Anytime I talk about cyber-espionage, the first reaction most people have is that China must be behind the effort. The reality is that most countries have cyber-espionage capabilities and they use it to further their own interests.
My eyes widened and my ears perked up when I read a research paper by FireEye about a possible cyber-espionage campaign against Russian industry by Korea. I say Korea because FireEye hasn’t clarified whether the source is North or South Korea. It seems most of the organizations being targeted are in space research, IT, education and telecommunications.
A FireEye researcher has said:
“Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack.” - Ali Islam
The evidence thus far shows that:
- the SMTP mail server is in Korea
- the Command and Control servers are in Korea
- The fonts used in the documents are “Batang” and “KP CheongPong”, both of which are Korean fonts
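The font indicator above is something an analyst can check directly: a .docx file is a zip archive, and the fonts it declares live in word/fontTable.xml, while the fonts actually applied to text show up as w:rFonts attributes in word/document.xml and word/styles.xml. The script below is an added example, not FireEye's tooling or anything from the original report. It builds a small constructed sample document in memory (so it runs offline), extracts the font names, and flags the ones on a hypothetical analyst-maintained list of Korean-locale fonts; the list, the function names and the sample text are assumptions made here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by every .docx part we read.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Hypothetical analyst-maintained list (assumption, not from the report):
# Batang, Gulim, Dotum, Gungsuh and Malgun Gothic ship with Korean Windows;
# KP CheongPong is the font the original post calls out.
KOREAN_FONTS = {"Batang", "Gulim", "Dotum", "Gungsuh", "Malgun Gothic", "KP CheongPong"}


def fonts_in_docx(data: bytes) -> list:
    """Return every font name declared or applied in a .docx, sorted."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = set(z.namelist())
        # Declared fonts: word/fontTable.xml lists each <w:font w:name="..."/>.
        if "word/fontTable.xml" in members:
            root = ET.fromstring(z.read("word/fontTable.xml"))
            for font in root.iter(f"{{{W_NS}}}font"):
                name = font.get(f"{{{W_NS}}}name")
                if name:
                    names.add(name)
        # Applied fonts: <w:rFonts w:ascii=.. w:hAnsi=.. w:eastAsia=.. w:cs=../>
        # in runs and styles; eastAsia is the slot a Korean build fills in.
        for part in ("word/document.xml", "word/styles.xml"):
            if part in members:
                root = ET.fromstring(z.read(part))
                for rf in root.iter(f"{{{W_NS}}}rFonts"):
                    for slot in ("ascii", "hAnsi", "eastAsia", "cs"):
                        name = rf.get(f"{{{W_NS}}}{slot}")
                        if name:
                            names.add(name)
    return sorted(names)


def korean_fonts(font_names) -> list:
    """Subset of font_names that appear on the Korean-locale list."""
    return sorted(set(font_names) & KOREAN_FONTS)


def build_sample_docx(declared_fonts, east_asia_font=None) -> bytes:
    """Constructed minimal .docx for the demo; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        font_table = (
            f'<w:fonts xmlns:w="{W_NS}">'
            + "".join(f'<w:font w:name="{n}"/>' for n in declared_fonts)
            + "</w:fonts>"
        )
        z.writestr("word/fontTable.xml", font_table)
        run_props = (
            f'<w:rPr><w:rFonts w:eastAsia="{east_asia_font}"/></w:rPr>'
            if east_asia_font else ""
        )
        # Cyrillic body text, mirroring a lure aimed at Russian readers.
        document = (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>{run_props}'
            "<w:t>Совещание АСЕАН</w:t></w:r></w:p></w:body></w:document>"
        )
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(
        ["Times New Roman", "Batang", "KP CheongPong"], east_asia_font="KP CheongPong"
    )
    found = fonts_in_docx(sample)
    print("fonts:", found)
    print("korean-locale fonts:", korean_fonts(found))
```

Treat the result as a weak, corroborating indicator rather than proof: fonts reflect the locale of whatever machine last edited the document, they survive copy-and-paste between documents, and anyone can set them deliberately. That is why the researcher's own wording is "many indicators" rather than "concrete evidence".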
Based on the evidence, this seems to be a well organized and sophisticated attack. Ali Islam added
"Once you have that information, you have access to employees' emails even from outside, and that means a lot of official information," Islam says. "It also steals other accounts' credentials, all user passwords stored by Firefox for auto login."
In true internet style, the infection starts with a phishing email about a purported meeting of the “Association of Southeast Asian Nations”. The attached Word document exploits a vulnerability in Word to install the malware, and it is the malware that then steals the data.
You can see a sample of the document (in Cyrillic) below
All of the collected data is sent to a public message board that anyone can read without authentication. In other words, the attackers' own exfiltration channel exposes everything that is stolen from the victims to anyone who finds the board.