10 December 2014
A range of politicians and diplomats have been targeted by stealthy hackers, who have been trying to thrust malware onto dignitaries’ iPhone and Android devices as well as PCs with varying degrees of success since this summer, according to security researchers.
The “excessively paranoid” attackers covered their tracks remarkably well, leaving onlookers at a loss as to their identities, according to a report from security firm Blue Coat. But they did leave some clues: a number of hacked routers used to traffic their stolen data and a range of emails containing malicious links to their exploits. Most targets were based in Russia, though Snorre Fagerland, security researcher at Blue Coat, noted some infections were also found in Romania, Venezuela, and Mozambique. Kaspersky Lab, which has dubbed the attacks ‘Cloud Atlas’ rather than ‘Inception’ as Blue Coat labelled them, said today Kazakstan was home to the second-highest number of victims. Targets were also based in India, Belarus and the Czech Republic.
One target TGT +0.64% based at the government of Paraguay, thought to be associated with UN matters, was sent a phishing email in Spanish that contained download links for “WhatsApp updates” for four different mobile platforms, though Fagerland and his team only found three, one for Android, one iOS and one BlackBerry.
Researchers discovered, after picking up on the initial attacks in August 2014, the hackers were also sending multimedia phishing messages to mobile devices of targeted individuals hoping they would download their malicious kit. The networks of more than 60 mobile providers, including China Mobile , O2, Orange, SingTel , T-Mobile and Vodafone , were used to send those messages, according to Blue Coat.
“The various mobile malware we have found are all data stealers, some functionality of which not all has been fully analyzed yet. We know that they can and do collect a lot of information about the device and the user, and we know that at least the Android malware will record phone calls as MP4 files which will be uploaded to attackers,” Fagerland told Forbes.
He didn’t have exact figures on victims, as the Blue Coat research was based on gaining access to one of the popped routers used by the hackers. Fagerland estimated there are just above 100 live compromised machines connecting to the Inception team, making this as targeted as the Regin malware made public last month and declared the work of the NSA and GCHQ.
Though diplomats were the main targets, some victims worked in the oil and finance industries. Kaspersky also believes the Inception attackers are the same as those who perpetrated a previous campaign, Red October, which was also considered to be technically astounding. In one case, a diplomatic organisation was targeted only twice by digital attacks in two years, first by the Red October crew then by Inception.
Researchers have been impressed by the high-quality of operation security exercised by the Inception hackers. They hid their identities through constantly updating files, their paths and callback directories, whilst shifting their traffic through a large number of proxies, many of which were hacked routers. They also used infrastructure at cloud provider CloudMe to host their data.
Only guesses can be made as to their origin. Blue Coat suggested the attackers “could be a medium-sized nation state, or possibly a resourceful and professional private entity”. There are some suggestions of Chinese origin, though it’s impossible to do adequate attribution. In Blue Coat’s analysis, it found a variants of a malware component that was similar to those used by Chinese hackers in the past. One executable was a “classical” Chinese implant – a downloader for further malware.
But Kaspersky Lab noted Chinese-speaking attackers normally relocate their operations once they’ve been exposed. In the case of Inception, or Red October, they disappeared before coming out of hibernation this summer.
Source – http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/