‘Dropping Elephant’ Is A New Cyber Espionage Group

Kaspersky Lab is monitoring a new cyber espionage group that it calls Dropping Elephant. A surprising — and somewhat worrying — feature is that this group achieves a high success rate with only low-tech attacks. In fact, it has been so successful that it seems to have expanded its group membership from (probably) just India to include new members on the Pacific West Coast of America.

“The modus operandi of ‘Dropping Elephant’ (also known as ‘Chinastrats’) could hardly be called sophisticated,” Kaspersky says. “The attackers rely heavily on social engineering and low-budget malware tools and exploits.”

The attacks start with mass emails to targets the group considers relevant: hundreds of thousands of them between November 2015 and June 2016. There is no malicious content at this stage, but if the email is opened, a simple ping request sends the browser type, IP address, device and location data back to the attackers.

From this data, Dropping Elephant selects specific targets for spear-phishing. This time, weaponized Word or PowerPoint documents are sent as attachments containing exploits for the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. Both have been patched by Microsoft, but combined with social engineering both are still used successfully. Alternatively, lures in the emails seek to send the targets to a watering hole disguised as a political news site.

Once a vulnerability has been successfully exploited, malware is downloaded to steal and exfiltrate spreadsheets, PowerPoint presentations, PDF files and any login credentials that are saved within the browser. One of the backdoors makes some attempt to obfuscate the C&C locations by disguising them within comments to articles on legitimate websites.

“This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors,” notes Kaspersky.

Analysis of attack activity leads Kaspersky to believe that the group is working out of India, or at least the UTC+5 and UTC+6 time zones. However, “since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.”

The primary targets for Dropping Elephant would seem to be “Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.” Kaspersky says there is no proof to suggest that a nation-state might be involved with the group.

The good news about these attacks is that they are low-tech and can easily be spotted. The bad news is that the group is still successful.

“Despite using such simple and affordable tools and exploits,” comments Vitaly Kamluk, head of Kaspersky’s APAC research center, “the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon.”

He also warns that just because the group isn’t using any sophisticated, hard-to-detect tools currently, this could change at any time.

InfoSecBuddy: http://bit.ly/2aCbK5o
