FireEye experts have been tracking the Operation Beebus campaign for a few months now, and their latest research suggests that whomever is responsible for the attacks is ultimately interested in stealing drone technology-related secrets.
Operation Beebus is an APT-style attack campaign targeting government agencies in the United States and India as well as numerous aerospace, defense, and telecom industry organizations. The attackers are targeting these groups with a yet unseen backdoor-Trojan called Mutter that exploits known vulnerabilities.
The domains and command and control servers running this campaign are located all over the world and FireEye believes that the infamous Comment Crew is responsible for the campaign. Comment Crew is the same group that Mandiant recently uncovered as APT 1, a secret unit of China’s People’s Liberation Army tasked with hacking into and stealing information from international companies and governments.
In at least one case, FireEye observed a spear phishing attack that deployed a malicious attachment masquerading as a document containing details about the Pakistani military’s advances in drone technology. The document is attributed to Aditi Malhotra, an Associate Fellow at the Centre for Land Warfare Studies (CLAWS) in New Delhi. Malhorta is apparently a real person with writings that can be found online, but it is not clear if she actually wrote the document or if the attackers are just using her name. A second document is all mixed up, with a contact email from Andrews Air Force Base in Maryland and a physical address in Pakistan. Other documents used are either blank or contain unreadable characters.
Interestingly, the malware is making use of an evasion technique similar to one deployed by those that attacked South Korean banks and broadcasters last month. In essence, the attackers designed the malware so that it delays execution and remains inactive on host systems for as long as possible. The idea here, FireEye researcher James Bennett explains, is that if the malware waits long enough, then the scanner will give up on its analysis and pass the malware off as benign software. In this way, the malicious software is better at avoiding the dynamic detection methods deployed by most malware scanners.
Bennett claims that Operation Beebus is designed to pilfer all sorts of information related to air-, sea-, and land-based drone technology. Bennett says that he has seen the campaign attempt to steal research, design, and manufacturing specifications for drone vehicles and subsystems from more than 20 target organizations. At least one of those targets was, according to Bennett, an academic institution receiving military funding for its unmanned vehicle research.
The Mutter Backdoor itself, which is among the common threads across the entire Operation Beebus campaign, comes in two varieties. Both are DLL droppers. You can read the technical details along with the rest of the FireEye analysis here.