‘Dropping Elephant’ Is A New Cyber Espionage Group

Uploaded on 2016-08-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

Kaspersky Lab is monitoring a new cyber espionage group that it calls Dropping Elephant. A surprising — and somewhat worrying — feature is that this group achieves a high success rate with only low tech attacks. In fact, it has been so successful that it seems to have expanded it group membership from (probably) just India to include new members on the Pacific West Coast of America.

“The modus operandi of ‘Dropping Elephant’ (also known as ‘Chinastrats‘) could hardly be called sophisticated,” Kaspersky says. “The attackers rely heavily on social engineering and low-budget malware tools and exploits.”

The attacks start with mass emails to targets it considers relevant, hundreds of thousands between November 2015 and June 2016. There is no malicious content at this stage; but if the email is opened, a simple ping request sends type of browser, IP address, device and location data to the attackers.

From this data, Dropping Elephant selects specific targets for spear-phishing. This time weaponized Word or PowerPoint documents are sent as attachments containing exploits for the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. Both have been patched by Microsoft, but with social engineering both are still used successfully. Alternatively, lures in the emails seek to send the targets to a watering hole disguised as a political news site.

Once a vulnerability has been successfully exploited, malware is downloaded to steal and exfiltrate spreadsheets, PowerPoint presentations, PDF files and any login credentials that are saved within the browser. One of the backdoors makes some attempt to obfuscate the C&C locations by disguising them within comments to articles on legitimate websites.

“This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors,” notes Kaspersky.

Analysis of attack activity leads Kaspersky to believe that the group is working out of India, or at least the UTC+5 and UTC+6 time zones. However, “since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.”

The primary targets for Dropping Elephant would seem to be “Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.” Kaspersky says there is no proof to suggest that a nation-state might be involved with the group.

The good news about these attacks are that they are low-tech and can easily be spotted. The bad news is that the group is still successful.

“Despite using such simple and affordable tools and exploits,” comments Vitaly Kamluk, head of Kaspersky’s APAC research center, “the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon.”

He also warns that just because the group isn’t using any sophisticated, hard-to-detect tools currently, this could change at any time.

InfoSecBuddy: http://bit.ly/2aCbK5o

« The Race To Regulate Self-Driving Cars
Deep Mystery: Looking For MH370 »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Trusted Computing Group

Trusted Computing Group

TCG was formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.

Penta Security

Penta Security

Founded on its data encryption technology, Penta Security is a leading provider of web and data security products, solutions and services.

Redshift Consulting

Redshift Consulting

Redshift is an information management and information security consulting company offering a full range of services from infrastructure design to security assessments and network monitoring.

Fedco International

Fedco International

Fedco International is an IT and SCADA ICS Security consultancy firm.

SCADASUDO

SCADASUDO

SCADASUDO is a cyber solution architecture and design office, established by leading experts in the field of OT (Industrial control) and IT (information Technology).

Apozy

Apozy

Apozy replaces a secure web gateway to nullify phishing, malware and impersonation attacks.

Rostelecom

Rostelecom

Rostelecom is Russia’s largest integrated provider of digital services and solutions, covering all market segments including consumer, governmental and private organizations.

MainNerve

MainNerve

MainNerve helps secure networks, applications, people, and facilities… enabling businesses to reduce risk and increase their cybersecurity posture.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

Cyber Suraksa

Cyber Suraksa

We make security simple and hassle-free by offering a sustained and secure IT environment with next-gen cybersecurity solutions through a scalable security-as-a-service model.

Orbis Cyber Security

Orbis Cyber Security

Orbis is one of the leading cybersecurity company in USA. Our cybersecurity specialist defends your data, combat threat, and modernize your compliance.

Cambridge International Systems

Cambridge International Systems

For more than 25 years, Cambridge has been fighting bad actors in both the cyber and physical worlds.

Hilltop Technologies

Hilltop Technologies

Hilltop Technologies is a cybersecurity company specialized in managed security services and consulting tailored for all sectors from higher education to publicly traded companies.

Securitybricks

Securitybricks

Securitybricks specialize in cloud security and compliance. Our mission is to automate regulatory compliance backed by human validation.

iolite Secure

iolite Secure

iolite secures our nation’s infrastructure and critical assets through cyber threat detection, response, and mitigation.