‘Dropping Elephant’ Is A New Cyber Espionage Group

Kaspersky Lab is monitoring a new cyber espionage group that it calls Dropping Elephant. A surprising — and somewhat worrying — feature is that this group achieves a high success rate with only low-tech attacks. In fact, it has been so successful that it seems to have expanded its membership from (probably) just India to include new members on the Pacific West Coast of America.

“The modus operandi of ‘Dropping Elephant’ (also known as ‘Chinastrats’) could hardly be called sophisticated,” Kaspersky says. “The attackers rely heavily on social engineering and low-budget malware tools and exploits.”

The attacks start with mass emails to targets the group considers relevant: hundreds of thousands of them between November 2015 and June 2016. There is no malicious content at this stage, but if the email is opened, a simple ping request sends the browser type, IP address, device and location data to the attackers.
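The “ping” described above is the classic email tracking beacon: a remote image that the mail client fetches on open, disclosing the recipient's IP address and client details. The following detector is an added example, not code from the article or from Kaspersky's report; it parses a constructed HTML email body with the standard library and reports remote loads, scoring the indicators (1x1 size, hidden style, per-recipient query string) that make a remote image look like a beacon rather than a logo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample HTML email body: one legitimate inline (cid:) image and one
# invisible 1x1 remote image carrying a per-recipient identifier, i.e. a beacon.
SAMPLE_HTML = """<html><body>
<p>Dear colleague, please see the attached briefing.</p>
<img src="cid:logo@example" width="200" height="60">
<img src="http://tracker.example.invalid/p.gif?id=8f31c2&u=jdoe" width="1" height="1" style="display: none">
</body></html>"""

def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unknown."""
    if value is None:
        return None
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None

class BeaconFinder(HTMLParser):
    """Collect <img>/<iframe> elements that load from a remote host. Every such
    load discloses the client on open; extra indicators raise suspicion."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; they cannot phone home
        reasons = ["remote load on open discloses IP address and client"]
        if _px(a.get("width")) == 1 and _px(a.get("height")) == 1:
            reasons.append("1x1 pixel")
        if "display:none" in (a.get("style") or "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if parse_qs(url.query):
            reasons.append("query string may identify the recipient")
        self.beacons.append({"host": url.hostname, "url": src, "reasons": reasons})

def find_beacons(html_body):
    """Return suspected tracking beacons in an HTML email body, most suspicious first."""
    finder = BeaconFinder()
    finder.feed(html_body)
    return sorted(finder.beacons, key=lambda b: len(b["reasons"]), reverse=True)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_HTML):
        print(f"{b['host']}: {', '.join(b['reasons'])}")
```

The same check is what a mail client's “block remote content” setting enforces wholesale; the script is useful on a gateway where you want to log which messages carry beacons rather than silently drop them.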

From this data, Dropping Elephant selects specific targets for spear-phishing. This time, weaponized Word or PowerPoint documents are sent as attachments containing exploits for the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. Both have been patched by Microsoft, but combined with social engineering both are still exploited successfully. Alternatively, lures in the emails seek to send the targets to a watering hole disguised as a political news site.

Once a vulnerability has been successfully exploited, malware is downloaded to steal and exfiltrate spreadsheets, PowerPoint presentations, PDF files and any login credentials that are saved within the browser. One of the backdoors makes some attempt to obfuscate the C&C locations by disguising them within comments to articles on legitimate websites.

“This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors,” notes Kaspersky.

Analysis of attack activity leads Kaspersky to believe that the group is working out of India, or at least the UTC+5 and UTC+6 time zones. However, “since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.”

The primary targets for Dropping Elephant would seem to be “Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.” Kaspersky says there is no proof to suggest that a nation-state might be involved with the group.

The good news about these attacks is that they are low-tech and can easily be spotted. The bad news is that the group is still successful.

“Despite using such simple and affordable tools and exploits,” comments Vitaly Kamluk, head of Kaspersky’s APAC research center, “the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon.”

He also warns that just because the group isn’t using any sophisticated, hard-to-detect tools currently, this could change at any time.

InfoSecBuddy: http://bit.ly/2aCbK5o
