Following on from yesterday’s United Airlines post, both Kaspersky and Symantec are reporting about a hacking group that is not interested in stealing credit cards. Instead, they are stealing corporate secrets for financial gain. Whether they are using them for insider trading or selling them to the highest bidder, the group, whom Kaspersky calls Wild Neutron, is very good at what they do.
The group has been around since at least 2011, but came into the spotlight in 2013 with attacks against Microsoft, Apple, Facebook and Twitter, using a watering hole attack. As the name suggests, a watering hole attack creates an attractive site which is infected with malware. When the water buffalo (employees) come to the watering hole (infected site), their computers are infected (animals die). This particular attack, they say, used a zero day Java vulnerability.
The group went dark for a little while after this attack was disclosed, but came back into the spotlight in 2014 with attacks on a wide range of industries: healthcare, legal, real estate, technology, investment firms and firms involved in mergers and acquisitions.
Symantec says that their investigation uncovered attacks on 49 companies in 20 countries. Kaspersky said this group is the one that stole the Acer digital certificate that was used in a related attack.
The group has been able to keep their shields up, so neither research group has a lot of information about them. They do say that they do not think they are state sponsored.
From the hacker’s viewpoint, this methodology can be very successful due to a number of reasons.
Unlike credit cards where their very first use is likely to raise alarm bells, if corporate trade secrets are stolen, likely no one will know. In addition, since companies are not required by law to disclose this type of theft, the victim companies are likely to stay silent to avoid being embarrassed.
If the victim companies do not disclose that valuable process, engineering, manufacturing or financial data has been compromised, they will also avoid shareholder and class action lawsuits – another reason these attacks stay in the shadows.
That is, of course, if the victim is even aware that they have been hacked. Many companies discover their credit card system has been hacked when they receive a call from Visa or a visit from the FBI. It is highly likely that this group is outside the U.S. and in a country unfriendly to us. If they were, for example, in Russia, and were somehow discovered by the authorities, it is more likely that they would ask for a cut than shut the group down. After all, what’s in it for them to shut down a group that is hacking U.S. companies.
For businesses, this is a much harder class of attack to stop because there are no external tell tale warning signs. Looking at the attack itself, the attack techniques and protection methods are no different than are used in credit card attacks.
For a business, this means that they are much less likely to know that they have been had.