G20 Summit Becomes Bait For Cyberespionage Attacks
With the G-20 Summit a little more than a week away, cyberattackers are using the conference as a theme as they target government and financial institutions.
According to Rapid7, multiple groups — potentially originating in China — are responsible for the attacks, including a prominent group known as the Calc Team or APT-12 that has been tied to an attack on The New York Times.
“Within the security community there’s the firm belief that the Calc Team is an espionage group operating from China, which originally stood out due to the use of a peculiar algorithm used to calculate the connection details to their Command Control servers (CC) out of an initial DNS request,” blogs Rapid7 security researcher Claudio Guarnieri. “[This] group has been tracked by researchers for years and is believed to be responsible of numerous attacks against government agencies, financial institutions and defense contractors.”
The recent attacks all use the upcoming G20 conference — scheduled for Sept. 5 and 6 in St. Petersburg, Russia — as a theme for the bait. The first of the ongoing G20-themed attacks tied to the group was detected in May, and featured a PDF document outlining a development agenda for the Russian presidency, as well as a second document entitled “Global Partnership for Financial Inclusion Work Plan 2013.”
“Both are clearly Windows executable files that try to disguise as PDF documents,” the researcher notes. “As commonly happen, no exploit has been used here and the attacker uniquely relied on social engineering the targets to open and execute the files contained in the archive. Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion.”
Earlier this month, two more attacks tied to the group using other G20-themed booby-trapped documents were detected, as well. Once the malware is on the system, it is then used to download additional malware and log the keystrokes of users. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key with GetKeyState Windows API. Currently, the command-and-control used by the attackers remains active.
“Assuming that the chain of attribution to Calc is correct, it’s interesting to observe that despite major international exposure after The New York Times incident, the intrusion group/s behind these attacks is still operational and doesn’t seem to have been affected by the sudden attention received by newspapers and researchers,” Guarnieri blogs.
“Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it’s remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect,” he adds. “As also pointed out by FireEye, the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers, which combined with the lack of exploitation involved, it leaves a large responsibility on the targeted user to be able to recognize the social engineering attempt and isolate the attack.”
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.