the location of the victims suggested Iranian origins. The attackers were no doubt fluent in Persian - strings written in this language are littered throughout the malware and the C&C tools.
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2, blog post #3, blog post #4)
Kimsuky
Current status: Active
Type: Backdoor
Discovery: June 2013
Targeted platforms: Windows
First known sample: 2011
Number of targets: 11-100
TOP TARGETED COUNTRIES:
South Korea
  • Unknown
  • Cyberespionage
  • Data theft
  • Remote control
  • Email accounts on various public mail services are used to control bots and serve as drop zones.
  • We have identified the following mail services that have been abused: mail.bg, hotmail.com, gmail.com, india.com, gmx.com, mail.com, zoho.com, indiatimes.com, 8panther.com
  • Academia/Research
  • Government entities
  • Private companies
  • Strings left by malware author in the compile paths of the malicious samples' bodies suggest the attack has Korean origins. Also we have been able to define the IP addresses from which attackers visited their email accounts to control the bots. All those IP addresses turned out to be Chinese areas bordering North Korea. Internet Providers from these areas are believed to provide Internet into North Korea. All this, as well as the fact that the targets are of specific interest to the North Korean government, could suggest that North Korea might be behind this threat actor.
The blog post and research paper are available at Securelist.com
Icefog
Current status: Inactive since 2013
Type: Cyberespionage toolkit
Discovery: June 2013
Targeted platforms: Windows, OS X
First known sample: 2011
Number of targets: 101-500
TOP TARGETED COUNTRIES:
South Korea, Japan, China, USA
  • Social engineering
  • Cyberespionage
  • Data theft
  • Custom-made cyberespionage tools, particularly the "Icefog" backdoor set (also known as "Fucobha")
  • The attackers hijacked sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim's network.
  • This campaign demonstrated the emergence of small groups of cyber-mercenaries available for hire to perform surgical hit and run operations.
  • This small gang was going after the supply chain - a weak point of big businesses.
  • File stealing isn't automated, instead the attackers process their victims one by one - they locate and copy only relevant information.
  • Government entities
  • Military
  • Maritime and ship-building groups
  • Telecoms
  • Satellite operators
  • Mass media and TV
  • Energy, oil and gas companies
  • High technology companies
  • The name "Icefog" comes from a string used in the command-and-control server name of one of the malware samples.
  • The C&C software is named "Dagger Three" ("尖刀三号") when translated from Chinese.
  • For martial arts fans, "尖刀三号" is similar to "三尖刀", which is an ancient Chinese weapon.
The blog post and research paper are available at Securelist.com (blog post #1, blog post #2)
The Mask / Careto
Inactive since 2014
Cyberespionage toolkit
2013
Windows, OS X
2007
101-500
TOP TARGETED COUNTRIES:
Morocco, Brazil, United Kingdom, France, Spain, Switzerland, Libya, USA, Iran - 31 countries in total
  • Social engineering
  • Cyberespionage
  • The attackers use a very complex toolset that includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).
  • The group behind this attack shows a very high degree of professionalism in its operational procedures, suggesting that it is probably a state-backed campaign.
  • Government entities
  • Diplomatic organizations/embassies
  • Energy, oil and gas companies
  • Academia/Research
  • Private companies
  • Activists
  • Clues such as the use of the Spanish language are weak, as it is spoken in many countries, including those of Latin America, Mexico and the USA (for instance in Miami, where a strong Spanish-speaking community exists).
The blog post and research paper are available at Securelist.com
CosmicDuke
Active
Backdoor
2013
Windows
April 2012
101-500
TOP TARGETED COUNTRIES:
Top 10 countries: Georgia, Russia, USA, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine, Lithuania. Others include Azerbaijan, Greece and Ukraine.
  • Trojanized software installers
  • Data theft
  • The TinyBaron/CosmicDuke custom backdoor is compiled using a customizable framework called "BotGenStudio", which has sufficient flexibility to enable/disable components when the bot is constructed.
  • The attackers use strong self-protection to prevent antimalware solutions from analyzing the implant and detecting its malicious functionality via an emulator; this also complicates manual malware analysis.
  • CosmicDuke also targets individuals involved in the trafficking and sale of illegal and controlled substances. These victims have been observed only in Russia.
  • Diplomatic organizations/embassies
  • Energy, oil and gas companies
  • Telecoms
  • Military
  • Specific individuals
  • Although the attackers use English in several places, there are certain indicators – like strings in a block of memory appended to the malware component used for persistence – that make experts believe they are not native English speakers.
The blog post and research paper are available at Securelist.com
Crouching Yeti
Active
Backdoor, Remote administration tool
January 2014
Windows
2010
2,001-3,000
TOP TARGETED COUNTRIES:
USA, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
  • Social engineering
  • Exploits
  • Watering hole attacks
  • Trojanized software installers
  • Data theft
  • Interest in OPC/SCADA: the group distributed trojanized software used to administer remote OPC servers, as well as modules that scan networks for OPC servers.
  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology
  • Russian-speaking authors
The blog post and research paper are available at Securelist.com
Wiper
Inactive since 2012
Data destroyer
April 2012
Windows
December 2011
Unknown
TOP TARGETED COUNTRIES:
Iran
  • Unknown
  • Data wiping
  • The creators of Wiper were extremely careful to destroy absolutely every last piece of data that could be used to trace the incidents.
  • The malware was so well written that once it was activated, no data survived.
  • Energy, oil and gas companies
  • Government entities
  • Wiper may have been related to Duqu and Stuxnet, given the common filenames.
The blog post and research paper are available at Securelist.com
Machete
Inactive since 2014
Trojan
2013
Windows
2010
500-1,000
TOP TARGETED COUNTRIES:
Venezuela, Ecuador, Colombia, Russia, Brazil, Peru, Cuba, Spain, Sweden, China, Germany, USA, Belgium, France, Malaysia
  • Social engineering
  • Data theft
  • Cyberespionage
  • Has the functionality to extract stolen information from infected computers via a special USB stick that is connected locally. The attackers introduced this feature to make sure that the stolen information could still be extracted even if the network infrastructure was compromised or destroyed. Some modules are written in Python, which is not common for targeted attacks.
  • Military
  • Diplomatic organizations/embassies
  • Intelligence agencies
  • Government entities
  • A Spanish-speaking country from Latin America interested in the politics and military affairs of the targets mentioned above
The blog post and research paper are available at Securelist.com
Black Energy
Active
Complex cyberattack platform
December 2013
Windows, Linux, Cisco IOS
2010
500-1,000
TOP TARGETED COUNTRIES:
Russia, Ukraine, Poland, Lithuania, Belarus, Azerbaijan, Kyrgyzstan, Kazakhstan, Iran, Israel
  • Social engineering
  • USB drives
  • LAN spreading
  • File infection
  • Cyberespionage
  • DDoS
  • Data theft
  • Data wiping
  • The malware has a wide range of targets: power generation site owners, power facilities construction, power generation operators, large suppliers and manufacturers of heavy power related materials, investors, high level government, other ICS construction, federal land holding agencies, municipal offices, federal emergency services, space and earth measurement and assessment labs, national standards body, banks, high-tech transportation, academic research.
  • BlackEnergy is designed to execute "tasks" that are commissioned by its C&C servers and implemented by plugins. Apart from the Windows plugins, there are known plugins for the ARM/MIPS architectures and Tcl scripts for Cisco devices.
  • Wide range of targets
  • Russian-speaking authors
The blog post and research paper are available at Securelist.com
Regin
Active
Complex cyberattack platform, Trojan, Rootkit
spring of 2012
Windows
2003
11-100
TOP TARGETED COUNTRIES:
Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria, Russia
  • Unknown
  • Cyberespionage
  • Facilitating other types of attacks
  • Remote control
  • Regin – the first cyber-attack platform known to penetrate and monitor GSM networks in addition to other “standard” spying tasks.
  • One particular Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.
  • The Regin platform uses an incredibly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
  • Specific Regin targets include individuals involved in advanced mathematical/cryptographic research.
  • Telecoms
  • Government entities
  • Multi-national political bodies
  • Financial institutions
  • Academia/Research
  • Specific individuals
  • Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state.
The blog post and research paper are available at Securelist.com
Cloud Atlas
Active
Trojan
August 2014
Windows, Android, iOS, Linux
2014
11-100
TOP TARGETED COUNTRIES:
Russia, Kazakhstan, Belarus, India, The Czech Republic
  • Social engineering
  • Exploits
  • Cyberespionage
  • Data theft
  • CloudAtlas represents a rebirth of the RedOctober attacks.
  • Some of the victims of RedOctober are also targeted by CloudAtlas.
  • Both Cloud Atlas and RedOctober malware implants rely on a similar construction, with a loader and a final payload that is stored, encrypted and compressed in an external file.
  • CloudAtlas implants utilize a rather unusual C&C mechanism - all malware samples communicate with accounts from a cloud services provider.
  • The Microsoft Office exploit doesn’t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.
  • Diplomatic organizations/embassies
  • Government entities
  • The same threat actor as behind the Red October attacks
The blog post and research paper are available at Securelist.com
Carbanak
Active
Backdoor
2014
Windows
2013
11-100
TOP TARGETED COUNTRIES:
Russia, USA, Germany, China, Ukraine, Canada, Taiwan, Hong-Kong, United Kingdom, Spain, Norway, India, France, Poland, Pakistan, Nepal, Morocco, The Czech Republic, Switzerland, Bulgaria, Australia, Iceland, Brazil
  • Social engineering
  • Exploits
  • Stealing money
  • Surveillance
  • First ever criminal APT
  • The Carbanak cybergang was able to steal up to $1bn from 100 financial institutions worldwide.
  • The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.
  • The largest sums were grabbed by hacking into banks and stealing up to ten million dollars in each raid.
  • Financial institutions
  • Responsibility for the robbery rests with a multinational gang of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China.
The blog post and research paper are available at Securelist.com
The open IOC file is available here
Desert Falcons
Active
Trojan, Backdoor
2014
Windows, Android
2011
3,001-5,000
TOP TARGETED COUNTRIES:
Palestine, Egypt, Israel, Jordan, USA, Iraq, Kingdom of Saudi Arabia, United Arab Emirates, South Korea, Morocco, Qatar, Russia, Lebanon, Iraq, Canada, Germany, China, Kuwait, Norway, Turkey, Sweden, France, Mexico, Morocco and others
  • Social engineering
  • Cyberespionage
  • Data theft
  • Surveillance
  • The first known Arabic cyberespionage group
  • Financial institutions
  • Activists
  • Specific individuals
  • Academia/Research
  • Government entities
  • Critical infrastructure engineering firms
  • Business individuals
  • Energy, oil and gas companies
  • Military
  • Trade and commerce
  • Private companies
  • Journalists
  • Politicians
  • Mass media and TV
  • Industrial/machinery
  • Manufacturing
  • Construction
  • Education
  • The Desert Falcons group counts around 30 members, working in three teams and operating mainly from Palestine, Egypt and Turkey.
The blog post and research paper are available at Securelist.com
Research stages
A comprehensive APT research project consists of several stages:
1. Adding detection for known modules
2. Collecting samples
3. Reversing the samples
4. Decrypting sophisticated encryption and compression schemes
5. Understanding lateral movement
6. Outlining multiple attack stages in the correct order
7. Mapping C&C infrastructure
8. Setting up sinkholes
9. Analyzing collected traffic and communication protocols
10. Crawling other hosts that understand the same protocol
11. Taking down and acquiring images of C&C servers
12. Identifying victims, sending out notifications to victims and global CERTs
13. Applying forensic analysis and extracting logs, stolen files and other components
14. Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
15. Writing a comprehensive report
CONTACT US
For any inquiries, please contact apt.securelist@kaspersky.com

If you are looking for more detailed information about an APT,
please contact intelreports@kaspersky.com
Mitigation Strategies
Mitigation is where enterprises need to start, prevention being significantly more effective and more cost-efficient than remediation after an attack.