April 29, 2015

Philippine agencies among victims of global cyberespionage groups

Vicente Diaz
Cyberattacks in Asian countries ‘obviously’ government-sponsored

The Philippine government is among the nations that have been hit by two recently discovered cyberespionage groups that target the Asian region, according to Kaspersky Lab.

Kaspersky Lab experts said that the Philippines, along with countries in Southeast Asia, South Asia and the United States, has been infected by two cyberespionage groups called Naikon and Hellsing.

Security researchers of Kaspersky Lab first discovered Naikon, a group that targets government agencies in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

Naikon’s targets were extremely wide-ranging and include institutions in the Philippines such as:

  • Office of the President
  • Armed Forces
  • Office of the Cabinet Secretary
  • National Security Council(s)
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • National Police
  • Presidential Management Staff

Hellsing, meanwhile, is a group currently active in the Asia Pacific region hitting government networks mainly in the South China Sea area, with a focus on the Philippines, Malaysia and Indonesia. This cyberespionage group also targets diplomatic agencies in the United States.

Hellsing List of PH victims

Hellsing’s infected email attachments related to the Philippines found by Kaspersky Lab experts had the following file names:

  • Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
  • PAF-ACES Fellowship Program.scr
  • Update SND Meeting with the President re Hasahasa Shoal Incident.scr
  • Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip

Vicente Diaz, Principal Security Researcher of Kaspersky Lab’s Global Research and Analysis Team (GReAT), said that they discovered Hellsing during their research into the activity of Naikon.

Security experts, including Diaz, noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.

The target, which was Hellsing, questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter Hellsing forwarded to Naikon an email containing its own malware.

“Hellsing sent an email reply with a malicious attachment and tried to infect Naikon, the initial attacker. This is an APT (Advanced Persistent Threat) on an APT and this is the first time we are seeing this. We were processing this information last week and this is quite a unique campaign that we call ‘Empire Strikes Back’,” Diaz said recently during his presentation to the local media.

Kaspersky Lab security researchers consider this a new and rare cybercriminal trend in which an attacker strikes back at the initial attacker.

Diaz said they do not know the people behind the two cyberespionage groups, but said that these cybercriminals are after important and confidential data from a country or an organization.

“Basically, these campaigns create a special malware for spying in getting your data, stealing your secrets. Who do you think could be behind such campaigns? Just some regular hacker? Not really,” said Diaz.

“They are not interested in making money,” the security analyst said.

According to Diaz, threat actors like Hellsing and Naikon create global malware designed to steal corporate and government data. These cyberespionage groups also infect selected individuals and selected institutions that have the data they want to steal.

According to STIX, a threat actor is an individual or group involved in malicious cyber activity.

“These threat actors create malwares not designed to get your bank accounts. It is designed not only to steal corporate data but also data from government institutions, from research, and the military,” he said.

“This malware is not attacking everyone. It is attacking a few people, a few institutions. They don’t want to be discovered. They want to use these malwares for years and get all the data they want from their victims,” he warned.

Aside from diplomatic and government institutions, Diaz said that they have observed malware targeting activists and journalists in some countries as well.

Philippines ranks 47 among most infected countries

Diaz, a Spanish security analyst from Barcelona, also noted that almost half, or 44.1%, of Kaspersky users in the Philippines have been infected by viruses this year. This placed the Philippines 47th among 176 countries surveyed.

Kaspersky Lab’s data also revealed that the Philippines hosted a total of 6,043 incidents during the first quarter of 2015. This put the Philippines in 78th place worldwide.

“When we talk about hosted malware, we have around 6,000 incidents in the Philippines for 2015. What is hosted malware? It means that some websites are infected and these websites are here in the Philippines. The servers are physically here,” Diaz explained.

Web malware, on the other hand, was able to infect a total of 19.6% of users in the Philippines. This percentage put the country in 83rd place worldwide.

Meanwhile, Jimmy Fong, Channel Sales Director of Kaspersky Lab Southeast Asia, noted the economic growth of the Philippines and its possible implications for the future cyberthreat landscape of the country.

“As you see, Philippines is becoming richer and I see the value in the Philippines as well. The Philippines is calmer and the financial institutions are not aware of this kind of cyberthreats but someday, they will be for sure. This is why we’re starting to promote awareness about threats that may come to the Philippines in the future. Or maybe it’s already here but nobody knows,” he said.

Fong also said that Kaspersky Lab, as the leading provider of security solutions in the B2C market in Southeast Asia, is focusing more on the B2B sector amid recent cyberattacks against financial institutions. Recent reports showed the cybercriminal group called Carbanak stole almost $1 billion from 100 banks around the world.

“I think these kind of incidents actually happen everywhere in the world as long as there is money. So I don’t think that this may not happen in this area. It can happen everywhere. It happened in Moscow, it may happen in Southeast Asia and it may happen in the Philippines as well,” Fong said.
