APT & Targeted Attacks
Luckycat Redux: Inside an APT Campaign
Our research on Luckycat Redux looked into the activities of the campaign. Our investigation significantly improves the available knowledge about not just this attack specifically, but about how targeted attacks unfold.
Today, we published our paper titled Luckycat Redux, which looked into the activities of the Luckycat campaign. The campaign was first documented earlier this month by our friends at Symantec; our investigation has significantly improved the available knowledge about not just this attack specifically, but about how targeted attacks unfold. Here are some of our findings:
- To understand targeted attacks, you have to think of them as a campaign. The attacks – which can be linked through careful monitoring and analysis – are only part of the whole campaign. This approach yields vastly more useful information about these attacks. The idea of campaigns and campaign tracking is vital to developing actionable threat intelligence that protects users and networks.
- This campaign had a much more diverse target set than previously thought. Not only did they target military research in India (as earlier disclosed by Symantec), they also targeted sensitive entities in Japan and India, as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free hosting sites to dedicated virtual private servers.
- Luckycat has links to other campaigns as well. The persons behind this campaign used or provided infrastructure for other malware campaigns that have also been linked to previous targeted attacks, like the previously uncovered, yet still active, Shadow Network. They also used additional malware as second-stage malware in their attacks. We tracked 90 attacks that were part of this campaign.
- Our careful monitoring allowed us to capitalize on some mistakes made by the attackers, which gave us a glimpse of their identities and capabilities. We were able to get an inside view of some of their operational capabilities, including their use of anonymity technology to disguise themselves. We were also able to track some of the attackers through their QQ addresses to a famous hacker forum in China known as Xfocus. One individual was identified as having previously attended an information security institute in China.
Those interested in the rest of our findings can download the full copy of our paper Luckycat Redux.