‘Dropping Elephant’ Is A New Cyber Espionage Group

Uploaded on 2016-08-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

Kaspersky Lab is monitoring a new cyber espionage group that it calls Dropping Elephant. A surprising — and somewhat worrying — feature is that this group achieves a high success rate with only low tech attacks. In fact, it has been so successful that it seems to have expanded it group membership from (probably) just India to include new members on the Pacific West Coast of America.

“The modus operandi of ‘Dropping Elephant’ (also known as ‘Chinastrats‘) could hardly be called sophisticated,” Kaspersky says. “The attackers rely heavily on social engineering and low-budget malware tools and exploits.”

The attacks start with mass emails to targets it considers relevant, hundreds of thousands between November 2015 and June 2016. There is no malicious content at this stage; but if the email is opened, a simple ping request sends type of browser, IP address, device and location data to the attackers.

From this data, Dropping Elephant selects specific targets for spear-phishing. This time weaponized Word or PowerPoint documents are sent as attachments containing exploits for the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. Both have been patched by Microsoft, but with social engineering both are still used successfully. Alternatively, lures in the emails seek to send the targets to a watering hole disguised as a political news site.

Once a vulnerability has been successfully exploited, malware is downloaded to steal and exfiltrate spreadsheets, PowerPoint presentations, PDF files and any login credentials that are saved within the browser. One of the backdoors makes some attempt to obfuscate the C&C locations by disguising them within comments to articles on legitimate websites.

“This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors,” notes Kaspersky.

Analysis of attack activity leads Kaspersky to believe that the group is working out of India, or at least the UTC+5 and UTC+6 time zones. However, “since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.”

The primary targets for Dropping Elephant would seem to be “Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.” Kaspersky says there is no proof to suggest that a nation-state might be involved with the group.

The good news about these attacks are that they are low-tech and can easily be spotted. The bad news is that the group is still successful.

“Despite using such simple and affordable tools and exploits,” comments Vitaly Kamluk, head of Kaspersky’s APAC research center, “the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon.”

He also warns that just because the group isn’t using any sophisticated, hard-to-detect tools currently, this could change at any time.

InfoSecBuddy: http://bit.ly/2aCbK5o

« The Race To Regulate Self-Driving Cars
Deep Mystery: Looking For MH370 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Puppet

Puppet

Puppet is a leader in IT automation. Our software helps DevOps securely automate configuration and management of machines and the software running on them.

tunCERT

tunCERT

TunCERT is the National Computer Emergency Response Team of Tunisia.

Backup Technology

Backup Technology

Backup Technology is a world leader in the Online Cloud Backup, Disaster Recovery and Business Continuity market.

International Conference on Information Systems Security & Privacy (ICISSP)

International Conference on Information Systems Security & Privacy (ICISSP)

The ICISSP event is a meeting point for researchers and practitioners to address security and privacy challenges concerning information systems.

iLand

iLand

iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS).

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

Evolve Secure Solutions

Evolve Secure Solutions

Evolve Secure Solutions is a security focused managed services provider serving private and public customers across the UK.

iONLINE

iONLINE

iONLINE delivers high quality IT services and solutions to businesses in Azerbaijan.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

Liongard

Liongard

Liongard automates the management and protection of modern IT environments at scale for IT MSPs - Managed Service Providers and Enterprise IT Operations.

Ackcent Cybersecurity

Ackcent Cybersecurity

Ackcent's mission is to help our clients to protect their critical digital assets by providing them with a portfolio of specialised professional services.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

Commonwealth Cyber Initiative (CCI)

Commonwealth Cyber Initiative (CCI)

The Commonwealth Cyber Initiative is establishing Virginia as a global center of excellence at the intersection of security, autonomous systems, and data.

Alacrinet

Alacrinet

Alacrinet is an IT and cyber security consultancy. From penetration testing to fully managed MSSP, our team is focused on knowing the latest threats, preventing vulnerabilities, and providing value.

Dawgen Global

Dawgen Global

Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region providing a range of services including Risk Management and Information Systems Assurance.

Texaport

Texaport

Texaport's vision is to be the trusted partner of choice for organisations seeking comprehensive IT management and cutting-edge security solutions.