Poseidon Group: a malware business with a hard-nosed approach

Poseidon Group: for the first time, a large-scale espionage campaign whose primary language is Brazilian Portuguese, targeting financial institutions, telecommunications organizations, industrial companies, energy providers and the media

Kaspersky Lab's Global Research and Analysis Team has announced the discovery of the Poseidon Group, an advanced threat actor that has been conducting global cyber-espionage operations since at least 2005. What sets the group behind Poseidon apart is that it is a "commercial" entity: its attacks involve custom malware, digitally signed with forged certificates, designed to steal sensitive data from victims in order to coerce them into business relationships. In addition, the software is designed to run specifically on computers with Windows installed in English or Brazilian Portuguese, a first in the annals of targeted attacks.

At least 35 victim enterprises have been identified, with major targets including financial and governmental organizations, telecommunications providers, industrial companies, energy companies and other utilities, as well as mass media and PR firms. Kaspersky Lab specialists have also identified attacks on service providers that cater to top executives. Victims of this group have been identified in the following countries:

  • USA
  • France
  • Kazakhstan
  • United Arab Emirates
  • India
  • Russia

However, the distribution of the victims reportedly points to Brazil, where many of the victims have joint ventures or business partnerships.

One of the hallmarks of the Poseidon Group is its active exploration of domain-based corporate networks. According to Kaspersky Lab's analysis, the Poseidon Group relies on spear-phishing emails carrying RTF/DOC attachments (usually using human-resources topics as the lure), which drop a malicious binary onto the target's system as soon as the victim tries to open them. Another important finding is the presence of the Brazilian Portuguese language: the group's preference for Portuguese-language systems, as revealed by the samples, is a practice that has not been observed before.

Once a computer is infected, the malware contacts its command and control servers before launching a complex lateral-movement phase. At this stage, a specialized tool is often deployed that automatically and aggressively collects a wide range of information, including credentials, group management policies and even system logs, in order to prepare further attacks and ensure the malware keeps running. In this way the attackers know exactly which applications and commands they can use without alerting the network administrator during lateral movement and data exfiltration.
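The infection chain described in the two paragraphs above (an Office lure dropping a binary, followed by a burst of domain reconnaissance) can be turned into a simple detection rule. The following is an added example written for this article, not code from Kaspersky Lab or from the Poseidon report; the process-creation events, paths and thresholds are constructed for illustration.

```python
"""Toy detector for the described chain, run over constructed process-creation
events: a Word/WordPad process (the RTF/DOC lure) spawning a new executable
from a user-writable path, followed shortly by several domain-reconnaissance
commands (credentials, group policy, event logs) from that dropped process."""
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "wordpad.exe"}                     # lure-opening processes
RECON = {"net.exe", "gpresult.exe", "wevtutil.exe", "nltest.exe"}  # recon commands
USER_PATHS = ("c:\\users\\", "c:\\programdata\\")          # user-writable drop locations

# Constructed sample events: (ISO timestamp, pid, parent pid, image path)
EVENTS = [
    ("2016-02-09T10:00:00", 400, 1, r"C:\Windows\explorer.exe"),
    ("2016-02-09T10:00:05", 412, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("2016-02-09T10:00:09", 420, 412, r"C:\Users\alice\AppData\Local\Temp\hr_update.exe"),
    ("2016-02-09T10:00:20", 430, 420, r"C:\Windows\System32\net.exe"),
    ("2016-02-09T10:00:25", 431, 420, r"C:\Windows\System32\gpresult.exe"),
    ("2016-02-09T10:00:40", 432, 420, r"C:\Windows\System32\wevtutil.exe"),
    ("2016-02-09T11:30:00", 500, 400, r"C:\Windows\System32\notepad.exe"),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_office_drops(events):
    """Map pid -> start time for executables spawned by an Office/WordPad
    process from a user-writable path (the dropped payload of the lure)."""
    by_pid = {pid: (ts, ppid, img) for ts, pid, ppid, img in events}
    drops = {}
    for ts, pid, ppid, img in events:
        parent = by_pid.get(ppid)
        if parent and basename(parent[2]) in OFFICE and img.lower().startswith(USER_PATHS):
            drops[pid] = datetime.fromisoformat(ts)
    return drops

def detect(events, window=timedelta(minutes=5), min_recon=2):
    """Return (pid, recon commands) for dropped binaries that launched at least
    min_recon distinct reconnaissance commands within the time window."""
    hits = []
    for pid, t0 in find_office_drops(events).items():
        recon = {basename(img) for ts, p, ppid, img in events
                 if ppid == pid and basename(img) in RECON
                 and t0 <= datetime.fromisoformat(ts) <= t0 + window}
        if len(recon) >= min_recon:
            hits.append((pid, sorted(recon)))
    return hits

if __name__ == "__main__":
    for pid, cmds in detect(EVENTS):
        print(f"suspicious dropper pid={pid} ran recon: {', '.join(cmds)}")
```

Real deployments would feed Sysmon or EDR process-creation events into the same logic and tune the window and threshold to the environment.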

The information gathered is then exploited by a front "security firm" to convince victim companies to hire the Poseidon Group as a security adviser, under the threat of using the stolen information in a series of dubious business deals for the benefit of the Poseidon Group.

"The Poseidon Group has long-lasting action in many areas. Some of its command and control centers have been found in Internet connectivity providers that offer their services to sea-going vessels, wireless connections as well as traditional carriers," said Dmitry Bestuzhev, Director of Kaspersky Lab's Global Research and Analysis Team in Latin America. "In addition, many of the 'implants' they use have a very short life span, which has allowed this group to operate for a very long time without being identified."

As the Poseidon Group has been active for at least ten years, the techniques used to build its implants have evolved, making it difficult for many researchers to correlate indicators and "complete the puzzle" of the case. However, by carefully collecting all the evidence, studying the threats and reconstructing the attacker's timeline, Kaspersky Lab's experts managed to establish in mid-2015 that traces previously identified, but not attributed, in fact belonged to the same threat actor, the Poseidon Group.

Kaspersky Lab products detect and remove all known malware versions of the Poseidon Group.

The full report on the activities of the Poseidon Group, including a detailed description of the malicious tools, statistics and indicators of compromise, is available on Securelist.com.

Written by Dimitris
