AlienVault's Jaime Blasco has published analysis of a recently detected spear-phishing campaign that may be geared towards pilfering information related to the U.S. military's highly advanced unmanned aerial spy drones.
"The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit to key employees of different organizations," Blasco blogged.
The computer incident response team at defense contractor Lockheed recently reported they detected an active exploitation of vulnerabilities in Adobe's Reader and Acrobat applications, and the alert has been confirmed by the Defense Security Information Exchange.
"Once again the payload dropped was Sykipot, a known malware that has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007," Blasco wrote.
The vulnerability involves the application's handling of the Universal 3D (U3D) file format and could allow attackers to remotely take over an infected system. Exploitation of Adobe products, including the company's Flash player and the ubiquitous PDF file format, has been a major concern for security professionals for some time. The problem is compounded by the fact that most antivirus software does not detect malicious code embedded in PDF documents.
"In most of the campaigns the malware dropped displays some document or media attractive to the victim. After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection... all the content is related with US UCAVs (unmanned combat air vehicle)," Blasco noted.
A great deal of attention has been directed at the sophisticated reconnaissance technology since the detection of malware at Creech Air Force Base, one of the primary control centers for the drones, and the subsequent downing of a Lockheed Martin RQ-170 in Iran - the circumstances of which have led to speculation ranging from hacking of control systems to GPS spoofing exploits.
Blasco suggests that the phishing campaign detected by AlienVault may be related to a larger initiative aimed at collecting information on the drone technology, one that may have been in operation for some time.
"We can imagine that this campaign could target organizations related to technology used in this kind of vehicle, like aerospace and military industries... With the information we collected it appears that this campaign has been running for months. The domain used for the C&C server was registered on 2011-03-04 and we detected two different campaigns with timestamps on 09/08/2011 and 09/26/2011," Blasco wrote.
AlienVault continued their investigation in an effort to pinpoint the most likely source of the phishing operation, and the circumstantial evidence - though not conclusive by any means - seems to point to China.
"After a short investigation on the Netbox webserver, we learnt that it is a Windows-based webserver that allows developers to compile and deploy ASP web applications into a stand-alone executable file. We also checked Shodan and discovered that there were only a couple of thousand servers running the webserver and nearly 80% of the servers were located in China," Blasco explains.
"With this information, we thought that there was a good chance to locate these servers on Chinese network ranges. So we began to search Netbox servers running SSL on port 443 with a certificate issued to firstname.lastname@example.org on the main Chinese ISP providers. After some time, we confirmed our suspicion and we found 7 IP addresses belonging to “China Unicom Beijing province network” that matched our criteria. Six of them were pointing to the same webserver (same certificate, same headers, timestamps) so it appears that they are using those machines to proxy the connections as well, but we don’t know if one of them was the last C&C server," Blasco concluded.
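The pivot Blasco describes, grouping hosts that present the same certificate, the same response headers and the same timestamps so that several IP addresses can be recognised as proxies in front of one backend, can be reproduced over probe or passive-TLS data. The following is an added example, not AlienVault's tooling: every probe record is constructed, the IPs come from documentation ranges, and the certificate fingerprints and common name are placeholders, not the values from the real campaign.

```python
"""Cluster candidate C&C hosts by a backend fingerprint built from the TLS
certificate, the Server header and the Last-Modified timestamp. Hosts that
share a fingerprint are most likely proxies for a single origin. Added
example for this article; all records are constructed."""
from collections import defaultdict
import hashlib

# Constructed probe results (documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24; certificate hashes and CN are placeholders).
PROBES = [
    {"ip": "203.0.113.10", "cert_sha1": "placeholder-cert-A", "cn": "cc.example.invalid",
     "server": "Netbox/2.8", "last_modified": "Mon, 05 Sep 2011 08:00:00 GMT"},
    {"ip": "203.0.113.11", "cert_sha1": "placeholder-cert-A", "cn": "cc.example.invalid",
     "server": "Netbox/2.8", "last_modified": "Mon, 05 Sep 2011 08:00:00 GMT"},
    {"ip": "203.0.113.12", "cert_sha1": "placeholder-cert-A", "cn": "cc.example.invalid",
     "server": "Netbox/2.8", "last_modified": "Mon, 05 Sep 2011 08:00:00 GMT"},
    # Same CN, but a different certificate and timestamp: a separate backend.
    {"ip": "203.0.113.20", "cert_sha1": "placeholder-cert-B", "cn": "cc.example.invalid",
     "server": "Netbox/2.8", "last_modified": "Thu, 22 Sep 2011 14:30:00 GMT"},
    # Unrelated host that merely runs the same webserver product.
    {"ip": "198.51.100.5", "cert_sha1": "placeholder-cert-C", "cn": "shop.example.invalid",
     "server": "Netbox/2.8", "last_modified": "Sat, 01 Oct 2011 00:00:00 GMT"},
]


def backend_fingerprint(record: dict) -> str:
    """Hash the attributes that a reverse proxy passes through unchanged.
    Two hosts with equal fingerprints almost certainly front one origin."""
    material = "|".join(record[k] for k in ("cert_sha1", "cn", "server", "last_modified"))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def cluster_by_backend(records) -> dict:
    """Map fingerprint -> sorted list of IPs presenting it."""
    groups = defaultdict(list)
    for rec in records:
        groups[backend_fingerprint(rec)].append(rec["ip"])
    return {fp: sorted(ips) for fp, ips in groups.items()}


def likely_proxy_groups(records, min_hosts: int = 2) -> list:
    """Return IP groups of at least min_hosts hosts sharing one backend,
    sorted so the output is stable for reporting."""
    return sorted(ips for ips in cluster_by_backend(records).values() if len(ips) >= min_hosts)


def hosts_with_cn(records, cn: str) -> list:
    """Every IP whose certificate carries the watched common name, regardless
    of backend; useful as the first, coarse filter before clustering."""
    return sorted(rec["ip"] for rec in records if rec["cn"] == cn)


if __name__ == "__main__":
    print("hosts presenting the watched CN:", hosts_with_cn(PROBES, "cc.example.invalid"))
    for group in likely_proxy_groups(PROBES):
        print("probable proxies for one backend:", group)
```

The coarse filter (certificate common name) and the fine one (full fingerprint) answer different questions: the first finds every host touched by the same operator's certificate, the second separates proxies of one origin from hosts that only reuse the certificate. Neither tells you which machine is the final C&C server, which is exactly the limit Blasco notes.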
Many security experts point out the difficulty involved in accurate attribution. Proxies, routing tricks, compromised machines, and spoofed IP addresses can be easily coordinated to give the appearance that an attack is originating far from the actual source.
In many cases, it is nearly impossible to clearly determine the origin of an attack, and even more difficult to ascertain if the event was state-sponsored or instigated by individual actors.
But, based on the information AlienVault has uncovered in their investigation, Blasco seems comfortable that there is in fact some level of Chinese involvement - though he stops short of openly accusing China.
"We shouldn’t jump to assumptions but whoever is behind Sykipot is massively collecting information from targeted victims that covers dozens of industries... On the other hand, we have identified at least six Chinese IP addresses that are used to proxy or host the C&C servers... In some of the samples it contains some Chinese error messages... Apart from this, the “Netbox” (http://www.netbox.cn) webserver used in the C&C servers is mainly used by those who speak Chinese. In fact all the documentation to setup and learn the framework is only available in Mandarin," Blasco pointed out.
In reference to the ongoing debate over the concept and likelihood of "cyberwar", Blasco ends his post with a provocative challenge.
"Someone has said that cyberwar does not exist? Draw your own conclusions," Blasco invited.