The recent G20 summit in St Petersburg, Russia has been used as a lure by cyber espionage operators in a phishing operation targeting a range of individuals in the financial, government and economic development sectors. The attack vector is an email purporting to come from a G20 staffer; it carries a number of documents apparently from the UK government alongside a disguised malware attachment. The malware installs a Remote Access Trojan (RAT), known as Poison Ivy, which gives the attackers access to the target’s computer and, from there, potentially to the wider network on which that computer sits.
The Poison Ivy RAT has been used extensively in previous cyber espionage operations, notably in a 2011 campaign targeting intellectual property in the chemical industry. While definitive attribution is problematic in the cyber environment, we assess that these operations and the malware itself are linked to cyber espionage operations conducted by the People’s Republic of China....
In a further cyber espionage development, we are aware of changes to another piece of malware known as NetTraveler. The malware has been the cornerstone of a campaign that has targeted more than 350 individuals in more than 40 countries, ranging from political activists to military contractors and embassies. The malware’s controllers have recently updated its attack method, moving from exploiting vulnerabilities in Microsoft Office to flaws in the Java software platform. As with the Poison Ivy attacks, we assess that NetTraveler originates from the People’s Republic of China, forming part of a large and persistent cyber espionage campaign against a range of government, military, political and commercial targets.
As with the Poison Ivy campaign, NetTraveler is in part spread by phishing emails designed to look like legitimate communications and intended to drive the recipient to open a malicious attachment or click on a malicious link. Another attack vector used is the so-called ‘Watering Hole’ method, in which attackers implant the malware on a website that targets of interest are expected to visit, in the same way that predators wait at watering holes their prey are likely to use. The continuing level of activity in these campaigns, together with the breadth of their operations, emphasises the need for individuals at all levels within a firm to be risk-aware when handling email and browsing the internet.