NetTraveler – new cyber-espionage network

Posted: June 4, 2013 in IT Security News

Kaspersky Lab has announced the disclosure of a new cyber-espionage network, dubbed NetTraveler, which affected more than 350 computer systems in 40 countries.

The targets included public and private entities: government agencies, embassies, research centers, military organizations, oil and gas companies, as well as political activists.

According to investigations conducted by Kaspersky Lab experts, the espionage campaign was launched back in 2004, but its peak occurred in the period from 2010 to 2013. Recently, the attackers' interests have included industries such as space exploration, nanotechnology, energy (including nuclear), medicine and telecommunications.

Victims' computers were infected through phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Office (CVE-2012-0158 and CVE-2010-3333). Although Microsoft has released patches for these vulnerabilities, they are still widely exploited and are often used in targeted attacks. The attachment names demonstrate the targeted nature of the operation: the attackers adapted the name of the document each time they sent it to another organization, so as to induce the recipient to open the file.

During the investigation, Kaspersky Lab experts obtained access logs from NetTraveler's command-and-control servers, which were used to install additional malware on infected machines and to upload the stolen data. According to the Kaspersky Lab experts, the amount of stolen data on all NetTraveler servers is over 22 GB. The most common items among it are file system listings, keystroke logs and documents of various types: PDF, Excel, Word. In addition, the NetTraveler toolkit was found to include a backdoor capable of stealing other types of confidential information, including application configuration details and computer-aided design files.

Victims of the NetTraveler operation were found in 40 countries, including Russia, the U.S., Canada, Britain, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Japan, China (and its autonomous territory of Hong Kong), Mongolia, Iran, Turkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan, Jordan and others.

By comparing the data obtained from the NetTraveler command-and-control servers with data from the cloud-based Kaspersky Security Network (KSN), the experts identified the ten most affected countries. In descending order, the ranking is as follows: Mongolia, Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany.

In addition, the analysts found that six victims of the NetTraveler operation had previously been hit by another cyber-espionage campaign, "Red October", which Kaspersky Lab reported on in January 2013. Although no direct links between the organizers of NetTraveler and "Red October" were found, the fact that the same victims are targeted by different cyber spies indicates that they hold information of particular value to attackers.

The time interval between disclosures of cyber-espionage networks is getting smaller each time. Moreover, on detailed study, we see that different campaigns eventually intersect: they either use similar attack tools or choose the same victims, as in the case of NetTraveler and "Red October". All these facts indicate that cyber espionage is becoming more "mass" and will only continue to gain momentum.
