‘Massive’ Russian Cyber Crime Campaign Hit Governments

A gang of Russian cyber criminals has been carrying out a large-scale cyber attack campaign against organisations including government and transport bodies, according to security firm Websense.

Using the Mevade malware, which has Tor command and control functionality to hide its operations, the crooks went after entities in the US, UK, Canada and India, the security firm says. The campaign started around 23 July, and may also have involved actors in Ukraine.

Hundreds infected in cyber campaign

“This campaign has infected hundreds of organisations and thousands of computers worldwide and appears to be used for a variety of purposes, including redirecting network traffic and click fraud, as well as search result hijacking,” Websense wrote in a blog post.

See below for a geographical breakdown of the cyber campaign, with targets in blue, and command and control infrastructure in red:

Besides disabling anti-virus software, the malware used several tricks to evade detection. It checked for the presence of Sandboxie, a tool researchers use to analyse malware, and for Oracle VirtualBox services, so it could tell whether it was running in a sandbox or a virtual machine.

It also used a lightweight proxy called 3proxy, which let the attackers relay commands through the malware and directly onto the target network, Websense said.

“In these cases, the Proxy is configured as a reverse proxy, with the ability to tunnel through NAT (Network Address Translated) environments to create a connection to the attacker’s infrastructure and initiate a backdoor directly into the target network (in this case, using SSL over port 443),” the company added.

“The use of reverse proxies indicates that the cyber-criminals plan to manually scan a network and move laterally towards more critical apps and information (such as databases, critical systems, source-code, and document repositories) than might exist on the original machine that has been compromised.”
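The reverse-proxy backdoor Websense describes has a network footprint a defender can look for: an internal host opens an outbound TLS connection on port 443 that stays up for a long time and, because the attacker's commands and scan traffic come in through the tunnel while the responses go out, carries far more data outward than a normal page load would. The script below is an added example (it is not Websense's tooling or anything from the Mevade analysis) that scores constructed firewall flow records against those two heuristics. The log format, the IP addresses and the thresholds (`MIN_DURATION`, `MIN_UPLOAD_RATIO`) are all assumptions chosen for illustration and would need tuning against real baseline traffic.

```python
"""Heuristic detection of reverse-proxy style tunnels in outbound flow logs.

Added example, not Websense's code.  Each record is assumed to be a
comma-separated line:

    start_epoch,end_epoch,src_ip,dst_ip,dst_port,bytes_out,bytes_in

Normal browsing to 443 is short-lived and download-heavy (bytes_in much larger
than bytes_out).  A tunnel that lets an attacker reach into the network tends to
be long-lived and upload-heavy, because responses to the attacker's commands
and scans flow outward.  Either sign alone is common (backups, streaming);
both together on the same flow is what the detector flags.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds; tune against your own baseline.
MIN_DURATION = 15 * 60   # seconds: page loads finish in seconds, tunnels stay up
MIN_UPLOAD_RATIO = 1.0   # bytes_out / bytes_in: browsing sits well below 1


@dataclass(frozen=True)
class Flow:
    start: int
    end: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

    @property
    def duration(self) -> int:
        return self.end - self.start


def parse_flow_log(text: str) -> list[Flow]:
    """Parse the assumed CSV flow format; '#' starts a comment, blank lines are skipped."""
    flows: list[Flow] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        start, end, src, dst, dport, b_out, b_in = fields
        flows.append(Flow(int(start), int(end), src, dst, int(dport), int(b_out), int(b_in)))
    return flows


def score_flow(flow: Flow) -> list[str]:
    """Return the list of tunnel indicators present on one TLS/443 flow."""
    reasons: list[str] = []
    if flow.dport != 443:
        return reasons
    if flow.duration >= MIN_DURATION:
        reasons.append(f"long-lived ({flow.duration}s)")
    ratio = flow.bytes_out / flow.bytes_in if flow.bytes_in else float("inf")
    if ratio >= MIN_UPLOAD_RATIO:
        reasons.append(f"upload-heavy (out/in={ratio:.1f})")
    return reasons


def find_tunnel_candidates(flows: list[Flow], min_reasons: int = 2) -> dict[tuple[str, str], list[tuple[Flow, list[str]]]]:
    """Group flows that trip at least `min_reasons` indicators by (src, dst) pair."""
    hits: dict[tuple[str, str], list[tuple[Flow, list[str]]]] = defaultdict(list)
    for flow in flows:
        reasons = score_flow(flow)
        if len(reasons) >= min_reasons:
            hits[(flow.src, flow.dst)].append((flow, reasons))
    return dict(hits)


# Constructed sample data using documentation address ranges; not real traffic.
SAMPLE_LOG = """
# start,end,src,dst,dport,bytes_out,bytes_in
1374500000,1374500012,10.0.1.20,203.0.113.10,443,2100,184000        # ordinary page load
1374500100,1374500105,10.0.1.21,203.0.113.11,443,900,52000          # ordinary page load
1374500200,1374512200,10.0.1.22,198.51.100.7,443,61000000,2900000   # 200 min, out-heavy
1374500300,1374500900,10.0.1.23,203.0.113.12,443,450000000,120000   # 10 min bulk upload
1374500400,1374520400,10.0.1.24,203.0.113.13,443,30000,4100000      # long download/stream
1374500500,1374500560,10.0.1.22,198.51.100.7,80,300,12000           # not TLS, ignored
"""


def main() -> None:
    for (src, dst), matches in find_tunnel_candidates(parse_flow_log(SAMPLE_LOG)).items():
        for flow, reasons in matches:
            print(f"{src} -> {dst}:{flow.dport}  {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Run on the constructed sample, only the 10.0.1.22 to 198.51.100.7 flow trips both indicators; the bulk upload and the long download each trip one and are left alone, which is the point of requiring the two signals together. In practice you would feed real flow exports through `parse_flow_log` and treat a hit as a lead to correlate with process and DNS data on the source host, not as a verdict.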


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
