Security researchers have lifted the lid on the Poseidon Group, a global cyber-espionage gang in operation since at least 2005.
Most top-drawer hacking crews are state-sponsored – such as the cyber-units of China’s Peoples Liberation Army or the NSA’s elite Tailored Access Operations team. Unlike these government-backed spies, the Poseidon Group is a commercial entity that’s purely about enriching itself and its members rather than spiriting away state secrets or industrial blueprints.
Poseidon’s weapon of choice is custom malware, digitally signed with rogue certificates to bypass security checks and designed to steal sensitive data from infected systems. The code is written to hijack English- and Brazilian-Portuguese-language Windows PCs, a first in malware created by a gang for targeted attacks, according to security researchers at Kaspersky Lab.
Once a computer is compromised, the malware reports to the command-and-control servers before rifling through the network. This phase will often involve automatically and aggressively collecting a wide array of information including login credentials, group management policies, and system logs to fine tune follow-up attacks.
The information gathered is then used to strongarm companies into hiring the Poseidon Group as a security consultant under the threat of exploiting the stolen information.
The hacking crew targets financial institutions as well as telecommunications, manufacturing, energy and media companies. Victims of this group have been found in the the United States, France, India and Russia, but the vast majority of marks are located in Brazil. Many of the victims have joint ventures or partner operations in the South American country.
The Poseidon Group relies on spear-phishing emails with booby-trapped RTF/DOC files, usually with a human resources lure, that drop a malicious binary into the target’s system when clicked on.
“The Poseidon Group is a long-standing team operating on all domains: land, air and sea. Some of its command and control centres have been found inside ISPs providing Internet service to ships at sea, wireless connections as well as those inside traditional carriers,” said Dmitry Bestuzhev, director of the global research and analysis team at Kaspersky Lab's Latin America wing. “In addition, several of its implants were found to have a very short life span which contributed to this Group being able to operate for such a long time without being detected.”
More details on the group can be found in a post on Kaspersky Lab’s Securelist blog here. ®