War in Cyberspace — Hellsing vs. Naikon
The elite cyber crime group Hellsing strikes back after attack by the rival APT crew known as Naikon. This is the first documented case of APT-on-APT attack.
What happens when an APT group running a cyber espionage campaign target a second distinct APT group?
The events occurred last year, when a group involved in a cyber espionage campaign dubbed Hellsing sent a spear phishing email to a rival hacking team, the Naikon APT, which is one of the Asian largest APT gangs.
“The email in this case originates from a government email … and is directed to the Naikon attackers. They decided to strike back at the attacker, a spy-on-spy sort of move,” explained Costin Raiu, head of Kaspersky’s global research and analysis team. “They [Hellsing] are interested in infecting other APTs and learning about their operations,”
Naikon APT has been active for several years, its operations targeted entities in various industries including governments and the military. The hacking crew targeted diplomats, law enforcement, and aviation authorities in many Asian countries such as the Philippines, Malaysia, Cambodia, and Indonesia.
The singular discovered was made by experts at Kaspersky Team that provided a detailed analysis of the attack. The Hellsing APT attached a payload used to serve a powerful malware that infects the victim’s PC.
Researchers at Kaspersky Lab explained that Hellsing surgically selected about 20 organizations, limiting its operation to the US, Malaysia, the Philippines, Indonesia, and India. The name Hellsing comes from the project title left by a developer in a malicious source code used by the hacking team.
Experts at Kaspersky consider very singular the circumstance and believe that it could be the beginning of a new dangerous trend in the criminal ecosystem, they defined the activities as the APT-on-APT attacks.
“The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack.” reports the analysis published by Kaspersky.
The battle between the two APT groups began last February when Naikon run a spear phishing campaign on a number of adversaries, including the Hellsing. On the other end, the Hellsing group once discovered the malicious campaign and its source started its counteroffensive.
In March 2014, a few weeks after Naikon targeting other APT groups, including the Hellsing APT, the team launched a spear phishing campaign on most of the countries involved in the search for the disappeared Malaysia Airlines Flight MH370. The campaign targeted a wide range of entities, including institutions with access to information related to the disappearance of MH370.
The analysis of the command and control infrastructure revealed that Hellsing has ties to fellow other groups, including PlayfulDragon, Mirage, Vixen Panda, Cycldek and Goblin Panda.
I suggest you carefully read this report that details an operation that is considered the first APT-on-APT attack that has been witnessed by the experts.
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
This article originally appeared here. Republished with permission of the author.