Global cloud security leader Trend Micro, producer of threat management solutions for businesses and consumers, recently released a report linking China-based hackers to an advanced persistent threat (APT) the security industry is calling the Luckycat campaign.
The Luckycat campaign has been active since at least June 2011. Although it was first documented by another antivirus company this year, the Trend Micro report gives a more detailed picture of how Luckycat operates. It is a sophisticated cyber-espionage campaign that attacked a diverse set of more than 90 targets. The attackers used a variety of methods, some of which have been linked to other cyber-espionage campaigns, and even tagged their attacks with campaign codes to measure success. Not only did the Luckycat perpetrators target military research in India, as previously reported, they also expanded their attacks to other sensitive entities in Japan and India, including Tibetan activists, who were heavily targeted.
Through careful monitoring, Trend Micro capitalized on mistakes made by the attackers and gained a glimpse of their identities and capabilities. Malware associated with other APT campaigns, such as ShadowNet, Duojeen, Sparksrv, and Comfoo, was used in the attacks or found hosted on the same dedicated server used by the Luckycat campaign.
The attackers behind the Luckycat campaign maintain a variety of command-and-control infrastructures and leverage anonymity tools to obfuscate their operations. The perpetrators target the following industries and communities: aerospace, energy, engineering, shipping, military research, and Tibetan activists.
“Individual targeted attacks are not one-off attempts. Attackers continually try to get inside the target’s networks. They are truly persistent in that sense. We in the industry are calling them advanced persistent threats or APTs because of their level of sophistication and how they are seemingly unrelenting in their focus,” said Myla Pilao, director for Core Technology Marketing, Trend Micro.
APTs as Espionage
Luckycat is an APT. APTs refer to a category of threats that aggressively pursue and compromise specific targets in order to maintain a persistent presence within the victim’s network, from which they can move laterally and exfiltrate data. Unlike indiscriminate cybercrime attacks, spam, web threats, and the like, APTs are much harder to detect because of the targeted nature of their components and techniques. Also, while cybercrime focuses on stealing credit card and banking information for profit, APTs are better thought of as cyber espionage.
“Although APTs appear to be daunting and scary, technologies like Trend Micro Deep Discovery provide the visibility, insight and control over networks necessary to defend against these targeted threats,” Pilao added.