Connect with us

Hi, what are you looking for?

HEADLINES

The APT wars: cybercriminal groups attacking each other

In 2014, Hellsing, a small and technically unremarkable cyberespionage group targeting mostly government and diplomatic organizations in Asia, was subjected to a spear-phishing attack by another threat actor and decided to strike back.

Kaspersky Lab believes that this could mark the emergence of a new trend in criminal cyberactivity: the APT (Advanced Persistent Threat) wars.

The discovery was made by Kaspersky Lab experts during research into the activity of Naikon, a cyberespionage group also targeting organizations in the Asia-Pacific region.

The experts noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.

Advertisement. Scroll to continue reading.

The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target’s own malware. This moved triggered Kaspersky Lab’s investigation and led to the discovery of the Hellsing APT group.

The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.

Deeper analysis of the Hellsing threat actor by Kaspersky Lab reveals a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organizations.

If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. According Kaspersky Lab’s observations, the number of organizations targeted by Hellsing is close to 20.

Hellsing Targets

Advertisement. Scroll to continue reading.

The company has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US, with most of the victims located in Malaysia and the Philippines.

The attackers are also very selective in terms of the type of organizations targeted, attempting to infect mostly government and diplomatic entities.

“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting-“Empire Strikes Back” style, is fascinating. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack,” said Costin Raiu, Director of Global Research and Analyst Team at Kaspersky Lab.

According to Kaspersky Lab analysis the Hellsing threat actor has been active since at least 2012 and remains active.

Protection

Advertisement. Scroll to continue reading.

To protect against Hellsing attacks, Kaspersky Lab recommends the following basic security best practices:

  • Don’t open suspicious attachments from people you don’t know
  • Beware of password protected archives which contain SCR or other executable files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed

Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader.

Kaspersky Lab products successfully detect and block the malware used by both the Hellsing and Naikon actors.

KL_Hellsing

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

The PLDT wireless unit is also calling on customers to report these messages to Smart’s HULISCAM portal for further action.

HEADLINES

Here are some tips from Sophos for staying secure online during the cybersecurity awareness month.

HEADLINES

While only 21% of hackers believed that AI technologies enhance the value of hacking in 2023, 71% reported it to have value in 2024....

HEADLINES

Kaspersky has enhanced its Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform for industrial enterprises, and streamlined Managed Detection and Response (MDR) for Industrial...

HEADLINES

Located in the Kaspersky office, the new facility will provide the company’s stakeholders with services ranging from an overview of Kaspersky’s practices, to a...

HEADLINES

Smart and Maya emphasize that they never send SMS with links requesting login credentials, personal information, or account verification. If you receive such a...

HEADLINES

In this new scheme, scammers call potential victims claiming that their phone number has been linked to illegal activities. The fraudsters would then extort...

White Papers

With an increase of 9% the industry is one of only three sectors with an increasing attack rate beside healthcare (+7%) and financial services...

Advertisement