Chinese Hackers Executed Nationwide Watering Hole Attack

New Cyber Espionage Campaign Targets Central Asian Data Center

Cybersecurity researchers have identified a covert espionage campaign aimed at a national data center in a yet-to-be-disclosed Central Asian nation, built around a watering hole attack. Believed to have been active since the fall of 2017, the campaign was recently highlighted by Kaspersky Lab, which attributes it to a Chinese-speaking hacker group known as LuckyMouse.

LuckyMouse, also tracked as Iron Tiger, EmissaryPanda, APT 27, and Threat Group-3390, has a long history of cyber operations, including attacks earlier this year in which it deployed Bitcoin mining malware against targets in Asian countries. The group is known for targeted intrusions that have historically compromised substantial amounts of confidential data belonging to executives at U.S.-based defense firms.

In this latest operation, LuckyMouse shifted its focus to compromise a national data center, reportedly to gain wide-ranging access to governmental resources. Researchers revealed that the attackers injected malicious JavaScript into the official government websites linked to the targeted data center. This technique, commonly employed in watering hole attacks, enables cybercriminals to exploit unsuspecting visitors to these websites by deploying malware when they access compromised pages.

While LuckyMouse has previously exploited a known Microsoft Office vulnerability (CVE-2017-11882) to weaponize documents, there is currently no evidence that this technique was used in the attack against the Central Asian data center. The initial vector remains unclear, although experts suspect the hackers may have used watering hole or phishing strategies to compromise employee accounts connected to the data center.

The malware identified in this campaign is HyperBro, a Remote Access Trojan (RAT) that gives attackers persistent remote administration of a compromised system. According to Kaspersky's findings, traces of HyperBro were uncovered in the targeted data center by mid-November 2017. This infection coincided with the redirection of users from government websites to a malicious domain associated with the attackers.

Further analysis indicates that the compromised websites redirected users to the Browser Exploitation Framework (BeEF) and the ScanBox reconnaissance suite, which together can perform functions similar to those of a keylogger. This highlights LuckyMouse's capability to turn ordinary web traffic to malicious ends.
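The two preceding paragraphs describe the core of the watering hole: malicious JavaScript injected into legitimate government pages that loads, or redirects to, attacker-controlled infrastructure. A site owner's first line of detection is content integrity monitoring: periodically fetch your own pages and flag any script or iframe source, or inline redirect, that points outside the site's own domains, then compare against a known-good baseline. The following is an added example written for this article, not code from the original page or from Kaspersky's report; the sample page, the first-party domain list (`gov.example`, `static.gov.example`) and the placeholder host `update-cdn.example` are all constructed and are not indicators from the actual campaign.

```python
"""Content integrity check for a website: flag third-party script/iframe
sources and inline redirects, and diff them against a known-good baseline.

Added example, not from the article or Kaspersky's report. All domains and
the sample HTML below are constructed placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains this site is allowed to load code from.
FIRST_PARTY = {"gov.example", "static.gov.example"}

# Inline assignments such as  window.location = "http://..."  or
# document.location.href = '...'  inside a <script> body.
REDIRECT_RE = re.compile(
    r"(?:window|document)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
)


class _Collector(HTMLParser):
    """Collects external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, src) for <script src> and <iframe src>
        self.inline_scripts = []  # bodies of <script>...</script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.external.append((tag, attrs["src"]))
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so we can buffer it.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)


def is_first_party(url, allowed=FIRST_PARTY):
    """True for relative URLs and for hosts equal to or under an allowed domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host:              # relative URL: same origin as the page
        return True
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit_page(html, allowed=FIRST_PARTY):
    """Return a list of findings: third-party loads and off-site inline redirects."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, src in collector.external:
        if not is_first_party(src, allowed):
            findings.append({"kind": f"external_{tag}", "url": src})
    for body in collector.inline_scripts:
        for match in REDIRECT_RE.finditer(body):
            target = match.group(1)
            if not is_first_party(target, allowed):
                findings.append({"kind": "inline_redirect", "url": target})
    return findings


def new_since_baseline(baseline_html, current_html, allowed=FIRST_PARTY):
    """Findings present in the current snapshot but absent from the baseline.

    Legitimate third-party loads show up in the baseline and are suppressed;
    anything new is what an integrity monitor should alert on.
    """
    known = {(f["kind"], f["url"]) for f in audit_page(baseline_html, allowed)}
    return [f for f in audit_page(current_html, allowed)
            if (f["kind"], f["url"]) not in known]


# Constructed sample pages: a clean baseline and a tampered copy.
BASELINE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.gov.example/lib.js"></script>
</head><body><h1>Ministry portal</h1></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.gov.example/lib.js"></script>
<script src="https://update-cdn.example/loader.js"></script>
<script>
  if (navigator.userAgent.indexOf("Windows") !== -1) {
    window.location = "http://update-cdn.example/landing";
  }
</script>
</head><body><h1>Ministry portal</h1></body></html>"""

if __name__ == "__main__":
    for finding in new_since_baseline(BASELINE_PAGE, TAMPERED_PAGE):
        print(f"ALERT {finding['kind']}: {finding['url']}")
```

In practice the baseline is a snapshot taken from a trusted deploy, the fetch runs from outside the hosting environment (so a compromised server cannot serve the monitor a clean copy), and alerts are triaged alongside web server access logs to identify when the injected content first appeared.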

The primary command and control (C&C) server used in this operation was hosted at an IP address belonging to a Ukrainian Internet Service Provider and assigned to a MikroTik router. Researchers suspect the router was compromised specifically to host the campaign's infrastructure without attracting attention, reinforcing the picture of an extensive and well-planned attack.

Viewed through the MITRE ATT&CK framework, the operation maps to several adversary tactics: initial access through compromised websites, persistence provided by the HyperBro Trojan, and collection of sensitive information.

As organizations increasingly face sophisticated cyber actors, the implications of state-sponsored espionage campaigns like this one cannot be overstated. Understanding how these attacks unfold helps organizations strengthen their defenses against an evolving threat landscape.