Blind Eagle (APT-C-36) used the Imminent Monitor RAT to upload malware to computers and steal trade secrets from Colombian government agencies last week.
Imminent Monitor allows attackers to control Windows servers remotely as administrative users. APT-C-36 took advantage of this, targeting corporations in the finance and oil industries in Colombia. Qihoo 360 discovered that the attacks started as far back as April 2018, with the hackers disguising themselves as the National Cyberpolice and the General Prosecutor's Office of Colombia. They stole intellectual property from both government agencies and large corporations within Colombia. The hackers used phishing emails to target institutions such as the Colombian Bank of the West.
The rise of espionage attacks
Geopolitically motivated cyber-attacks were once the domain of government agencies alone. However, tactics are changing: corporations are now a platform hackers use to achieve espionage objectives indirectly, and this form of cyber attack is rising significantly. Phishing is an area where organisations are extremely vulnerable, and hackers know this. A lack of resources results in staff succumbing to this manipulation, effectively causing the organisation to fall victim to such attacks.
Palo Alto Networks identified another APT actor, named Windshift, behind a series of spear-phishing attacks targeting Middle Eastern government agencies. The attacks occurred between January and May of last year and involved the usual remote takeover and extraction of credentials and files.
DarkMatter, the researchers who discovered Windshift, noticed that it targeted specific individuals, much like Bahamut. Bahamut was another phishing campaign with espionage intent that targeted the Middle East and South Asia; it surfaced in 2017 and ran propaganda sites. Its attacks consisted of impersonating platform providers to manipulate users into divulging their passwords. Like Bahamut, Windshift stole credentials belonging to diplomats and political figures. When researchers discovered Bahamut, they likened it to the Operation Kingphish campaign and linked it to Urpage in the same year.
The similarity in tactics not only emphasises the shift towards targeting corporations for trade secrets, but also highlights how organisations are used to obtain the information needed from nation-state agencies, and vice versa. With APT-C-36, for example, emails were made to look like they came from companies such as Chevron. In the latest attack, the hackers impersonated the Tax and Customs Administration to attack the Institute for the Blind. The cyber attacks targeting the Middle East prompted users to reset their passwords for accounts with large corporations such as Google and Apple iCloud.
Following 2018 trends and patterns, researchers globally forecast a rise in espionage-related attacks, and with them phishing attacks, so this development does not come as a surprise.