A series of hacking attacks hit 1,465 computers in 61 countries, targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia, but also in Vietnam and in Commonwealth of Independent States (CIS) countries.
The attacks are not particularly unusual compared with other stealthy, long-running hacking campaigns, said Rik Ferguson, Trend Micro's director of security research and communication for Europe. Targeted emails were sent to employees carrying attachments meant to exploit unpatched software and steal spreadsheets, Word documents and other information. Trend Micro named the attack "Lurid."
The pilfered documents were then uploaded to Web sites hosted on command-and-control servers in the U.S. and the U.K., Ferguson said. The location of the servers shows that hackers can choose servers anywhere in the world to collect stolen information, so it is not an indication of where the hackers themselves may be, he said.
China has endured frequent accusations it is complicit in hacking since many high-profile attacks have originated from infrastructure within the country. But Ferguson said there are many tools ranging from VPNs (Virtual Private Networks) to email spoofing techniques that can mislead hacking investigations.
Trend Micro classified the Lurid attacks as an “advanced persistent threat (APT).” Lurid has been active since at least August 2010.
Lurid uses a downloader program known as "Enfal" to steal documents. The downloader has been around since at least 2006, although Ferguson did not think it was sold on underground criminal forums.
The emails sent to victims contained an attached file that attempted to exploit vulnerabilities in software on the computer. This particular series of attacks often exploited a vulnerability in Adobe Reader that dates back to 2009, Ferguson said. Organizations that have not patched their software remain vulnerable to it.
Trend found that the hackers also assigned a campaign code to each piece of malware in order to identify their victims. Although the Lurid attacks touched many organizations, most of the attacks were aimed at just three.
Ferguson said Trend identified 301 different campaign codes: 115 campaigns were focused on a single victim, and 64 others hit just two more organizations.
The information gleaned from compromised computers was sent, encrypted, to the command-and-control servers in HTTP POST requests. Because the stolen information was encrypted and the traffic looked like normal Web browsing, it can be difficult for organizations to detect that they have been compromised, he said.
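Because the POST bodies are encrypted, a defender cannot match on content and has to fall back on the metadata a Web proxy still records: which internal host is posting, to which destination, how often, and how much. The following is an added example, not Trend Micro's tooling or any part of the Lurid write-up. It reads a constructed proxy log (the format, hosts and addresses are invented for the example), groups POST requests by client and destination, and flags destinations that only one client talks to and that receive either regularly spaced or unusually large uploads. The thresholds are assumptions to be tuned against real traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log for the example (not real Lurid traffic).
# Fields: timestamp, client IP, method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2011-09-20T09:00:00 10.0.0.5 GET www.example-news.test 412
2011-09-20T09:00:03 10.0.0.5 POST login.example-mail.test 1880
2011-09-20T09:00:10 10.0.0.7 GET www.example-news.test 410
2011-09-20T09:05:00 10.0.0.5 POST update.c2-placeholder.test 65280
2011-09-20T09:10:01 10.0.0.5 POST update.c2-placeholder.test 65410
2011-09-20T09:15:00 10.0.0.5 POST update.c2-placeholder.test 64990
2011-09-20T09:20:02 10.0.0.5 POST update.c2-placeholder.test 65100
2011-09-20T09:12:00 10.0.0.9 POST login.example-mail.test 2200
2011-09-20T09:30:00 10.0.0.7 POST login.example-mail.test 2050
2011-09-20T09:25:00 10.0.0.5 POST update.c2-placeholder.test 65300
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "method": m["method"],
            "host": m["host"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_post_exfil(events, min_posts=4, max_clients=1, max_cv=0.2, min_bytes=100_000):
    """Flag (client, host) pairs whose POST traffic looks like scheduled upload to a
    destination nobody else on the network uses. Thresholds are assumed values."""
    posts = defaultdict(list)          # (client, host) -> POST events
    clients_per_host = defaultdict(set)  # host -> set of clients that POST to it
    for e in events:
        if e["method"] != "POST":
            continue
        posts[(e["client"], e["host"])].append(e)
        clients_per_host[e["host"]].add(e["client"])

    findings = []
    for (client, host), evs in posts.items():
        if len(evs) < min_posts:
            continue
        evs.sort(key=lambda e: e["ts"])
        # Gaps between consecutive POSTs; a low coefficient of variation means a timer.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        total = sum(e["bytes"] for e in evs)

        rare = len(clients_per_host[host]) <= max_clients   # destination used by almost nobody
        periodic = cv <= max_cv                               # beacon-like spacing
        bulky = total >= min_bytes                            # more upload than a form post
        if rare and (periodic or bulky):
            findings.append({
                "client": client,
                "host": host,
                "posts": len(evs),
                "bytes_out": total,
                "mean_gap_s": round(mean_gap, 1),
                "periodic": periodic,
            })
    return findings


if __name__ == "__main__":
    for f in find_post_exfil(parse_log(SAMPLE_LOG)):
        print(f)
```

In the sample, the three ordinary clients posting to the webmail host are ignored because the destination is shared and the uploads are small, while the single client that posts roughly 64 KB every five minutes to a host no one else contacts is reported. On a real proxy log the same three signals (destination rarity, timing regularity, outbound volume) are what remain once the payload is opaque; the cut-offs above need to be set from a baseline of the organization's own traffic.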