Central Asia: Who’s Responsible for a Malware Blitz on Government Computers?
Hundreds of government-related computers in Central Asia and Russia have been the targets of malware attacks since August 2010. The sophisticated virus planted on some of those computers appears designed to mine sensitive diplomatic information and financial data.
The malware has been dubbed the “Lurid Downloader” by hacking experts. Nobody yet knows who the hackers behind the attacks are, who they are working for, or exactly what information they are after. But researchers at TrendMicro, a web security firm, say the culprits appear to be seeking specific documents and spreadsheets from diplomatic missions, research agencies and some businesses.
According to a whitepaper written by Nart Villeneuve and David Sancho: “These attacks are not automated or indiscriminate, nor are they conducted by opportunistic amateurs. Known as targeted malware attacks, these attacks refer to computer intrusions staged by threat actors that aggressively pursue and compromise specific targets.”
Villeneuve and Sancho established that hackers compromised 1,465 computers in 61 different countries. They were able to identify 47 of the victims, including diplomatic missions, space-related agencies, research institutions and media companies.
Targets were sent an email with a virus-infected PDF attachment whose title suggested its contents were related to Tibet. Once opened, the virus was able to “take control of the computer and obtain data from it” by exploiting weaknesses in popular software such as Adobe (used to open PDF files) or Microsoft Office. “The attackers may then move laterally throughout the target’s network and are often able to maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and exfiltrate sensitive information from the victim’s network,” TrendMicro explained.
Bevan Lane, an information security and governance consultant with extensive experience in Central Asia, told EurasiaNet.org the virus was being continually adapted to evade detection. “It looks like this is an old virus, 2008, which has gone through many subtle changes to make it different enough for virus software to not pick it up. Email is the primary method used by attackers to infect machines in 2011 and these attacks are often targeted to ensure that they will be successful,” Lane said.
“In this case the attack has been targeted at the Russian/CIS countries and the content tailored to include a subject which targets in these countries will be interested in clicking on, like the Dalai Lama. Adobe is a major weakness in terms of security, as many government departments have old Adobe versions which hackers can easily attack and install malware on even if there are anti-virus or operating system patches installed,” he added.
TrendMicro is not willing to divulge exactly which entities were targeted, but it asserts that on June 13-14 of this year government computers in Kazakhstan, Kyrgyzstan, Turkmenistan, and Uzbekistan were infected. Separately, Kazakh government computers located in Germany and Kyrgyzstan, Tajik government computers in Russia, Kyrgyz government computers in Austria, and Chinese government computers in Kazakhstan were compromised in June and July.
Lane said these sorts of attacks are typically after sensitive information. “This attack was targeted to get information from PCs such as passwords, confidential government information, or even financial information. The attackers would get on the machine and then look for what was useful on it and try and harvest this information. Once the user has clicked on the attachment he will have no idea what is happening on his machine,” he said.
“As to who is conducting this attack as per the TrendMicro report, we can guess and it would normally either be another government or private groups of hackers who are getting this information for financial gain. They can sell the information to interested parties or use it to find out confidential information that the governments are trying to protect.
“It’s a murky world and the bad guys are finding new ways all the time and we need to educate our users not to click on email attachments unless they are certain who it is from and be vigilant in terms of updating software such as Windows patches, anti-virus and then Adobe,” Lane added.
Deirdre Tynan is a Bishkek-based journalist specializing in Central Asian affairs.