One of the most interesting characteristics of the MiniDuke attacks was the combination of a threat with code written using a complex, ‘old school’ approach, and relatively new, yet tried-and-true, exploit technologies targeting Adobe Reader vulnerabilities.

The attackers sent out malicious PDF documents with exploits targeting versions 9 through 11 of Adobe Reader. The documents contained information about a seminar on human rights (ASEM), news about Ukraine’s foreign policy, and the plans of NATO countries. If an exploit was successful, the victim’s computer would be infiltrated by a unique backdoor, small at just 20 KB, written in Assembler.

The cybercriminals used Twitter in this attack: in order to obtain C&C server addresses and subsequently download new malicious modules, the backdoor sought out special tweets from previously created accounts. As soon as the infected system established a connection with the command server, it would begin to receive encrypted modules (backdoors) bundled with GIF files. These modules had relatively simple functions: copying, moving and deleting files, creating directories, and downloading new malicious programs.
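The report above only says the modules arrived bundled with GIF files. As an added example that is not from the bulletin or from any MiniDuke analysis, the script below walks a GIF's block structure and reports how many bytes sit after the file's 0x3B trailer; it assumes (an assumption, not stated on this page) that a bundled module would show up as data appended beyond the trailer, and the sample GIF and the appended bytes are constructed for the example.

```python
import struct

# Constructed 1x1 GIF89a with no colour tables, one image, and the 0x3B trailer
# (a sample built for this example, not a file from the MiniDuke campaign).
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)   # header + logical screen descriptor
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)   # image descriptor, no local colour table
    + b"\x02\x02\x44\x01\x00"                             # LZW min code size, one sub-block, terminator
    + b"\x3b"                                             # GIF trailer
)
# Constructed stand-in for a payload appended after the trailer (assumed layout).
SUSPECT_GIF = CLEAN_GIF + b"<encrypted module bytes>"


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks (ends at a 0x00 byte)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated inside data sub-blocks")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos


def gif_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the GIF trailer; raise ValueError for non-GIF or truncated input."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed, pos = data[10], 13                 # packed byte of the logical screen descriptor
    if packed & 0x80:                          # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer found")
        introducer, pos = data[pos], pos + 1
        if introducer == 0x3B:                 # trailer: anything after it is foreign data
            return len(data) - pos
        if introducer == 0x2C:                 # image descriptor (9 bytes) + LZW min code size
            local = data[pos + 8]
            pos += 9 + (3 * (2 << (local & 0x07)) if local & 0x80 else 0) + 1
        elif introducer == 0x21:               # extension block: skip its label byte
            pos += 1
        else:
            raise ValueError(f"unexpected block 0x{introducer:02x} at offset {pos - 1}")
        pos = _skip_sub_blocks(data, pos)      # image data and extensions share the sub-block chain


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("suspect", SUSPECT_GIF)):
        print(f"{name}: {gif_trailing_bytes(blob)} byte(s) after GIF trailer")
```

A non-zero count is only a triage signal: some legitimate tools also append metadata after the trailer, so the trailing bytes should be inspected rather than treated as proof of a dropper.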
In February, Mandiant published a large PDF report on the attacks launched by a certain group of Chinese hackers going by the name of APT1. The term APT (Advanced Persistent Threat) is still a buzzword. Yet sometimes it refers to threats or attacks that aren’t exactly “advanced”. However, in the case of APT1, “advanced” is no exaggeration: this campaign run by Chinese hackers is large-scale and not to be taken lightly.

The Mandiant report starts off by stating that APT1 appears to be a division of the Chinese army. The company even included a possible physical address for the division, and estimated the number of people involved and the infrastructure used. Mandiant believes that APT1 has been operating since 2006, and that over the course of 6 years it has managed to steal terabytes of data from at least 141 organizations. The victim organizations are primarily located in English-speaking countries. No doubt these massive attacks would not have been possible without real support from hundreds of people and a developed, modern infrastructure.

This is definitely not the first time that China has faced accusations of involvement in cyberattacks against government agencies and organizations in countries around the world. And there is nothing particularly surprising about the Chinese government’s firm rejection of the assertions made in the Mandiant report. Note that up till now, no country has ever claimed responsibility for any cyberespionage attack, or has admitted to involvement in cyberespionage under pressure from public or agency evidence.
In March 2013, information was published about the latest in a line of complex attacks targeting high-ranking politicians and human rights advocates in the CIS and Eastern Europe. The operation was named “TeamSpy,” as the remote admin program TeamViewer was used by the attackers to control victim computers. The main objective of this attack was to gather information from user computers, starting with screenshots and ending with copies of .pgp files, including passwords and encryption keys. Even though the tools used in the TeamSpy operation, and even the operation itself, didn’t seem all that sophisticated or professional compared to the Red October operation, the TeamSpy attacks were also successful.