Chinese cyber-security vendor Qihoo 360 published a report on Friday exposing an extensive hacking operation targeting the country of Kazakhstan.
Targets included individuals and organizations from all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, and government dissidents.
The campaign, Qihoo 360 said, was broad, and appears to have been carried out by a threat actor with considerable resources: one with the ability to develop its own private hacking tools, buy expensive spyware on the surveillance market, and even invest in radio communications interception hardware.
Signs point to some attacks relying on carefully crafted emails carrying malicious attachments (spear-phishing), while others relied on physical access to devices, suggesting the use of on-the-ground operatives deployed in Kazakhstan.
Meet Golden Falcon
Qihoo researchers named the group behind this extensive campaign Golden Falcon (or APT-C-34). The Chinese security vendor claimed the group was new, but when ZDNet reached out to Kaspersky, we were told Golden Falcon appears to be another name for DustSquad, a cyber-espionage entity that has been active since 2017.
The only report detailing its previous hacking operations dates back to 2018, when it was seen using spear-phishing emails that led users to a malware-laced version of Telegram.
Just like the attacks documented by Qihoo this week, the 2018 attacks also focused on Kazakhstan but had used a different malware strain.
Qihoo’s new report is primarily based on data the Chinese company obtained after it gained access to one of Golden Falcon’s command and control (C&C) servers, from which it retrieved operational data about the group’s activities.
There, the Chinese firm said, it found data stolen from infected victims, consisting primarily of office documents taken from hacked computers.
All the stolen information was arranged in per-city folders, with each city folder containing data on each infected host. Researchers said they found data from victims located in Kazakhstan’s 13 largest cities, and more.
The data was encrypted, but researchers said they were able to decrypt it. Inside, they also found evidence that Golden Falcon was spying on foreign nationals in the country — with Qihoo naming Chinese international students and Chinese diplomats as targets.
Expensive hacking tools
Files on the C&C server revealed what types of hacking tools this group was using. Two tools stood out. The first was a version of RCS (Remote Control System), a surveillance kit sold by Italian vendor HackingTeam. The second was a backdoor trojan named Harpoon (Garpun in the Russian language) that appears to have been developed by the group itself.
Regarding its use of RCS, what stood out was that Golden Falcon was using a new version of the kit. The RCS version number is important because, in 2015, a hacker breached HackingTeam and leaked all of the company’s internal files, including the source code for RCS.
At the time, the RCS version number was 9.6. According to Qihoo, the version number for the RCS instances they found in Golden Falcon’s possession was 10.3, a newer version, meaning the group most likely bought a newer version from its distributor.
But Golden Falcon was also in possession of another potent tool. Qihoo says the group was using a unique backdoor that hasn’t been seen outside the group’s operations and was most likely its own creation.
The Chinese vendor said it obtained a copy of this tool’s manual. It is unclear if they found the manual on the group’s C&C server, or if they obtained it from another source. The manual, however, shows a well-developed tool with a large feature set, on par with many of today’s top backdoor trojans. Its documented capabilities include:
- Steal clipboard data
- Take screenshots of the active window at predetermined intervals
- List the contents of a given directory
- Get the Skype login name, contact list, and chat message history
- Get Skype and Google Hangouts contacts and voice recordings
- Record sound via the microphone (eavesdropping)
- Copy a specified file from the target computer
- Automatically copy files from removable media
- Store all intercepted data in an encrypted data file inside a specified directory
- Send stolen data to a specified FTP server
- Run a program or operating system command
- Download files from a given FTP server into a specific directory
- Remotely reconfigure and update components
- Receive data files from a given FTP server and automatically extract them to a specified directory
Most of the features listed above are the norm for most high-level backdoor trojans, usually encountered in nation-state level cyber-espionage.
But Qihoo researchers also found additional files, such as contracts, supposedly signed by the group.
It is important to point out that cyber-espionage groups don’t leave contracts sitting around on C&C servers. It is unclear if these contracts were found on Golden Falcon’s C&C server, or were retrieved from other sources. Qihoo didn’t say.
One of these contracts appears to be for the procurement of a mobile surveillance toolkit known as Pegasus. This is a powerful mobile hacking tool, with Android and iOS versions, sold by NSO Group.
The contract suggests that Golden Falcon had, at least, shown interest in acquiring NSO’s Android and iOS surveillance tools. It is unclear if the contract was ever completed with a sale, as Qihoo didn’t find any evidence of NSO’s Pegasus beyond the contract.
Either way, Golden Falcon did have mobile hacking capabilities. This capability was provided via Android malware supplied by HackingTeam.
Qihoo said the malware they analyzed included 17 modules with features ranging from audio eavesdropping to browser history tracking, and from stealing IM chat logs to tracking a victim’s geo-location.
Radio interception hardware
A second set of contracts showed that Golden Falcon had also acquired equipment from Yurion, a Moscow-based defense contractor that specializes in radio monitoring, eavesdropping, and other communications equipment.
Again, Qihoo only shared details about the contract’s existence, but could not say if the equipment was bought or used — such capabilities go beyond the tools at the disposal of a regular security software company.
Tracking down members?
The Chinese cyber-security firm also said it tracked down several Golden Falcon members through details left in legal digital signatures, supposedly found inside the contracts they discovered.
Researchers said they tracked four Golden Falcon members and one organization.
Using data that was left uncensored in a screenshot shared by Qihoo, we were able to track one of the group’s members to a LinkedIn profile belonging to a Moscow-area programmer that the Chinese firm described as “a technical engineer” for Golden Falcon.
No official attribution — but plenty of theories
Neither Qihoo nor Kaspersky, in its 2018 report, makes any formal attribution for this group. The only detail the two shared was that this was a Russian-speaking APT (advanced persistent threat — a technical term used to describe advanced, nation-state backed hacking units).
During research for this article, ZDNet asked a few analysts for their opinions. The most common theories we heard were that this “looks” to be (1) a Russian APT, (2) a Kazakh intelligence agency spying on its citizens, or (3) a Russian mercenary group doing on-demand spying for the Kazakh government — with the last two being the most common answers.
However, it should be noted that these arguments are subjective and not based on any actual substantial proof.
The use of HackingTeam surveillance software, and the inquiry into buying NSO Group mobile hacking capabilities does show that this could be, indeed, an authorized law enforcement agency. However, Qihoo also pointed out that some of the targets/victims of this hacking campaign were also Chinese government officials in north-west China — meaning that if this was a Kazakh law enforcement agency, then they seriously overstepped their jurisdiction.
The Qihoo Golden Falcon report is available here, in Chinese, and here, translated with Google Translate. The report contains additional technical information about the malware used in these attacks, information that we didn’t include in our coverage because it was too technical.
The Five Pillars of (Azure) Cloud-based Application Security
This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and special guests from Fortinet, Director of Product Marketing for Public Cloud, Daniel Schrader, and Global Director of Public Cloud Architecture and Engineering, Aidan Walden.
These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency, but without impacting performance or increasing risk, either from infrastructure resilience or end-user behaviors.
Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.
If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.
Data Management and Secure Data Storage for the Enterprise
This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.
Most of the recent news coverage and analysis of cyberattacks focus on hackers getting access and control of critical systems. Yet rarely is it mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.
In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.
CISO Podcast: Talking Anti-Phishing Solutions
Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.
Earlier this week, Gibson’s report was a featured topic of discussion on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for Salesforce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.
“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”
As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.
Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.
“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.
So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:
“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot of overhead, especially if you have a small team, if these tools are really disruptive to the email flow.”
Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.
“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”
Listen to the Podcast: CISO Podcast