Tuesday, August 18, 2015

APT: Cloud Atlas

Cloud Atlas

STATUS: Active
TYPE: Trojan
DISCOVERY: August 2014
TARGETED PLATFORMS: Windows, Android, iOS, Linux
FIRST KNOWN SAMPLE: 2014
NUMBER OF TARGETS: 11-100

TOP TARGETED COUNTRIES:
Russia, Kazakhstan, Belarus, India, The Czech Republic

Special Features:
CloudAtlas represents a rebirth of the RedOctober attacks.
Some of the victims of RedOctober are also targeted by CloudAtlas.
Both Cloud Atlas and RedOctober malware implants rely on a similar construction, with a loader and a final payload that is stored, encrypted and compressed in an external file.
CloudAtlas implants utilize a rather unusual C&C mechanism - all malware samples communicate with accounts from a cloud services provider.
The Microsoft Office exploit doesn’t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.


TARGETS:
Diplomatic organizations/embassies
Government entities

APT:Hacking Team RCS

Hacking Team RCS

STATUS: Active
TYPE: Backdoor, Trojan, Rootkit
DISCOVERY: 2011
TARGETED PLATFORMS: Windows, OS X, BlackBerry, Windows Mobile, Android, iOS
FIRST KNOWN SAMPLE: 2008
NUMBER OF TARGETS: 101-500

TOP TARGETED COUNTRIES:
Russia, China, Italy, Vietnam, USA, Turkey, Iraq, Mexico, Germany, India

Special Features:
“Business-to-government” spyware
Can monitor any action performed on a personal computer or mobile device
Modules for computers and mobile devices
Self-replication via USB flash drive
Infection of VMware virtual machines by copying itself into the autorun folder on the virtual drive
Ability to self-update
Samples are signed by legitimate certificate authorities
Local infections via USB cables while synchronizing mobile devices
Specific malicious implant for every concrete target
At least 39 Apple devices supported by the iOS mobile modules
Both jailbroken and non-jailbroken iPhones can be infected: an attacker can conduct a remote jailbreak through already infected computers

TARGETS:
Activists
Journalists
Politicians
Criminal suspects

APT:SabPub

SabPub

STATUS: Inactive since 2012
TYPE: Backdoor
DISCOVERY: April 2012
TARGETED PLATFORMS: OS X
FIRST KNOWN SAMPLE: 2012
NUMBER OF TARGETS: 11-100

TOP TARGETED COUNTRIES:
India, USA, Western Europe

Special Features:
Mac OS X backdoor
SabPub targeted the Dalai Lama and the Tibetan community

TARGETS:
Activists

APT:Regin

Regin

STATUS: Active
TYPE: Complex cyberattack platform, Trojan, Rootkit
DISCOVERY: Spring 2012
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: 2003
NUMBER OF TARGETS: 11-100

Top targeted countries:
Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria, Russia

Special Features:
Regin – the first cyber-attack platform known to penetrate and monitor GSM networks in addition to other “standard” spying tasks.
One particular Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.
The Regin platform uses a highly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
Specific Regin targets include individuals involved in advanced mathematical/cryptographic research.

TARGETS:
Telecoms
Government entities
Multi-national political bodies
Financial institutions
Academia/Research
Specific individuals

APT: NetTraveler

NetTraveler

STATUS: Active
TYPE: Cyberespionage toolkit
DISCOVERY: 2013
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: 2004
NUMBER OF TARGETS: 101-500

Top targeted countries:
Mongolia, India, Russia. In total, infections were identified in 40 countries.

Special Features:
The crew behind NetTraveler specifically targets Tibetan/Uyghur activists.
NetTraveler infects high-profile targets: space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.
More than 22 gigabytes of stolen data is stored on NetTraveler’s C&C servers.
Office and Java exploits were used.


Targets:
Activists
Energy, oil and gas companies
Academia/Research
Private companies
Government entities
Diplomatic organizations/embassies
Military

Wednesday, August 5, 2015

APT: Equation

Equation

STATUS: Active
TYPE: Complex cyberattack platform
DISCOVERY: 2014
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: 2002
NUMBER OF TARGETS: 500-1,000

Top Targeted countries:
Iran, Russia, Pakistan, Afghanistan, India, China, Syria, Mali, Lebanon, Yemen

Special Features:
The ability to infect hard drive firmware
The use of the “interdiction” technique to infect victims
Mimicking criminal malware

Targets:
Nanotechnology
Financial institutions
Nuclear industry
Activists
Academia/Research
Government entities
Energy, oil and gas companies
Military
Telecoms
Diplomatic organizations/embassies
Trade and commerce
Aerospace
Mass media and TV
High technology companies
Education
Transportation

APT: Hellsing

Hellsing

STATUS: Active
TYPE: Remote administration tool
DISCOVERY: Summer 2014
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: 2012
NUMBER OF TARGETS: 11-100

Top Targeted countries:
Malaysia, Philippines, India, Indonesia, USA

Targets:
Government entities
Diplomatic organizations/embassies

Tuesday, August 4, 2015

APT: Carbanak

Carbanak

STATUS: Active
TYPE: Backdoor
DISCOVERY: 2014
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: 2013
NUMBER OF TARGETS: 11-100


Special features:
First ever criminal APT.
Carbanak cybergang was able to steal $1bn from 100 financial institutions worldwide.
The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.
The largest sums were grabbed by hacking into banks and stealing up to ten million dollars in each raid.


Top 10 countries:
Russia, USA, Germany, China, Ukraine, Canada, Taiwan, Hong Kong, United Kingdom, Spain, Norway, India, France, Poland, Pakistan, Nepal, Morocco, The Czech Republic, Switzerland, Bulgaria, Australia, Iceland, Brazil

Targets:
Financial institutions

Monday, August 3, 2015

APT: CosmicDuke

CosmicDuke

STATUS: Active
TYPE: Backdoor
DISCOVERY: 2013
TARGETED PLATFORMS: Windows
FIRST KNOWN SAMPLE: April 2012
NUMBER OF TARGETS: 101-500

Special features:
The TinyBaron/CosmicDuke custom backdoor is compiled using a customizable framework called "BotGenStudio", which has sufficient flexibility to enable/disable components when the bot is constructed.
The attackers use strong self-protection to prevent antimalware solutions from analyzing the implant and detecting its malicious functionality via an emulator. It also complicates malware analysis.
CosmicDuke targets individuals involved in the traffic and selling of illegal and controlled substances. These victims have been observed only in Russia.

Top 10 countries affected:
Georgia, Russia, USA, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine, Lithuania. Others include Azerbaijan, Greece and Ukraine.

Targets:
Diplomatic organizations/embassies
Energy, oil and gas companies
Telecoms
Military
Specific individuals

Operating system - Part 1:

In our blog, we published several articles on OS concepts, mostly from the perspective of malware analysis/security research. In few in...