The latest cyber-espionage tactics: complexity and modularity versus functionality

Attacks by government-sponsored cybercriminal groups are becoming more sophisticated: they hit carefully selected targets, use complex, modular tools and effectively avoid detection. Kaspersky Lab experts have looked at the new tactics used by the most advanced attackers.

These new trends were confirmed during a detailed analysis of the EquationDrug cyber-espionage platform, used in the recently disclosed Equation operation. Kaspersky Lab specialists have determined that, as security researchers have had more and greater success in exposing groups conducting advanced persistent threat (APT) attacks, the most advanced threat actors now seek to add to their malicious platforms components that enhance functionality while at the same time making the malicious activity harder to detect.

The latest cybercriminal platforms contain multiple modules and plug-ins that let them perform a range of functions, depending on the target and the information at their disposal. Kaspersky Lab estimates that EquationDrug has 116 such plug-ins.

"Government-sponsored groups seek to build more stable, invisible, reliable and versatile cyber-espionage tools. They focus on creating frameworks for wrapping this code into something that can be adapted to individual needs on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users," explains Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. "The sophistication of these frameworks makes this type of attack different from that of traditional cybercriminals, who focus on malicious features and direct financial gain."

Other characteristics that distinguish the tactics of government-sponsored cybercriminals from those of traditional malicious actors include:

  • Scale. Traditional cybercriminals send mass emails containing malicious attachments or infect websites on a large scale, whereas government-sponsored groups prefer highly targeted attacks carried out with surgical precision, so that only a handful of selected users are infected.
  • Individual approach. While traditional cybercriminals usually reuse publicly available source code, such as that of the infamous ZeuS or Carberp Trojans, government-sponsored groups create unique, customized malware and even build in restrictions that prevent it from being decrypted and run outside the target computer.
  • Extraction of valuable information. Cybercriminals usually try to infect as many users as possible. They lack the time and storage space, however, to manually inspect every infected machine, work out who owns it, what data it stores and what software it runs, and then upload and store all potentially interesting data. As a result, they build all-in-one malicious programs that extract only the most valuable information from victims, such as passwords and credit card numbers; this activity can lead to their rapid identification by security software. Government-sponsored groups, on the other hand, have the resources to store data without restriction. To avoid drawing the attention of security software and to remain invisible to it, they try not to infect casual users; instead, they use remote system-management tools that can copy any information they need in any quantity. This can, however, turn against them, because moving huge amounts of data can slow down the network connection and arouse suspicion.

"It may seem remarkable that such an advanced cyber-espionage platform as EquationDrug does not offer all the theft capabilities as standard in its code. This is because the attackers prefer to customize the attack to each individual victim. If they want to actively monitor a user, and the security products on the machine have been 'disarmed', the user will get a plug-in for live tracking of his conversations or other features related to his activity. We believe that modularity and personalization will become a unique hallmark of government-sponsored attackers in the future," summarizes Costin Raiu.

EquationDrug is the main espionage platform of the Equation Group. It was used for more than a decade, but has to a large extent been replaced by the even more sophisticated GrayFish platform. The tactical trends confirmed in the analysis of EquationDrug were first observed by Kaspersky Lab experts during their studies of the The Mask/Careto and Regin cyber-espionage campaigns.

Kaspersky Lab products detected and blocked a series of Equation Group attacks; many of them were caught by the Automatic Exploit Prevention technology, which is designed to block the exploitation of unknown vulnerabilities in operating systems and applications.

The latest study of the EquationDrug platform, conducted by Kaspersky Lab, is available in English:

Source: Kaspersky Lab
