A small cyber espionage group was exposed when it retaliated against an attack launched by another advanced persistent threat (APT) group.
Researchers at Kaspersky Lab were investigating Naikon, one of the most active threat groups in Asia, when they came across the activities of a different actor which they have dubbed “Hellsing.”
Just days after Malaysia Airlines Flight 370 (MH370) disappeared last year, Naikon started targeting various government organizations in countries that had been involved in the search for the missing airplane. The attackers used spear-phishing emails containing documents designed to exploit Microsoft Word vulnerabilities in order to deliver a backdoor.
Hellsing has been active since at least 2012 and has mainly targeted government organisations in Malaysia, Indonesia and the Philippines. Some targets have also been identified in the United States and India. It has been using spear-phishing emails to deliver malware to victims’ computers. Based on command and control (C&C) server information gathered by Kaspersky, it’s possible that some of the victims are the Malaysian Ministry of Tourism and Culture, the Malaysian Maritime Enforcement Agency, and the Malaysian National Sports Council.
Costin Raiu, director of Kaspersky’s global research and analysis, said: “In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”