Blue Termite: organizations of Japan pushes for a sophisticated campaign cyberszpiegowskiej

Kaspersky Lab informs about the detection of the campaign cyberszpiegowskiej Blue Termite, aiming for at least two years were hundreds of organizations in Japan. Cybercriminals prey on the confidential information, using the niezałataną software vulnerability Flash Player and sophisticated malicious program that is adapted to each victim. This is the first known to Kaspersky Lab operation cyberszpiegowska, which is focused on in Japan, and is still active.


In October 2014, Kaspersky Lab researchers hit the previously unknown malware sample, which stood out from its complexity. Further analysis showed that this sample constitutes only a small element of a large and sophisticated campaign cyberszpiegowskiej-Blue Termite.


List of affected industries and institutions include: governmental organizations, heavy industry, financial industry, chemical, media, educational organizations, food industry, medical organizations and others. The results of the investigation indicate that the campaign is active for about two years.

Different techniques of infection

People behind the campaign Blue Termite use several techniques to infect their victims. Before July 2015, the party used mainly targeted phishing emails (so-called spear-phishing), or sending malware as an email attachment, which could draw the attention of the victim. However, in July, cyber criminals changed their tactics and began to spread malicious software by using a malicious program that uses niezałataną vulnerability in Flash Player (the same that earlier this year leaked in as a result of an incident related to the Organization of the Hacking Team).


The attackers have modified several Japanese websites, so that visiting them people automatically download malicious code and were infected. This technique is called attack drive-by-download. There was also a sample profiling victims. One of the modified pages belonged to a known member of the Japanese Government, the other contained malicious script that odfiltrowywał visitors from all IP addresses except for one belonging to a specific organisation. In other words, the function was provided only to selected users.

Unique malware for each victim and language tracks

After successful infection on the targeted machine is installed a sophisticated trojan that gives criminals control over the victim's computer, and can m.in. steal passwords, download and install further harmful programs and execute commands.


One of the most interesting aspects of the malware used by the group behind the campaign, Blue Termite is that each victim is delivered unique malware sample, designed in such a to be run only on the specified computer. According to researchers from Kaspersky Lab this was to impede the experts. safety analysis and detecting this pest.


Still do not know who is behind this attack. As usual in the case of sophisticated cyber-attacks, to identify the responsible person is a very complex task. However, Kaspersky Lab researchers have managed to collect a few traces of the language in the code – graphical interface cyberprzestępczego server control and several technical documents related to the malware used in the operation of the Blue Termite It is written in the Chinese language.


After the Assembly information confirming that the Blue Termite is the campaign cyberszpiegowską the tarmac in Japanese organizations, representatives of the Kaspersky Lab reported on its findings to local law enforcement authorities. Operation Blue Termite is still active, so Kaspersky Lab still leads the investigation in this case.

"Although the Blue Termite is not the only cyberszpiegowską campaign, which targets are located in Japan, this is the first known to Kaspersky Lab operation that focused strictly on the organizations of that country. Events related to the Blue Termite were publicized in Japan at the beginning of June 2015, when took place the official Japanese pension fund. Since then, Japanese organizations have started to implement measures of protection, however, cyber criminals have begun to use the new method of attacks and effectively extend its reach, "said Suguru Ishimaru, a researcher. IT security, Kaspersky Lab.

  • Kaspersky Lab products successfully detect and block malicious software used in the campaign cyberszpiegowskiej Blue Termite.
  • Technical details about the campaign cyberszpiegowskiej Blue Termite are available on SecureList.pl conducted by Kaspersky Lab: http://r.kaspersky.pl/blue_termite.
  • For more information about the advanced cyberzagrożeniach contains the Chronicle of targeted attacks conducted by Kaspersky Lab: https://apt.securelist.com/pl.
  • Kaspersky Lab has prepared also the film "Hunting the hunters" showing the process of sophisticated cyber attacks targeted: https://youtu.be/nRJEEB6GeVo.

Source: Kaspersky Lab



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.