There's a new hacking team out there that's proving surprisingly good at getting into government systems using social engineering tactics coupled with zero-day attacks in assaults that can last as long as a year.
Dubbed Strontium by researchers at the Microsoft Malware Protection Center, the hackers have been active since 2007, but this year have been particularly determined, going after servers in government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European governments.
The group spends a lot of time researching their targets on social media and email lists, trying to find people with access to a system they want to penetrate. Microsoft researchers say several thousand people have been subject to attack.
The first stage in an intrusion is carried out using phishing emails, typically a password reset email that looks convincing. To trick the unwary, the group sends them from domains that are similar to the proper address, such as accounts.g00gle.com or electronicfrontierfoundation.org.
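A defender-side check for the look-alike sender domains described above, added here as an example and not code from the article or from Microsoft: it normalises common digit-for-letter substitutions, compares the registrable domain against an allow-list by exact match and edit distance, and flags domains that carry a protected organisation name without being an approved domain. The allow-list, the protected-name list and the substitution table are assumptions constructed for the example.

```python
"""Flag sender domains that imitate known-good domains (look-alike detection)."""
# Known-good sender domains and protected organisation names: constructed for this example.
KNOWN_GOOD = {"google.com", "accounts.google.com", "eff.org", "microsoft.com"}
PROTECTED_NAMES = {"google", "electronicfrontier", "microsoft"}
# Digit/symbol stand-ins for letters often used in look-alike names (assumption, not from the article).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

def registrable(domain):
    """Last two labels of a host name; a real deployment should use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address):
    """Return (verdict, reference) for a From: address.

    verdict is 'legit', 'lookalike', 'brand-squat' or 'unknown'; reference is the
    known-good domain or protected name the sender domain was matched against.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_GOOD or registrable(domain) in KNOWN_GOOD:
        return "legit", domain
    reg = registrable(domain.translate(HOMOGLYPHS))
    if reg in KNOWN_GOOD:
        return "lookalike", reg  # differs from a real domain only by character substitution
    for good in KNOWN_GOOD:
        # Short registrable domains would match far too much by edit distance; compare long ones only.
        if len(good) >= 10 and levenshtein(reg, good) <= 2:
            return "lookalike", good
    for name in PROTECTED_NAMES:
        if name in domain:
            return "brand-squat", name  # carries the organisation's name but is not an approved domain
    return "unknown", None

if __name__ == "__main__":
    for addr in ("noreply@accounts.google.com", "security@accounts.g00gle.com",
                 "info@electronicfrontierfoundation.org", "alice@example.net"):
        print(addr, "->", classify_sender(addr))
```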
Once in, the hackers search through email logs and system information to find people who have admin access to the target server. They then send a second round of emails, usually themed around current events, to encourage the target to click on a URL that serves malware.
Strontium were quick to exploit the zero-day flaws exposed when the Hacking Team got its servers pwned, and also to reverse-engineer patches to exploit security flaws within days of their release. Adobe Flash Player, the Oracle Java Runtime Environment (JRE), Microsoft Word, Internet Explorer, and some components of the Windows kernel are popular choices with the group.
The attackers use custom malware that not only installs a Trojan on the system, but also writes itself into the Windows registry to make cleanup more difficult. The software has many modules, including key logging, email address and file harvesting, information gathering about the local computer, and remote communication with command and control servers.
The malicious code can communicate back to the hackers via HTTP, SMTP, and POP3. The coders took care to disguise this traffic, typically having it communicate with legitimate-sounding domains such as softupdates.info and malwarecheck.info.
"Strontium is a very challenging adversary for a targeted institution to defend against: it possesses a broad range of technical exploitation capabilities, significant access to resources such as previously undiscovered zero-day exploits, and the determination to keep up an attack for months or years until it succeeds," Microsoft said in its report.
Redmond doesn't say who the attackers might be, but given the amount of time they are willing to spend on an attack, the choice of targets, and the sophistication of their software, a nation state hacking team seems likely. ®