Wednesday, April 22, 2015

Kaspersky Lab Shares the Chronicles of Hellsing: a Spy vs Spy Story



A lot of cybercriminal stories seem like stuff we only get to see in movies. But I had the privilege to listen to a real life story of how Kaspersky Lab was able to record a rare and unusual example of one cybercriminal attacking another. Read on because this is interesting …

There was this small and technically unremarkable cyberespionage group called Hellsing, which targets mostly government and diplomatic organizations in Asia. In 2014, the group was subjected to a spear-phishing attack by another threat actor and decided to strike back.

Naikon's targets
Kaspersky Lab believes that this incident could be the beginning of a new trend in criminal cyberactivity: the Advanced Persistent Threat (APT) wars. Kaspersky Lab experts made the discovery while researching the activity of Naikon, a cyberespionage group that also targets organizations in the Asia-Pacific region.

Naikon’s targets were extremely wide-ranging but include institutions in the Philippines such as:
  • Office of the President
  • Armed Forces
  • Office of the Cabinet Secretary
  • National Security Council(s)
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • National Police
  • Presidential Management Staff
One of Naikon's targets spotted an attempt to infect its systems with a spear-phishing email carrying a malicious attachment. The target replied to the sender to question the authenticity of the email. Dissatisfied with the reply, the target did not open the attachment. Shortly after, the target forwarded to the sender an email containing the target's own malware.

Vicente Diaz, Principal Security Researcher of Kaspersky Lab's Global Research and Analysis Team (GReAT), shared that the move triggered an investigation, which led to the discovery of the Hellsing APT group. The counter-attack method indicated that Hellsing wanted to identify the Naikon group and gather intelligence on it. Upon deeper analysis, Kaspersky Lab revealed a trail of spear-phishing emails from Hellsing that carried malicious attachments designed to spread espionage malware among different organizations.

Vicente Diaz

If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files as well as updating and uninstalling itself. According to Kaspersky Lab's observations, Hellsing has been targeting close to 20 organizations.

With most of the victims located in Malaysia and the Philippines, Kaspersky has detected and blocked Hellsing malware in both countries as well as in India, Indonesia, and the U.S. The attackers were found to be very selective about the types of organizations they target, attempting to infect mostly government and diplomatic entities.

Hellsing’s infected email attachments related to the Philippines found by Kaspersky Lab experts had the following file names:
  • Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
  • PAF-ACES Fellowship Program.scr
  • Update SND Meeting with the President re Hasahasa Shoal Incident.scr
  • Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip
Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, finds Hellsing's targeting of the Naikon group fascinating, describing it as a vengeful, vampire-hunting 'Empire Strikes Back' style of attack. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists," he shares. "However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack."

Hellsing's targets
According to Kaspersky Lab analysis, the Hellsing threat actor has been active since at least 2012 and remains active. To protect against Hellsing attacks, Kaspersky Lab recommends the following basic security best practices:
  • Don't open suspicious attachments from people you don't know
  • Beware of password protected archives which contain SCR or other executable files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed
  • Update all third party applications such as Microsoft Office, Java, Adobe Flash Player, and Adobe Reader
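The second and third recommendations above (treat SCR files and executables hidden inside archives as dangerous, and sandbox anything uncertain) can be turned into a simple attachment screen at a mail gateway. The following is an added example, not Kaspersky's code or tooling; the sample attachment list is constructed here and reuses the file names the article lists, and the zip contents are a constructed stand-in, not a real Hellsing sample.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click; .scr (screensaver) is the one Hellsing used
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Archives the stdlib cannot open (.7z, .rar) still get flagged for manual/sandbox inspection
ARCHIVE_EXTS = {"zip", "7z", "rar"}


def _ext(name):
    """Last extension, lower-cased; handles double extensions such as 'report.pdf.scr'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_attachment(name, data=None):
    """Return (verdict, reason) for one attachment; verdict is 'block', 'inspect' or 'allow'."""
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable attachment (.{ext})"
    if ext == "zip" and data is not None:
        # Member names live in the unencrypted central directory, so a password-protected
        # zip still reveals an .scr inside without the password.
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "block", "corrupt or disguised zip"
        bad = [m for m in members if _ext(m) in EXECUTABLE_EXTS]
        if bad:
            return "block", "archive contains executable: " + ", ".join(bad)
        return "inspect", "archive without executables; open in a sandbox"
    if ext in ARCHIVE_EXTS:
        return "inspect", f"opaque .{ext} archive; open in a sandbox"
    return "allow", "no executable indicator in name"


def _build_sample_zip():
    """Constructed in-memory zip carrying an .scr member (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Washington DC Directory November 2012.scr", b"MZ placeholder")
    return buf.getvalue()


# Constructed sample: names from the article plus one benign attachment
SAMPLE_ATTACHMENTS = [
    ("PAF-ACES Fellowship Program.scr", None),
    ("Update SND Meeting with the President re Hasahasa Shoal Incident.scr", None),
    ("Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z", None),
    ("Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip", _build_sample_zip()),
    ("agenda.pdf", None),
]


def screen(attachments):
    """Screen a list of (name, bytes-or-None) pairs; returns (name, verdict, reason) triples."""
    return [(name, *classify_attachment(name, data)) for name, data in attachments]
```

Running `screen(SAMPLE_ATTACHMENTS)` blocks the two .scr files and the zip that hides an .scr, routes the .7z to a sandbox, and allows the PDF.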
FYI, Kaspersky Lab products successfully detect and block the malware used by both the Hellsing and Naikon actors. Learn more about the Empire Strikes Back espionage campaign by visiting Securelist.com.



According to Diaz, almost half (44.1%) of Kaspersky users in the Philippines have been infected by viruses this year, placing the Philippines 47th among 176 countries surveyed. Kaspersky Lab’s data also revealed that the Philippines hosted a total of 6,043 incidents during the first quarter of 2015, putting the Philippines in 78th place worldwide.

“When we talk about hosted malware, we have around 6,000 incidents in the Philippines for 2015. What is hosted malware? It means that some websites are infected and these websites are here in the Philippines. The servers are physically here,” Diaz explained.

Web malware, on the other hand, infected a total of 19.6% of users in the Philippines. This percentage puts the country in 83rd place worldwide.

Jimmy Fong with Diaz
On the other hand, Jimmy Fong, Channel Sales Director of Kaspersky Lab Southeast Asia, noted the economic growth of the Philippines and its possible implications for the future of the country's cyberthreat landscape. “As you see, Philippines is becoming richer and I see the value in the Philippines as well. The Philippines is calmer and the financial institutions are not aware of this kind of cyberthreats but someday, they will be for sure. This is why we’re starting to promote awareness about threats that may come to the Philippines in the future. Or maybe it’s already here but nobody knows,” he said.

Fong also said that Kaspersky Lab, as the leading provider of security solutions in the B2C market in Southeast Asia, is focusing more on the B2B sector amid recent cyberattacks against financial institutions. Recent reports showed the cybercriminal group called Carbanak stole almost $1 billion from 100 banks around the world.

How Carbanak was able to steal $1B from banks
“I think these kinds of incidents actually happen everywhere in the world as long as there is money. So I don’t think that this may not happen in this area. It can happen everywhere. It happened in Moscow, it may happen in Southeast Asia and it may happen in the Philippines as well,” Fong said.
