
Asian hacker group Calypso has been attacking government agencies since 2016

Positive Technologies experts have discovered the hacker group Calypso, which has been operating since 2016 and whose main targets are government agencies.

The group is currently active in six countries. According to the experts, organizations in India (34% of the victims), Brazil and Kazakhstan (18% each), Russia and Thailand (12% each) and Turkey (6%) have already suffered from the group’s actions.

“The PT Expert Security Center first took note of Calypso in March 2019 during threat hunting. Our specialists collected multiple samples of malware used by the group. They have also identified the organizations hit by the attackers, as well as the attackers’ C2 servers,” Positive Technologies specialists write.

According to the data obtained, the identified APT group is presumably of Asian origin and Chinese-speaking. In one of the attacks, the group used the PlugX malware, which is traditionally used by many APT groups of Chinese origin, as well as the Byeby Trojan, which was used in the SongXY malware campaign in 2017.


In one of the attacks, the group used Calypso RAT, PlugX and the Byeby Trojan. Calypso RAT is malware unique to the group and is analyzed in detail in the researchers’ full report.

Many APT groups of Asian origin have traditionally used PlugX. Using PlugX does not in itself point to a specific group, but it generally indicates an actor of Asian origin.

In addition, during some attacks the attackers mistakenly revealed their real IP addresses, which belong to Chinese providers.

The attackers breached the network perimeter and planted a special program on it, through which they gained access to the internal networks of the compromised organizations.

As the investigation showed, the attackers move inside the network either by exploiting the remote code execution vulnerability MS17-010 (the well-known EternalBlue exploit targets precisely this bug, which is also tracked as CVE-2017-0144) or by using stolen credentials.
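As an added example (not code from the article or from Positive Technologies), the following PowerShell script audits a Windows host for the MS17-010 exposure described above: whether SMBv1 is still enabled, whether a listed hotfix is present, and whether port 445 is listening. The KB list is a placeholder to fill from the Microsoft bulletin for your OS build, and the -Remediate switch is an assumed option of this script, not a Windows feature.

```powershell
# Added example, not from the article: audit a Windows host for exposure to the
# MS17-010 / CVE-2017-0144 lateral-movement vector. Run from an elevated prompt.
# Assumption: $Ms17010Kbs is a placeholder; fill it with the MS17-010 KB numbers
# for your exact Windows build from the Microsoft bulletin (they differ per version).
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-OS-BUILD'),
    [switch]$Remediate   # if set, disable the SMBv1 server protocol on an exposed host
)

$findings = [ordered]@{}

# 1. Is the SMBv1 server protocol enabled? EternalBlue only works against SMBv1.
$smb = Get-SmbServerConfiguration
$findings['SMB1Enabled'] = [bool]$smb.EnableSMB1Protocol

# 2. Is the SMB1 optional feature still installed? (Client SKUs; on servers
#    use Get-WindowsFeature FS-SMB1 instead.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$findings['SMB1FeatureState'] = if ($feature) { $feature.State.ToString() } else { 'n/a' }

# 3. Is any of the listed MS17-010 hotfixes installed?
$installed = (Get-HotFix).HotFixID
$findings['MS17010Patched'] = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# 4. Is SMB (TCP/445) listening? Listening is normal on file servers; the risk is
#    reachability from other subnets, which firewall rules should limit.
$findings['Port445Listening'] = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]$findings | Format-List

if ($findings['SMB1Enabled'] -and -not $findings['MS17010Patched']) {
    Write-Warning 'Host is exposed to MS17-010-style lateral movement: SMBv1 is on and no listed hotfix was found.'
    if ($Remediate) {
        # Disabling SMBv1 removes the EternalBlue attack surface; patching is still required.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server protocol disabled.'
    }
}
```

Stolen-credential movement, the group's other vector, is not covered by this check; that is addressed by credential hygiene and monitoring of remote logons rather than by a host setting.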

Denis Kuvshinov

“The success of this group’s attacks is greatly facilitated by the fact that most of the utilities it uses to advance within the network are widely used by specialists around the world for network administration. The group used public utilities and exploits, for example SysInternals and Mimikatz, EternalBlue and EternalRomance. With the help of common exploits, the criminals infect computers on the organization’s local network and steal confidential data,” said Denis Kuvshinov, a leading specialist of the cyber threat research group.

The group has several successful hacks to its credit, but it still makes mistakes that allow its origins to be guessed.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after that I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
