Category Archives: Persistent Threats

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states (among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul), the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unidentified but presumably Spanish-speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for an ugly face or a mask, it is assumed that the malware authors speak Spanish. The malware came to Kaspersky Lab’s attention because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from scans. The toolset also included a rootkit and a bootkit, employed zero-day exploits, and could infect a variety of 32- and 64-bit systems, with versions for Windows, Mac OS X and Linux, and possibly Android and iOS on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses impersonating the sites of a number of Spanish and international newspapers, and the malware itself was signed with a valid certificate, albeit one issued to an unknown and probably fictitious Bulgarian company called TecSystem Ltd. The command and control servers were also configured to deny access to IP addresses that may be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to be primarily in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are only a limited subset of the possible targeted groups, as the team involved was very effective at covering its tracks, and the known targets only represent the systems being targeted at the time of Kaspersky’s investigation. However, soon after the operation was discovered, it was shut down, as detailed in the article quoted below.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager

The Syrian Electronic Army: Mediums of Disinformatics


“We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports”

The Syrian Electronic Army (SEA) most likely began at least in part as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989, and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people. The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% by US government organizations. On issues rich with nationalistic fervor such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet favourable to Syrian interests, and that 71% of the documents were absolutely hostile to Syrian perspectives.

This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though the group also engages in “punishing” media outlets by propagating false news events.

The personnel evolution of the group can be roughly split into two phases. In the early phase, the group’s website from May of 2011 was hosted by the SCS, and the domain registration pointed to the same group. A later site was registered with the approval of the SCS. By May of 2013, however, the SCS had cut all of these ties and disabled the site. There may have been significant personnel changes later in 2011, and it is entirely possible that the activists who shared membership in the SCS and the SEA left at that point. The second phase of the group was much more shadowy, international and varied in its technical aptitude.

The group’s methods have been multi-pronged, from website defacement and redirects, to propaganda posting on Facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian opposition. Recent operations have been heavily focused on compromising the social media accounts of news organizations and celebrities.

In April of 2013 the SEA conducted spearphishing attacks (targeted emails designed to steal user credentials and other data) which resulted in its obtaining control of the Associated Press Twitter account, which it used to spread a false story about an explosion at the White House that had injured the President.


The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of its Twitter account and retract the false story.


This method of attack has proven to be both high profile and high impact, and the group seems to have generally shifted its focus onto compromising social media accounts. These compromises have varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week there has been a compromise of CNN’s Twitter account and website, used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.



The Syrian Electronic Army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous and a state-sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, the SEA concentrates on propaganda operations instead of espionage for military or economic ends. In this sense it bears some similarity to groups like the Chinese Honker Union, and to the Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing its operations in other Arab states, and continues to provide accommodation for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.

Dan Gifford – MCySec Media Manager



Flames of the Dragon: A Profile of the PRC’s Cyber Situation

Since February of last year when the Mandiant Report was released, China has been at the forefront of cyber security news. It has become apparent that the PRC is waging all-out economic warfare through the use of widespread cyber espionage, intellectual property theft and massive data-exfiltration operations. China has a long history of copy-cat behavior and convoluted laws regarding intellectual property rights which support their various motivations for engaging in cyber espionage. Although much of this activity has been attributed to the Comment Crew (also referred to as APT1 by Mandiant), there are several organizations within the PRC’s hierarchy that contribute to these cyber intelligence operations.

There is also a looming concern over the PRC’s rapid expansion of its cyber-warfare capabilities. China appears focused on using its advances in cyber to balance the disparity with the U.S.’s traditional military technology and to add an additional layer to its anti-access strategy. A more frightening prospect is a build-up of military strategy that supports preemptive cyber-attacks, which could lead to a cyberwar between the U.S. and China. This scenario may seem unlikely, but the NSA claims to have foiled several Chinese cyber-attack attempts and there are reports of other recent cyber-attacks against the U.S. power grid.

The U.S. is not the only country that is concerned with China’s cyber behavior. The U.K. has addressed the PRC’s cyber espionage and expressed concern over the intentions of China’s Huawei Telecommunications company. Other European countries have accused China of accessing their foreign ministries as well. Mongolia has managed to join China’s target list, having received a recent barrage of attacks, most likely in response to Mongolia’s outreach to Western nations. However, China’s cyber-attacks are not focused entirely on foreign nations. One of China’s primary targets for offensive cyber action is its own Tibet Autonomous Region. Several reports state that Tibet has become ground zero for Chinese hackers and cyber-attacks in the PRC’s hunt for political dissidents within the region.

The PRC is committed to denying allegations that their central government is behind these cyber-attack and cyber-espionage campaigns. Several authorities within the U.S. also have expressed doubts over the hype of cyber escalation between the U.S. and China. The Obama administration has taken steps to initiate talks between the U.S. and China for improving cyber security between the two nations. The mood remains tense, especially following the revelations of Edward Snowden, with China accusing the U.S. of maintaining a double-standard in its behavior. Despite a steep decline in Chinese cyber activity following the release of Mandiant Report, China is back on the offensive with a resurgence of cyber-espionage efforts. It will be interesting to see where things go from here.

- by Ben Volcsko, Research Assistant

FBI Asking Tech Vendors to Install Backdoors

Wickr’s Nico Sell has disclosed in a PCMag article that she was approached by the FBI at a security conference, and that an agent casually asked if she would be willing to install a backdoor for them in her company’s encrypted communication app. Sell refused, saying that even if the claims of the FBI are legitimate, “It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.”

Wickr’s laudable stance aside, the question remains as to how many other technology companies have been more forthcoming with granting access to state agencies. If an approach is made to every major app developer, how many of the apps on your phone can you trust? And if one is compromised, and has rights to read all information on the machine, is everything else likewise compromised?

For All of You Sinophiles Out There…

The Australian Strategic Policy Institute (ASPI) produced a great report on the People’s Republic of China’s cyber intelligence capabilities. Titled Enter the Cyber Dragon: Understanding Chinese Intelligence Agencies, this report is a great starting point for getting a grip on what the PRC is up to in the world of cyber espionage.

- by Ben Volcsko, Research Assistant

Cyber Threats to the Global Oil Supply Chain

The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries do seem substantial. The author is a little off base in suggesting that Stuxnet-type weapons could be used to attack oil systems: the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a Stuxnet-level weapon would probably be overkill. Even so, despite the significant exposure of often unprotected systems to the internet and other avenues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capabilities to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level; the group has concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than the technical expertise that would be necessary to deploy custom attack tools against SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.

Dan Gifford – MCySec Media Manager


The Sunshop Digital Quartermaster – a State Cyber-Espionage Armory?

Cyber-security research firm FireEye has published a new report alleging that a single actor may be providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point-and-click interfaces rather than advanced coding skills.

FireEye first discovered the digital breadcrumbs leading to this conclusion while examining the Sunshop watering-hole attack, which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups connected through the investigation were found to share resources in various combinations, among them: portable executable resources, pilfered digital certificates, API import tables, compile times, and C2 (command and control) infrastructure. FireEye’s highest-confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns also use malware obtained from the digital black market, most of them are heavily reliant on tools which are not available in the criminal internet underground and almost certainly originated with a single source, this “SDQ”. FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence within the code samples analyzed in the report that there is a single originating source for the tools.
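The linking technique described above (clustering campaigns by the build and infrastructure artifacts their samples share) can be reproduced in miniature. The following is an added example written for this post, not FireEye's tooling; the campaign names, hashes, timestamps and domains are constructed placeholders, and the weights assigned to each artifact class are an assumption (a stolen signing certificate or a shared C2 domain is treated as far stronger evidence than a coincident compile timestamp).

```python
"""Link malware campaigns through shared build and infrastructure artifacts.

Added example (not FireEye's code). Every record below is CONSTRUCTED for
illustration; names, hashes, timestamps and domains are placeholders.
"""
from collections import defaultdict
from itertools import combinations

# One sample per record, attributed to a campaign, carrying the artifact
# classes the Sunshop report describes: PE resource hash, signing certificate,
# import-table hash, compile timestamp and C2 domain. Constructed data.
SAMPLES = [
    {"campaign": "APT-A", "pe_resource": "res-1a", "cert": "cert-X",
     "imphash": "imp-7", "compiled": "2013-05-02T09:14", "c2": "a.example.test"},
    {"campaign": "APT-B", "pe_resource": "res-2b", "cert": "cert-X",
     "imphash": "imp-9", "compiled": "2013-06-11T17:02", "c2": "b.example.test"},
    {"campaign": "APT-C", "pe_resource": "res-3c", "cert": "cert-Y",
     "imphash": "imp-9", "compiled": "2013-05-02T09:14", "c2": "c.example.test"},
    {"campaign": "APT-D", "pe_resource": "res-4d", "cert": "cert-Z",
     "imphash": "imp-4", "compiled": "2013-08-20T01:30", "c2": "c.example.test"},
    {"campaign": "APT-E", "pe_resource": "res-5e", "cert": "unsigned",
     "imphash": "imp-2", "compiled": "2013-09-01T11:45", "c2": "e.example.test"},
]

# Assumed evidence weights: a stolen code-signing cert or a C2 domain is far
# more specific than an import hash or a compile time two builders could share.
WEIGHTS = {"cert": 3, "c2": 3, "pe_resource": 2, "imphash": 1, "compiled": 1}


def shared_artifacts(samples):
    """Map (artifact_class, value) -> set of campaigns that used that value."""
    index = defaultdict(set)
    for s in samples:
        for cls in WEIGHTS:
            index[(cls, s[cls])].add(s["campaign"])
    return index


def link_scores(samples):
    """Score every campaign pair by the weighted artifacts they share.

    Returns (scores, evidence): scores[(a, b)] is the summed weight, and
    evidence[(a, b)] lists the 'class=value' artifacts behind that score.
    """
    scores = defaultdict(int)
    evidence = defaultdict(list)
    for (cls, value), campaigns in shared_artifacts(samples).items():
        if len(campaigns) < 2:
            continue  # an artifact seen in one campaign links nothing
        for a, b in combinations(sorted(campaigns), 2):
            scores[(a, b)] += WEIGHTS[cls]
            evidence[(a, b)].append(f"{cls}={value}")
    return scores, evidence


def clusters(samples, threshold=3):
    """Union-find over campaign pairs whose link score meets the threshold."""
    scores, _ = link_scores(samples)
    parent = {s["campaign"]: s["campaign"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), score in scores.items():
        if score >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in parent:
        groups[find(c)].add(c)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    scores, evidence = link_scores(SAMPLES)
    for pair in sorted(scores):
        print(pair, scores[pair], evidence[pair])
    print("clusters:", clusters(SAMPLES))
```

With the constructed data, APT-A and APT-B are joined by the shared certificate and APT-C and APT-D by the shared C2 domain, while the lone import-hash and compile-time coincidences stay below the threshold; lowering the threshold to 1 collapses all four into one cluster, which is exactly the informal-sharing ambiguity FireEye acknowledges.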

Dan Gifford – MCySec Media Manager

Red October(?) Evolves, Hits Finnish Foreign Ministry

The Red October RAT (Remote Access Tool), which has been extensively analyzed by Kaspersky, appears to have continued its development. The Finnish Foreign Ministry has disclosed that it was the victim of a penetration that had been going on for over four years. The tool used in the attack was specifically described as “not Red October”, though there were similarities. The research and analysis of the attack is ongoing, but it appears to have first been detected earlier this year. The attack targeted data traffic between the Ministry and the EU, and the Finns have rather nebulously said that they believe “China or Russia” is the originating actor.

“Paunch” Punches Out, Blackhole Kit Hits the Rocks

The Blackhole Exploit Kit, one of the more popular methods of delivering criminal malware to unsuspecting users, has run into a number of difficulties in the last few days. The leading crimeware kit, which has usually been updated as often as twice a day to stay ahead of antivirus detection rules, has not been updated in over a week. This comes amid rumors of the arrest in Russia of “Paunch”, the kit’s creator. Russian authorities have confirmed the arrest to Europol and news agencies.

The Blackhole kit is by far the most popular exploit kit in recent use, and typically operates by using compromised sites to redirect unsuspecting surfers to a landing page that foists Java exploits and criminal malware on them, though it has also been used to attack users through phishing emails with links to malicious sites. The payloads themselves come from other crimeware families (the Zeus banking trojan is a standout in this category); the job of the Blackhole kit and similar programs is to serve those payloads to users by exploiting Java and other browser plugin vulnerabilities. The arrest of “Paunch” will no doubt lead to the market migrating to other service providers. It must be remembered that this niche is incredibly lucrative: user licenses for Blackhole cost up to $50 per day, or $500 per month.
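The delivery chain just described (compromised site, cross-site redirect to the kit's landing page, Java exploit archive, then an executable payload from the same host) is visible in web proxy logs, and that sequence is a more robust detection than any single signature the kit's twice-daily updates are designed to evade. The following is an added example written for this post, not Blackhole's code or any vendor's rule: the log format, every host, path and client address are constructed, and the 30-second and 60-second windows are assumed values a practitioner would tune to their own traffic.

```python
"""Flag drive-by exploit-kit chains in web proxy logs:
compromised site -> landing page (cross-site referer) -> Java archive -> executable.

Added example, not part of the original post. The log format and every host,
path and address below are CONSTRUCTED; the time windows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO time> <client> <method> <url> <status> <content-type> <referer>"
# Client 10.0.0.5 is pulled from a news site to a kit host; 10.0.0.9 just browses.
LOG = """\
2013-10-10T14:02:01 10.0.0.5 GET http://news.example.test/article.html 200 text/html -
2013-10-10T14:02:02 10.0.0.5 GET http://cdn-stat.example.test/x.php?id=9 200 text/html http://news.example.test/article.html
2013-10-10T14:02:04 10.0.0.5 GET http://cdn-stat.example.test/load.jar 200 application/java-archive http://cdn-stat.example.test/x.php?id=9
2013-10-10T14:02:07 10.0.0.5 GET http://cdn-stat.example.test/w.php?f=4 200 application/x-msdownload -
2013-10-10T14:05:30 10.0.0.9 GET http://news.example.test/article.html 200 text/html -
2013-10-10T14:05:31 10.0.0.9 GET http://news.example.test/applet/game.jar 200 application/java-archive http://news.example.test/article.html
2013-10-10T14:06:02 10.0.0.9 GET http://news.example.test/sports.html 200 text/html http://news.example.test/article.html
"""


def parse(log_text):
    """Parse the constructed log format into one dict per request."""
    rows = []
    for line in log_text.splitlines():
        ts, client, method, url, status, ctype, ref = line.split(" ", 6)
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlsplit(url).hostname,
            "ctype": ctype,
            "ref_host": urlsplit(ref).hostname if ref != "-" else None,
        })
    return rows


def is_java(r):
    """Java archive by MIME type or extension (the kit's exploit carrier)."""
    return r["ctype"] == "application/java-archive" or urlsplit(r["url"]).path.endswith(".jar")


def is_exe(r):
    """Windows executable by MIME type or extension (the delivered payload)."""
    return r["ctype"] == "application/x-msdownload" or urlsplit(r["url"]).path.lower().endswith(".exe")


def find_chains(rows, landing_window=30, payload_window=60):
    """Return one record per client for which the full redirect->jar->exe chain is seen.

    A lone .jar is normal (applets, games); the chain requires an HTML landing
    page on the jar's host reached via a referer on a DIFFERENT host shortly
    before the jar, and an executable from the same host shortly after it.
    """
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for jar in filter(is_java, reqs):
            host = jar["host"]
            landing = [r for r in reqs
                       if r["host"] == host and r["ctype"].startswith("text/html")
                       and r["ref_host"] and r["ref_host"] != host
                       and timedelta(0) <= jar["ts"] - r["ts"] <= timedelta(seconds=landing_window)]
            payload = [r for r in reqs
                       if r["host"] == host and is_exe(r)
                       and timedelta(0) < r["ts"] - jar["ts"] <= timedelta(seconds=payload_window)]
            if landing and payload:
                chains.append({"client": client, "compromised_site": landing[0]["ref_host"],
                               "kit_host": host, "exploit": jar["url"], "payload": payload[0]["url"]})
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse(LOG)):
        print(chain)
```

On the constructed log only 10.0.0.5 is flagged: its jar was preceded by a landing page reached from a different site and followed by an executable from the same host, while 10.0.0.9's applet has a same-site referer and no payload follows it. In practice the referer is often stripped, so a production version would also accept a landing page with no referer if it was the client's first request to that host.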

Dan Gifford – MCySec Media Manager