Servers in the UK and US appear to be behind a host of cyber-attacks on former USSR countries
Security firm Trend Micro has discovered a web of advanced, persistent, targeted attacks which have compromised 1,465 computers in 61 countries.
The attacks use the “Lurid Downloader”, often referred to as Enfal, which is a well-known malware family. The toolkit cannot be purchased on the open black hat market but has been used in the past to target US organisations.
Shades Of The Cold War
In the current wave of attacks, the main targets are in Russia, Kazakhstan and Vietnam, with some former Soviet Union states (Commonwealth Independent States) also under attack. India and Mongolia also saw some Lurid activity.
Trend Micro said that it has been able to identify 47 victims so far and these include diplomatic missions, government ministries, space-related government agencies and other companies and research institutions – which hints at a nation state being behind the Lurid attacks. Servers running the attack appear to be located in the UK and US, Trend Micro’s Rik Ferguson told The Register.
Reporting in the Trend Micro blog, senior threat researchers David Sancho and Nart Villeneuve wrote: “As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artefacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible.
“Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets,” they concluded.
The current wave of exploits mirrors the Operation Aurora cyber-attack on Google and other companies which, for Google, lasted several months in 2009 and gave rise to the name Advanced Persistent Threats (APTs). Adobe Systems, Juniper Networks and Rackspace publicly confirmed being targeted. According to reports in the press, Yahoo, Symantec, Northrop Grumman, Dupont, Morgan Stanley and Dow Chemical were also targeted.
According to McAfee, who first publicised Aurora, the aim was to gain access to source code repositories at these high tech, security and defence contractor companies.
Uncovering such attacks is a vital part of security researchers work because it gives a better understanding of the challenges that defence systems face.
“Defensive strategies can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics and procedures of the threat actors behind such attacks. By effectively using threat intelligence derived from external and internal sources combined with security tools that empower human analysts, organisations are better positioned to detect and mitigate such targeted attacks,” Trend Micro said.