Security Market Segment LS
Tuesday, 30 June 2020 21:20

Bitdefender identifies state-sponsored cyber criminal enterprise, StrongPity


Cyber security researcher and tools provider, Bitdefender, today publicly released its discovery of a sophisticated and dangerous cybercriminal enterprise named StrongPity, which it believes to be government-sponsored and engaged in population surveillance and intelligence exfiltration.

The StrongPity attacks have been aggressively targeting victims in Turkey and Syria and expanding globally. Bitdefender researchers believe these are government-sponsored based on the severity and sophistication of the attacks.

StrongPity is also known as Promethium and is a threat group assumed active since at least 2012. Information was first reported in October 2016 with details on attacks against users in Belgium and Italy.

In 2018 the attackers shifted their focus elsewhere, compromising Turkish telecommunication companies to target hundreds of users in Turkey and Syria.

Bitdefender researchers believe these attacks are government-sponsored and are used for population surveillance and intelligence exfiltration, and further, they are used as support for the geopolitical conflicts in the region.

StrongPity's preferred infection vector is a watering hole technique which delivers malicious versions of legitimate installers to certain targets. By monitoring this threat closely, Bitdefender’s researchers have managed to investigate it from several angles, including the technical setup of the command and control servers as well as insight into the victims’ profile.

Bitdefender states most of the targets are located in Istanbul and the area of Turkey close to the Syrian border, via the use of a pre-defined IP list. The researchers believe the attacker is interested especially in the Kurdish community and sees the threat as relevant to the Turkey and Kurdish conflicts.

The samples used in one of the attackers’ campaigns have timestamps starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. Bitdefender says there is no direct forensic evidence suggesting StrongPity operated in support of Turkish military operations, however the victim’s profile coupled with the timestamps on the analysed samples may indicate a relationship.

Bitdefender also identified a three-tiered command and control infrastructure for covering the cybercrime group’s tracks and thwarting forensic investigation, and found fully-working Trojan versions of popular tools that had been compiled during the ordinary working hours of 9 am to 6 pm UTC+2. This deepens Bitdefender’s belief that StrongPity is a sponsored and organised developer team paid to deliver certain projects.

Bitdefender identified servers which serve the poisoned installer used in the initial compromise, and servers for exfiltrating information and interacting with the victim devices. The regular, untouched installer was served instead if the user’s IP address was not in the pre-defined IP list StrongPity was targeting.

These poisoned applications span many common and well-known applications including archivers, file recovery applications, remote connections applications, utilities, and even security software.

Once a device is compromised, payload components for persistence, command and control communication and file searching are all deployed on the machine. On instruction, the exfiltration component runs a file searching mechanism that loops through drives looking for files with specific extensions. Any files found are placed in a temporary zip archive, split into hidden, encrypted .sft files, sent to the command and control server and ultimately deleted from disk.
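The staging pattern described above (hidden .sft fragments holding encrypted data) is something a defender can sweep a host for. The following is an added example, not code from the article or from Bitdefender: it builds a constructed sample directory, then flags hidden files with a .sft extension whose content is high-entropy. The sample file names, the 7.0 bits/byte threshold and the 64 KiB sampling window are assumptions.

```python
import math
import os
import stat
import tempfile
from pathlib import Path

SUSPECT_EXT = ".sft"
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted data approaches 8.0 (assumed cut-off)
SAMPLE_BYTES = 65536      # only hash the head of large files (assumed window)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_hidden(path: Path) -> bool:
    """POSIX hidden = leading dot; Windows hidden = FILE_ATTRIBUTE_HIDDEN."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_staging_artifacts(root: str) -> list:
    """Return sorted paths of hidden .sft files whose content looks encrypted."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() == SUSPECT_EXT and is_hidden(p):
            if shannon_entropy(p.read_bytes()[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
                hits.append(str(p))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture: one suspicious file plus two decoys that must not match."""
    root = tempfile.mkdtemp(prefix="sft_demo_")
    (Path(root) / ".part1.sft").write_bytes(os.urandom(4096))  # hidden, random bytes
    (Path(root) / "notes.sft").write_text("visible .sft, not hidden\n")
    (Path(root) / ".readme.txt").write_text("hidden, but wrong extension\n")
    return root


if __name__ == "__main__":
    for hit in find_staging_artifacts(build_sample_tree()):
        print("suspicious staging artifact:", hit)
```

Run on a real host the entropy check alone is not proof; it separates encrypted fragments from ordinary hidden files, and a hit should be correlated with the temporary zip archive and outbound connections the article describes.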

Bitdefender has summarised the findings of its research in a whitepaper titled StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure. The company states an up-to-date list of indicators of compromise is included in its Bitdefender Advanced Threat Intelligence products.

Bitdefender says StrongPity's infection success rate is alarming, and warns of the potential risk to Australia if Australian organisations were ever added to StrongPity’s IP address range list. If this occurred, the attackers would be capable of establishing command and control communication, exfiltrating sensitive data and then deleting all traces to cover their tracks.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
