Kaspersky Lab announced the detection of the Poseidon group, an advanced cybercriminal group active in global cyber-espionage operations since at least 2005.
The Poseidon group stands out as a commercial entity: its attacks use customized malware, digitally signed with fake certificates, installed in order to steal confidential data from victims and then coerce them into a business relationship. The group's command-and-control centers have been identified even in the infrastructure of satellite internet providers serving ships at sea.
At least 35 companies have been identified as victims of this campaign. The main targets were financial and government institutions, telecommunications companies, manufacturing, energy, utilities and facilities-management organizations, and PR and media companies. Kaspersky Lab experts also detected attacks on service companies whose offerings are aimed at top-level executives. Victims of this group are located in the USA, France, Kazakhstan, the United Arab Emirates, India and Russia; however, the distribution of victims is dominated by Brazil, where many of them have joint ventures or partnerships.
One of the characteristics of the Poseidon group is its active targeting of domain-based corporate networks. According to Kaspersky Lab's analysis, the cybercriminals use phishing emails with RTF or DOC attachments, usually with a lure referring to human resources. When the attachment is opened, a malicious program is installed on the system. Another key finding is the presence of Brazilian Portuguese text in the samples; the group's preference for Portuguese-language systems, as shown by the samples, is something the experts encountered for the first time.
Once a computer is infected, the malware reports to the command-and-control server, and a complex operational phase then begins. In this phase a specialized tool is often used that automatically and aggressively collects a wide range of information, including credentials, group policy management settings and even system logs, in order to refine further attacks and ensure that the malware keeps running. In this way the cybercriminals learn which applications and commands can be used, while the malware operates and data is exfiltrated, without arousing the network administrator's suspicion.
The collected information is then used by the company that serves as a front to pressure the attacked victims into engaging the Poseidon group as a security consultant, under the threat of using the stolen data in a series of suspicious business transactions that benefit the attacker.
“The Poseidon group is a gang that has been working for many years on land, in the air and at sea. Some of its control centers have been identified in the infrastructure of Internet service providers for ships operating at sea. We found this group's actions at suppliers of wireless and traditional Internet connections,” said Dmitry Bestuzhev, director of the Global Research and Analysis Team (GReAT) in Latin America at Kaspersky Lab. “The group could remain undetected for a long time, among other reasons, because the malware it used had a very short lifespan.”
Since the Poseidon group has been active for at least ten years, the techniques used to design its implants have evolved, making it difficult for many researchers to link all the pieces of the puzzle together. However, by carefully collecting all the evidence, analyzing the operations of the cybercriminal group and reconstructing the attack timeline, Kaspersky Lab experts established in mid-2015 that earlier detected but unidentified traces in fact belonged to the same cybercriminal gang, the Poseidon group.