A five-year campaign primarily focused on extracting sensitive information from Japanese oil, gas, and electric utilities was outlined by researchers on Tuesday.
Referred to as Operation Dust Storm (.PDF) by researchers at Cylance, the campaign has managed to stay persistent over the years, and especially lately, by using dynamic DNS domains and customized backdoors.
While the group has recently narrowed its sights on Japan, it’s also attacked industries in South Korea, the United States, and Europe, the firm claims.
Activity surrounding the campaign really picked up steam in 2015, when a handful of backdoors with hardcoded proxy addresses and credentials surfaced. Researchers traced those addresses back and noticed that a slew of corporations across the oil, natural gas, construction, and transportation sectors had been compromised.
New SPEAR research: Extended campaign against Japanese critical infrastructure: https://t.co/jq8fwhObyQ #opduststorm pic.twitter.com/kG4X6hmJiG
— Cylance, Inc. (@cylanceinc) February 23, 2016
There was a wave of attacks that year, including a major Japanese automaker in February, and a Japanese subsidiary of a South Korean electric utility and other critical infrastructure outfits in July and October.
The campaign also began using custom Android backdoors in 2015 – at first the Trojan forwarded SMS messages, and later in the year, specific files, from infected devices to C&C servers.
Like many groups in the early 2010s, early iterations of Dust Storm’s activity revolved around zero days in Internet Explorer and Flash.
For example, in 2011 the attackers used an IE 8 vulnerability to infiltrate networks. They were also seen sending victims spear phishing emails with Word documents rigged with a zero day Flash exploit, CVE-2011-0611. According to Cylance, in 2012 the attackers used the same Flash exploit, coupled with another IE exploit, CVE-2012-1889, to hit victims.
In addition to the IE and Flash vulnerabilities, the group relied mostly on phishing attacks in its infancy. In 2011 it tried to siphon up Yahoo and Windows Live credentials through domains it set up, and later that year it capitalized on the Libyan crisis with emails about Muammar Gaddafi sent to US government and defense targets.
While the backdoor dropped through these exploits made headlines years ago, Cylance claims that reports around the group have mostly dissipated since.
It was Dust Storm’s foray into duplicitous backdoors and proxies targeting Japanese resources that prompted researchers to investigate it in earnest last year.
“As the group became more and more focused on Japan, less and less of their tactics and malware appeared in reports or write-ups. The targets identified escalated both in size and in the scope of affected industries,” the report, penned by the firm’s Director of Threat Intelligence Jon Gross, reads.
While the Android Trojans only hit victims in Japan and South Korea, Gross acknowledges that the campaign around the attacks was “massive in comparison to previous operations,” boasting over 200 domains.
Officials with SPEAR, Cylance’s research division, make a point of saying that they don’t believe the Dust Storm attacks are intended to be destructive, but that they may be part of a long con, with their goals most likely “reconnaissance and long-term espionage.”
While the attacks are ongoing, the researchers, who worked with the Japanese Computer Emergency Response Team (JP-CERT) to investigate the group, say they published their research in the hope of stunting the group’s progress.
Cylance doesn’t directly attribute the Dust Storm attacks to any group of individuals, but does hint that from March 2013 to August 2013 it observed a “remarkable decrease” in the amount of malware it was able to gather surrounding the campaign. It acknowledges, however, that Mandiant’s APT1 report, which was published in February of that year, follows more or less the same timeline.
In that report Mandiant outlined a series of cyber espionage campaigns carried out over the course of several years on a broad palette of victims by a Chinese threat organization, APT1.