Naikon’s targets were extremely wide-ranging and included institutions in the Philippines such as:
- Office of the President
- Armed Forces
- Office of the Cabinet Secretary
- National Security Council(s)
- Office of the Solicitor General
- National Intelligence Coordinating Agency
- Civil Aviation Authority
- Department of Justice
- National Police
- Presidential Management Staff
Vicente Diaz, Principal Security Researcher of Kaspersky Lab's Global Research and Analysis Team (GReAT), shared that the move triggered an investigation, which led to the discovery of the Hellsing APT group. The counter-attack method indicated that Hellsing wanted to identify the Naikon group and gather intelligence on it. Upon deeper analysis, Kaspersky Lab revealed a trail of spear-phishing emails from Hellsing with malicious attachments designed to spread espionage malware among different organizations.
If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files as well as updating and uninstalling itself. According to Kaspersky Lab's observations, Hellsing has been targeting close to 20 organizations.
The Philippines-related malicious email attachments from Hellsing that Kaspersky Lab experts found had the following file names:
- Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
- PAF-ACES Fellowship Program.scr
- Update SND Meeting with the President re Hasahasa Shoal Incident.scr
- Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip

Basic precautions against attacks of this kind:
- Don't open suspicious attachments from people you don't know
- Beware of password protected archives which contain SCR or other executable files inside
- If you are unsure about the attachment, try to open it in a sandbox
- Make sure you have a modern operating system with all patches installed
- Update all third party applications such as Microsoft Office, Java, Adobe Flash Player, and Adobe Reader
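
The attachment names listed above and the warning about password-protected archives holding SCR files can be expressed as a simple mail-attachment check. This is an added example, not Kaspersky Lab's code: the extension lists and the `triage` and `constructed_sample_zip` helpers are assumptions made for illustration, and the sample ZIP is constructed in memory.

```python
import io
import zipfile

# Extensions Windows runs directly; .scr is the one used in the lures above.
# Both lists are illustrative assumptions, not a complete policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}


def ext(name):
    """Lower-cased final extension, or '' when the name has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def triage(filename, data=None):
    """Return a list of findings for one e-mail attachment."""
    findings = []
    e = ext(filename)
    if e in EXECUTABLE_EXTS:
        findings.append("executable attachment: " + e)
    if data is not None and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Standard ZIP encryption leaves entry names readable in the
            # central directory, so no password is needed to list them.
            for info in zf.infolist():
                if ext(info.filename) in EXECUTABLE_EXTS:
                    kind = "password-protected " if info.flag_bits & 0x1 else ""
                    findings.append(f"{kind}archive contains executable: {info.filename}")
    elif e in ARCHIVE_EXTS:
        # No bytes available, or a format the standard library cannot list.
        findings.append("archive not inspected, open in a sandbox")
    return findings


def constructed_sample_zip(member, encrypted):
    """Build a tiny constructed ZIP in memory; optionally mark its entry encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        raw[cd + 8] |= 0x01           # general-purpose flag bit 0 = encrypted
    return bytes(raw)
```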
“When we talk about hosted malware, we have around 6,000 incidents in the Philippines for 2015. What is hosted malware? It means that some websites are infected and these websites are here in the Philippines. The servers are physically here,” Diaz explained.
Web malware, on the other hand, infected a total of 19.6% of users in the Philippines. This percentage put the country at 83rd place worldwide.
[Image: Jimmy Fong with Diaz]
Fong also said that Kaspersky Lab, as the leading provider of security solutions in the B2C market in Southeast Asia, is focusing more on the B2B sector amid recent cyberattacks against financial institutions. Recent reports showed the cybercriminal group called Carbanak stole almost $1 billion from 100 banks around the world.
[Image: How Carbanak was able to steal $1B from banks]