Poseidon Group: a malware business with hard-nosed tactics

Poseidon Group: for the first time, a large-scale espionage campaign whose primary language is Brazilian Portuguese, targeting financial institutions, telecommunication organizations, industrial companies, energy providers and the media

Kaspersky Lab's Global Research and Analysis Team announced the discovery of the Poseidon Group, an advanced threat actor that has been conducting global espionage operations since at least 2005. What sets the Poseidon Group apart is that it is a "commercial" entity: its attacks use custom malware, digitally signed with forged certificates, designed to steal sensitive data from victims, which is then used to coerce them into a business relationship. In addition, the malware is designed to run specifically on Windows computers with English and Brazilian Portuguese locales, a first in the history of targeted attacks.

At least 35 victim organizations have been identified, with major targets including financial and governmental organizations, telecommunications providers, industrial companies, energy companies and other utilities, as well as mass media and PR firms. Kaspersky Lab specialists have also identified attacks on service providers catering to top executives. Victims of this group have been identified in the following countries:

  • USA
  • France
  • Kazakhstan
  • United Arab Emirates
  • India
  • Russia

However, the distribution of the victims reportedly points to Brazil, where many of the victims have joint ventures or business partnerships.

One of the characteristics of the Poseidon Group is the active exploration of domain-based corporate networks. According to Kaspersky Lab's analysis, the Poseidon Group relies on spear-phishing emails carrying RTF/DOC files (usually using HR topics as bait), which drop a malicious binary onto the target's system as soon as the target opens them. Another important finding is the presence of the Brazilian Portuguese language: the group's preference for Portuguese-language systems, as revealed by the samples, is a practice that has not been observed before.

Once a computer is infected, the malware reports to the command and control servers before starting a complex "lateral movement" phase. In this phase, a specialized tool is often used that automatically and aggressively collects a wide range of information, including credentials, group management policies and even system logs, in order to better prepare further attacks and ensure the malware keeps running. This way, the attackers know exactly which applications and commands they can use without raising an alarm for the network administrator during the lateral movement and data exfiltration processes.

The information gathered is then used by a "security firm" to convince victim companies to hire the Poseidon Group as a security adviser, under the threat of using the stolen information in a series of suspicious business deals for the benefit of the Poseidon Group.

"The Poseidon Group has a long-term effect in many areas. Some of its command and control centers have been located at Internet connection providers who offer their services to ships at sea, wireless connections, as well as traditional carriers," said Dmitry Bestuzhev, Director of Kaspersky Lab's Global Research and Analysis Team in Latin America. "In addition, many of the 'implants' they use have a very short life span, which has allowed this group to operate for a very long time without being identified."

As the Poseidon Group has been active for at least ten years, the techniques used to design its implants have evolved, making it difficult for many researchers to correlate markers and "complete the puzzle" of the case. However, by carefully collecting all the evidence, studying the threats and reconstructing the attacker's timeline, Kaspersky Lab's experts managed to prove in mid-2015 that traces previously identified but never attributed actually belonged to the same threat actor, the Poseidon Group.

Kaspersky Lab products detect and remove all known malware versions of the Poseidon Group.

The full report on the activity of the Poseidon Group, which includes a detailed description of the malicious tools and indicators of compromise, is available on the Securelist.com website.


Written by Dimitris
