More malware discovered from drone cyberattacks
Despite the exposure of the cyberespionage, Operation Beebus is still active, although its infrastructure has changed
By Antone Gonsalves
April 24, 2013 — CSO — Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks.
FireEye researchers have been tracking so-called "Operation Beebus" for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.
FireEye researcher James Bennett, who was the first to make the drone connection, said on Tuesday that he has found two new malware associated with the attack, bringing the total to four.
The first two were versions of the same malware called Mutter. The new malware includes one that uses the same custom encryption scheme, but a different command-and-control protocol. The fourth malware is completely different from Mutter, but uses the same C&C infrastructure.
Bennett has yet to fully analyze the new malware, which he hopes will provide "more threads to follow."
Operation Beebus is a cyberespionage campaign that FireEye has linked to the infamous Comment Crew, which security firm Mandiant has identified as a secret unit of China's People Liberation Army. The hacker group attempts to steal information from international companies and foreign governments.
Bennett reported in a blog last week that he had uncovered evidence of cyberattacks against a dozen organizations in the U.S. and India. The attacks against academia, government agencies and the aerospace, defense and telecommunication industries targeted individuals knowledgeable in drone technology.
[Also see: Chinese Army link to hack no reason for cyberwar]
The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan's unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.
Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorized as benign by malware analysis systems.
Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett is no longer in use, but several IP addresses are still active, probably being used with other domains.
"We are still seeing active communications going out with this Mutter malware, so we do know that it's still going," Bennett said.
One in five data breaches are the result of cyberespionage campaigns, according to the latest study by Verizon. More than 95% of cases originated from China, with targets showing an almost fifty-fifty split between large and small organizations.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.