Security researchers at Symantec have identified a previously undisclosed cyber-espionage group, codenamed Sowbug, that has been active since at least 2015. This group has focused its attacks on government entities across South America and Southeast Asia, aiming to exfiltrate sensitive data from institutions engaged in foreign policy and diplomatic affairs.

Targeting nations such as Argentina, Brazil, Ecuador, Peru, and Malaysia, the Sowbug group employs sophisticated tactics to infiltrate systems. The researchers noted that Sowbug primarily utilizes a malware known as “Felismus” to initiate these attacks. First uncovered in March 2023, Felismus is classified as a remote access Trojan (RAT), characterized by its modular architecture, which enables attackers to conceal its presence and augment its functionality stealthily.

Felismus gives attackers complete control over compromised systems, allowing them to download files, execute shell commands, and communicate with remote servers. Through a detailed analysis of the malware, Symantec’s team linked various past campaigns to the Sowbug group, indicating sustained operation dating back to early 2015 and potentially earlier.

In its analysis, Symantec emphasized that Sowbug specializes in compromising governmental organizations, successfully infiltrating targets in Argentina, Brazil, Ecuador, Peru, Brunei, and Malaysia. The group has demonstrated significant resources, capable of executing simultaneous strikes against multiple institutions while often conducting operations outside standard business hours to minimize detection.

Research indicates that Sowbug likely gained initial access through malicious software updates masquerading as legitimate Windows or Adobe Reader updates. Additional investigation revealed that the group uses a deployment tool called Starloader to deliver further malware, including credential stealers and keyloggers, onto compromised systems.

Rather than tampering with the legitimate software itself, Sowbug gives its tools filenames that resemble those of genuine applications and places them in directory structures that could easily be mistaken for the real installation paths. This lets the group blend its tooling in with ordinary software and operate without raising suspicion.
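The lookalike-name and lookalike-directory pattern described above is detectable from ordinary process-creation telemetry: a well-known filename running from a directory where that program is never installed is the signal. The script below is an illustrative detection written for this article; it is not Symantec's code and is not derived from the Sowbug or Felismus samples. The expected-location table, the similarity threshold and every event record are constructed assumptions for the example, and the Adobe and Windows paths are stand-ins for whatever a real software inventory reports.

```python
"""Flag executables that borrow a legitimate filename but live outside the
directory where that program is really installed (the lookalike-name and
lookalike-directory pattern).  Illustrative detection code added for this
article, not Symantec's and not derived from the Sowbug/Felismus samples;
all paths and events below are constructed."""
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Where each well-known binary is expected to live.  Assumed values for the
# example; a real deployment would derive them from a software inventory.
EXPECTED_LOCATIONS = {
    "acrord32.exe": [r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"],
    "svchost.exe":  [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
    "wuauclt.exe":  [r"C:\Windows\System32"],
}

# How similar an unexpected directory must be to a legitimate one before we
# call it a deliberate lookalike rather than merely out of place (assumed).
LOOKALIKE_THRESHOLD = 0.8

# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"host": "ws01", "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe", "parent": "explorer.exe"},
    {"host": "ws02", "image": r"C:\ProgramData\Adobe\AcroRd32.exe", "parent": "explorer.exe"},
    {"host": "ws02", "image": r"C:\Users\Public\Windows\Update\wuauclt.exe", "parent": "cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\SysWOW64\svchost.exe", "parent": "services.exe"},
    {"host": "ws03", "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Updates\AcroRd32.exe", "parent": "explorer.exe"},
]


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return str(PureWindowsPath(path)).lower().rstrip("\\")


def classify(image: str):
    """Return None for a binary in its expected place (or an unknown name),
    'lookalike-directory' when the directory closely resembles a legitimate
    one, or 'unexpected-directory' otherwise."""
    p = PureWindowsPath(image)
    allowed = EXPECTED_LOCATIONS.get(p.name.lower())
    if allowed is None:
        return None
    actual = normalize(str(p.parent))
    expected = [normalize(a) for a in allowed]
    if actual in expected:
        return None
    # Closest legitimate directory decides whether this is a near-miss path
    similarity = max(SequenceMatcher(None, actual, e).ratio() for e in expected)
    return "lookalike-directory" if similarity >= LOOKALIKE_THRESHOLD else "unexpected-directory"


def find_suspicious(events):
    """Attach a verdict to every event that warrants analyst attention."""
    hits = []
    for e in events:
        verdict = classify(e["image"])
        if verdict:
            hits.append({**e, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_EVENTS):
        print(f"[{h['host']}] {h['verdict']}: {h['image']} (parent {h['parent']})")
```

Unknown filenames are deliberately not flagged, so the rule stays quiet on hosts with software outside the inventory; the cost is that only names in the table are covered, which is why the table should be generated from an actual gold image rather than hand-maintained. The lookalike verdict exists to surface cases such as a subdirectory tucked under the genuine install path, which a plain allow-list check would report with no hint of why the path was chosen.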

Evidently, the Sowbug group has taken extensive measures to maintain operational secrecy, including carrying out its espionage activity during off-peak hours so that it can remain on targeted infrastructure for prolonged periods. Notably, in one intrusion the group remained undetected on a victim’s network for as long as six months, from September 2016 to March 2017.

While the distribution methods used by Sowbug have been documented, the identities of the individuals behind the attacks remain elusive. The complexity and execution of these methods hint at the use of multiple tactics described in the MITRE ATT&CK framework, such as initial access via software updates and persistence through covert operations.

In summary, the emergence of the Sowbug hacking group highlights the increasing sophistication of cyber-espionage threats, particularly against governmental entities. The ongoing vigilance and understanding of current cybersecurity trends are paramount for business owners concerned about safeguarding sensitive information in this evolving landscape.
