Cyber-spy groups, whose numbers are growing with little constraint, have begun hacking each other.
Hellsing, a small and technically unremarkable cyber-espionage group, was subjected to a spear-phishing attack by another threat actor last year, before deciding to strike back with its own malware-infected emails.
The aftermath of the dust-up was uncovered by security researchers from Kaspersky Lab, who estimate further incidents along the same lines are likely.
The Hellsing hacker group used spear-phishing emails with malicious attachments to distribute cyber-espionage malware among different organisations.
If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating itself and more.
Hellsing has claimed around 20 victims, with its malware detected and blocked in Malaysia, the Philippines, India, Indonesia and the US. The group, which has been active since at least 2012, focuses on targeting government and diplomatic organisations.
Naikon, a cyber-espionage group targeting organisations in the Asia-Pacific region, decided to hack Hellsing. This prompted a strike back.
The intended victim of Naikon (a member of Hellsing) questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment.
Shortly thereafter the target forwarded to the Naikon sender an email containing the Hellsing's malware. The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it, Kaspersky researchers explain.
Kaspersky Lab researchers became aware of the incident during the course of an investigation into Naikon.
"In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists," said Costin Raiu, director of global research and analyst team at Kaspersky Lab in a statement.
"However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," he added.
A writeup of the spy-on-spy action — complete with malware source code snippets — can be found in a blog post by Kaspersky Lab here. ®