The hidden world of cyber-espionage has come to light again with the exposure of a group that has been operating in secret since at least 2015. Symantec, which named the group ‘Sowbug’, reports that it uses a previously undocumented piece of malware, dubbed ‘Felismus’, to attack governments and government organizations. The group is believed to have conducted covert intrusions and document theft against foreign policy institutions.
These attacks were also directed at government institutions and diplomatic targets in South America, including Argentina, Ecuador, and Peru, as well as organizations and government departments in South East Asia, including Malaysia. In its report, Symantec described the group as well resourced and capable of infiltrating multiple targets simultaneously, and noted that it often operates outside the victim’s working hours.
Evidence of Sowbug first appeared in March this year, with a targeted attack on an unnamed organization in Asia. Analysis of the malware allowed researchers to link earlier campaigns to the group, indicating that it had been active for several years before it was discovered. Symantec also noted that targeted attacks on South American countries are uncommon compared with those on the USA, Europe, and Asia.
The group is believed to have staged its attacks using fake, malicious software updates, although it is still unclear how the attackers first gained access to victims’ networks. Once inside, the group appears to have used a tool Symantec calls “Starloader” to deploy additional malware, including credential-stealing software and keyloggers; Starloader is distributed disguised as updates for Adobe software such as Acrobat. According to Symantec’s report, in one 2015 attack the group searched for very specific government data.
In that attack, the group attempted to extract Word documents stored on a file server that the malware had compromised. The group aims to maintain a long-term presence on infected computers: once a machine is compromised, the malware can lie dormant, sometimes for months at a time.
The malware gives its files names similar to those used by legitimate software and places them in directory trees that may be mistaken for the legitimate software’s own. Symantec stated that by doing this the malware camouflages itself from users and security software alike and remains undetected. Operating outside business hours further helped the attackers avoid notice.
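The masquerading technique described above (lookalike file names placed in lookalike directory trees, delivered under the guise of Adobe updates) suggests a simple hunting check. The following script is an added example written for this article; it is not code from the original piece or from Symantec’s analysis of Sowbug. It flags an executable when its name or parent directory is a near-miss of a known vendor binary but the full path is not the vendor’s canonical one. The allow-list entries, edit-distance thresholds and the sample inventory are constructed for illustration and are not taken from the report.

```python
"""Heuristic scan for executables masquerading as legitimate vendor software.

Added example, not code from the article or from Symantec's Sowbug/Felismus
report. It implements the generic detection idea behind the technique the
article describes: a file whose name or parent directory closely resembles a
known vendor binary, but which does not sit at the vendor's canonical path,
deserves a closer look. All vendor paths and sample entries are constructed.
"""
import ntpath

# Constructed allow-list of a few well-known binaries and the directory each is
# expected to live in. Hypothetical values for this example, not a vetted list.
KNOWN_GOOD = {
    "acrobat.exe": r"C:\Program Files\Adobe\Acrobat DC\Acrobat",
    "acrord32.exe": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader",
    "armsvc.exe": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0",
}

# How many character edits still count as "looks like" the real thing.
NAME_DISTANCE = 2   # e.g. acrobatt.exe, acrobat32.exe
DIR_DISTANCE = 3    # e.g. ...\Adobe\Acrobat DC\Acrobatt


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize_dir(directory):
    """Case-fold and strip a trailing backslash so paths compare reliably."""
    return directory.lower().rstrip("\\")


def classify(path):
    """Return None for a path that matches the allow-list exactly or is
    unrelated to it, otherwise a short verdict saying why it looks like a
    masquerade."""
    directory, name = ntpath.split(path)
    name_l = name.lower()
    dir_l = normalize_dir(directory)

    if name_l in KNOWN_GOOD:
        canonical = normalize_dir(KNOWN_GOOD[name_l])
        if dir_l == canonical:
            return None                      # right name, right place
        if levenshtein(dir_l, canonical) <= DIR_DISTANCE:
            return "lookalike-directory"     # right name, near-miss directory
        return "wrong-directory"             # right name, unexpected location

    # Unknown name: is it a near-miss of a name we do know?
    nearest = min(KNOWN_GOOD, key=lambda good: levenshtein(name_l, good))
    if levenshtein(name_l, nearest) <= NAME_DISTANCE:
        return "lookalike-filename"
    return None                              # unrelated software, leave it


def scan(paths):
    """Return {path: verdict} for every path that classify() flags."""
    findings = {}
    for p in paths:
        verdict = classify(p)
        if verdict:
            findings[p] = verdict
    return findings


# Constructed inventory standing in for the output of a real disk or process walk.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",    # legitimate
    r"C:\Users\Public\Acrobat.exe",                               # known name, odd place
    r"C:\Program Files\Adobe\Acrobat DC\Acrobatt\Acrobat.exe",   # directory off by one letter
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobatt.exe",   # name off by one letter
    r"C:\Program Files\Notepad++\notepad++.exe",                  # unrelated, clean
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{verdict:20} {path}")
```

Fed a real inventory (for example the image paths of running processes or a walk of the Program Files trees), the three verdicts separate "known binary in the wrong place" from "unknown binary with a borrowed-looking name", which is the distinction an analyst needs before pulling the file for closer inspection. The thresholds are deliberately tight; raising them trades more catches for more false positives from legitimately versioned install directories.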
In one case the group remained undetected on a target’s network for nearly six months. While the origins of the group may never be established, it is believed, like many similar groups, to be state-sponsored and well funded, and such groups are notoriously difficult to trace. Previous groups and toolsets to make headlines in this way include BlackEnergy and Fancy Bear.