Korea is targeting Russia via an espionage campaign called Sanny

Anytime I talk about cyber-espionage, the first reaction most people have is that China must be behind the effort. The reality is that most countries have cyber-espionage capabilities and they use it to further their own interests.

My eyes widened and my ears perked up when I read a research paper by FireEye about a possible cyber-espionage campaign against Russian industry by Korea. I say Korea because FireEye hasn’t clarified whether the source is North or South Korea. It seems most of the companies being targeted are in space research, IT, education and telecommunications.

A FireEye researcher has said:

“Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack.” - Ali Islam

The evidence thus far shows that:

  • the SMTP mail server is in Korea
  • the Command and Control servers are in Korea
  • the fonts used are “Batang” and “KP CheongPong”, which are Korean
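The font names above are attribution indicators, but they are also something a defender can check for during document triage. The following is an added example (mine, not from the FireEye report or the original post) that reads the font table of a .docx and reports any indicator fonts; it assumes the OOXML container, so a legacy binary .doc is not parsed, and the sample documents it builds are constructed fixtures.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Font names FireEye cited as Korean indicators in the Sanny lure documents.
INDICATOR_FONTS = {"Batang", "KP CheongPong"}

# WordprocessingML namespace used by word/fontTable.xml in OOXML packages.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def declared_fonts(docx_bytes):
    """Return the set of font names declared in word/fontTable.xml.

    Assumption: the input is a .docx (zip of XML parts). A binary .doc keeps
    its font table inside an OLE stream and is not handled here.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/fontTable.xml" not in zf.namelist():
            return set()
        # Stdlib ElementTree does not resolve external entities by default.
        root = ET.fromstring(zf.read("word/fontTable.xml"))
    name_attr = f"{{{W_NS}}}name"
    return {f.get(name_attr) for f in root.iter(f"{{{W_NS}}}font") if f.get(name_attr)}


def indicator_fonts(docx_bytes):
    """Fonts declared in the document that match the Korean-font indicator list."""
    return declared_fonts(docx_bytes) & INDICATOR_FONTS


def build_sample_docx(fonts):
    """Construct a minimal .docx declaring the given fonts (constructed fixture, not a real sample)."""
    font_xml = "".join(f'<w:font w:name="{name}"/>' for name in fonts)
    table = ('<?xml version="1.0" encoding="UTF-8"?>'
             f'<w:fonts xmlns:w="{W_NS}">{font_xml}</w:fonts>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, enough for this check
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        zf.writestr("word/fontTable.xml", table)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx(["Times New Roman", "Batang", "KP CheongPong"])
    benign = build_sample_docx(["Times New Roman", "Arial"])
    print("suspicious sample:", sorted(indicator_fonts(suspicious)))
    print("benign sample:", sorted(indicator_fonts(benign)))
```

A hit only means the document declares those fonts, which is common in legitimate Korean-language files; treat it as one triage signal alongside the mail-server and C2 indicators, not as proof on its own.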

Based on the evidence, this seems to be a well-organized and sophisticated attack. Ali Islam added:

"Once you have that information, you have access to employees' emails even from outside, and that means a lot of official information," Islam says. "It also steals other accounts' credentials, all user passwords stored by Firefox for auto login."

In true internet style, the infection is delivered by a phishing email claiming to concern a meeting of the “Association of Southeast Asian Nations”; the attached document exploits a Microsoft Word vulnerability, and the malware then steals data from the victim’s machine.

You can see a sample of the document (in Cyrillic) below.

All of the collected data is sent to a public message board where it can be seen by anyone without authentication. This means any data that is stolen can be retrieved by anyone, not just the attackers.