Cyber Espionage: Energy Firms Eyed

Monday, September 24, 2012 @ 05:09 PM gHale

There is a cyber espionage campaign targeting several large companies, including two in the energy sector, Dell SecureWorks researchers said.

The campaign targeted an oil company in the Philippines, an energy firm in Canada, a military organization in Taiwan and other unidentified targets in Brazil, Israel, Egypt and Nigeria.

RELATED STORIES
Flame Siblings Remain Undetected
Flame Goes into Delete Mode
Saudi Aramco Back Up after Attack
Saudi Aramco Hacked

Mirage is the second cyber espionage campaign uncovered this year by the Counter Threat Unit (CTU) of security firm Dell SecureWorks.

The first campaign, dubbed Sin Digoo, targeted several petroleum companies in Vietnam, government ministries in different countries, an embassy, a nuclear safety agency and other business related groups.

The Dell SecureWorks researchers believe either the same group is behind both campaigns, or whoever is responsible for Mirage is working closely with those behind Sin Digoo.

There does seem to be a connection between the two attacks. The owner of three command and control domain names in the Mirage campaign has a connection to someone using the same email addresses as the owner of several C&C domains used in the Sin Digoo campaign.

The command and control IP addresses belong to the China Beijing Province Network (AS4808), said researchers. The China Beijing Province Network does have connections to malware and espionage.

The security researchers said the Mirage malware avoids detection by disguising its command and control communications as Google Searches by using SSL communications and a similar URL pattern to that of a Google Search.

According to testing site Virus Total, only half of the major anti-virus scanners detected Mirage.

Victims of the Mirage campaign end up hit by spear phishing emails containing a malicious executable. Clicking on the attachment drops a pdf, along with the executable.

One of the spear phishing emails used in this campaign contained a pdf of a news story titled “Yemeni Women can participate in politics just like men, says President Saleh”.

Energy companies, along with pharmaceutical and high-tech industries, are the most common targets of these advanced persistent threat campaigns, said Don Smith, technology director at Dell SecureWorks.

“But we are seeing other industries now being targeted, and all businesses should ask themselves just how confident they are that their cyber security regime minimizes the risks of attack, but I would say very few in my experience,” he said.

Researchers at Dell SecureWorks have identified more than 580 separate families of malware related to targeted advanced persistent attacks.

In the face of this new breed of attacks, Smith said organizations should ensure they had a layered approach to security.

“There is no silver bullet to deal with these attacks which is why businesses need to have protections at all levels,” he said.

Organizations need to understand the threat landscape, who is likely to attack them and why, said Smith.

Where possible, he said, this should include a forensic capability so in the event of an attack, an organization can identify exactly what went wrong.

“Information security professionals must talk to the business executives to find out what they are most worried about losing and create an informed security strategy based on that,” said Smith.



Leave a Reply

You must be logged in to post a comment.