‘Dropping Elephant’ Is A New Cyber Espionage Group

Uploaded on 2016-08-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

Kaspersky Lab is monitoring a new cyber espionage group that it calls Dropping Elephant. A surprising — and somewhat worrying — feature is that this group achieves a high success rate with only low tech attacks. In fact, it has been so successful that it seems to have expanded it group membership from (probably) just India to include new members on the Pacific West Coast of America.

“The modus operandi of ‘Dropping Elephant’ (also known as ‘Chinastrats‘) could hardly be called sophisticated,” Kaspersky says. “The attackers rely heavily on social engineering and low-budget malware tools and exploits.”

The attacks start with mass emails to targets it considers relevant, hundreds of thousands between November 2015 and June 2016. There is no malicious content at this stage; but if the email is opened, a simple ping request sends type of browser, IP address, device and location data to the attackers.

From this data, Dropping Elephant selects specific targets for spear-phishing. This time weaponized Word or PowerPoint documents are sent as attachments containing exploits for the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. Both have been patched by Microsoft, but with social engineering both are still used successfully. Alternatively, lures in the emails seek to send the targets to a watering hole disguised as a political news site.

Once a vulnerability has been successfully exploited, malware is downloaded to steal and exfiltrate spreadsheets, PowerPoint presentations, PDF files and any login credentials that are saved within the browser. One of the backdoors makes some attempt to obfuscate the C&C locations by disguising them within comments to articles on legitimate websites.

“This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors,” notes Kaspersky.

Analysis of attack activity leads Kaspersky to believe that the group is working out of India, or at least the UTC+5 and UTC+6 time zones. However, “since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.”

The primary targets for Dropping Elephant would seem to be “Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.” Kaspersky says there is no proof to suggest that a nation-state might be involved with the group.

The good news about these attacks are that they are low-tech and can easily be spotted. The bad news is that the group is still successful.

“Despite using such simple and affordable tools and exploits,” comments Vitaly Kamluk, head of Kaspersky’s APAC research center, “the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon.”

He also warns that just because the group isn’t using any sophisticated, hard-to-detect tools currently, this could change at any time.

InfoSecBuddy: http://bit.ly/2aCbK5o

« The Race To Regulate Self-Driving Cars
Deep Mystery: Looking For MH370 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IBackup

IBackup

IBackup is a Web Based Online Backup service provider.

Agari

Agari

Agari is the Trusted Email Identity Company™, protecting brands and people from devastating phishing and socially-engineered attacks.

Norwegian Center for Information Security (NorSIS)

Norwegian Center for Information Security (NorSIS)

NorSIS) is an independent organization that works to increase knowledge and understanding of information security for businesses and individuals.

Advisen

Advisen

Advisen is the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market including cyber risk.

Exabeam

Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations.

Cynerio

Cynerio

Cynerio develops cybersecurity protections for medical devices, comparing network behavior with a database of medical workflows.

Cybertron

Cybertron

Cybertron services include real-time monitoring and incident response and a cyber range for competency development.

Abion

Abion

At Abion (formerly BRANDIT), we empower your business by providing comprehensive brand protection and web security services.

Yellow Brand Protection

Yellow Brand Protection

Yellow Brand Protection operates 24/7 to protect brands' Intellectual Property (IP) from infringements on all kinds of online distribution channels.

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

CSRI solves the cyber security threats of tomorrow, today. We work with industry and government leaders on innovative research that has real-world impact.

FYEO

FYEO

FYEO is a threat monitoring and identity access management platform for consumers, enterprises and SMBs.

Techmentum

Techmentum

At Techmentum, our mission is to utilize technology to help companies succeed. Our expertise includes fully managed IT services, cybersecurity, cloud, and custom technology solutions.

CXI Solutions

CXI Solutions

CXI Solutions: Your trusted partner in cybersecurity. We offer a full range of cybersecurity solutions to protect your business from digital attacks and virtual threats.

Anzen Technology Systems

Anzen Technology Systems

Anzen create software solutions which allows organisations to utilize the public cloud for sensitive or classified information, whilst increasing data security and retaining data sovereignty.

Alcatel-Lucent Enterprise (ALE)

Alcatel-Lucent Enterprise (ALE)

We are Alcatel-Lucent Enterprise. Our mission is to make everything connect with digital age networking, communications and cloud solutions.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.