Cyberespionage campaign targeting government-affiliated organizations
Posted on 05.06.2013
Kaspersky Lab experts have published a new research report about NetTraveler, a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries.

The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists.

According to Kaspersky Lab's report, this threat actor has been active since as early as 2004; however, the highest volume of activity occurred from 2010 to 2013. Most recently, the NetTraveler group's main domains of interest for cyberespionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.

Infection methods

Attackers infected victims by sending clever spear-phishing emails with malicious Microsoft Office attachments rigged with two widely exploited vulnerabilities (CVE-2012-0158 and CVE-2010-3333). Even though Microsoft has already issued patches for both vulnerabilities, they are still widely used for exploitation in targeted attacks and have proven to be effective.

The titles of the malicious attachments in the spear-phishing emails show the NetTraveler group's dogged effort to customize their attacks in order to infect high-profile targets. Notable titles of malicious documents include:
  • Army Cyber Security Policy 2013.doc
  • Report - Asia Defense Spending Boom.doc
  • Activity Details.doc
  • His Holiness the Dalai Lama's visit to Switzerland day 4
  • Freedom of Speech.doc

Data theft and exfiltration

During Kaspersky Lab's analysis, its team of experts obtained infection logs from several of NetTraveler's command and control (C&C) servers. C&C servers are used to install additional malware on infected machines and exfiltrate stolen data. Kaspersky Lab's experts calculated the amount of stolen data stored on NetTraveler's C&C servers to be more than 22 gigabytes.

Exfiltrated data from infected machines typically included file system listings, keylogs, and various types of files including PDFs, Excel spreadsheets, Word documents and other files. In addition, the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor, and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files.

Global infection statistics

Based on Kaspersky Lab's analysis of NetTraveler's C&C data, there were a total of 350 victims in 40 countries, including the United States, Canada, United Kingdom, Russia, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran, Turkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan, and Jordan.

In conjunction with the C&C data analysis, Kaspersky Lab's experts used the Kaspersky Security Network (KSN) to identify additional infection statistics. The top ten countries with victims detected by KSN were Mongolia, followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany.

During Kaspersky Lab's analysis of NetTraveler, the company's experts identified six victims that had been infected by both NetTraveler and Red October, another cyberespionage operation analyzed by Kaspersky Lab in January 2013.

Although no direct links between the NetTraveler attackers and the Red October threat actors were observed, the fact that specific victims were infected by both of these campaigns indicates that these high-profile victims are being targeted by multiple threat actors because their information is a valuable commodity to the attackers.
