Security analysts from Check Point Software Technologies have released a report detailing the discovery of a long-running cyber espionage campaign targeting defense contractors, telcos and educational institutions.
Researchers at the firm’s malware and vulnerability research group uncovered the attack nicknamed 'Volatile Cedar', which uses a custom-made malware trojan implant codenamed Explosive.
According to Check Point, this campaign has successfully penetrated a large number of targets across the globe, including defense contractors, telecommunications and media companies, as well as educational institutions. It allowed attackers to monitor victims' actions and steal data.
The first evidence of Explosive was detected in November 2012, with several versions since. Check Point's analysts believe Volatile Cedar to be a highly targeted and well-managed campaign, perhaps nation-state run. Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker’s goal while minimising the risk of exposure.
Check Point regional security engineer director A/NZ, Phillip Dimitriu, told ARN he admired the sophistication of the operation.
“I like it, I think it’s clever. It extracts the information using key-logging, using clipboard logging, run commands and shell scripts to essentially collate information from multiple sources.”
“Where there are massive amounts of information to be extracted, the attacker sets up SSH tunnels to connect to the appropriate control server and take the information away.”
“The elements of information that have been made available show that the attack does not appear to be financially motivated and instead is focused on extrapolating information.”
Similarly, Check Point head of incident response and threat intelligence, Dan Wiley, described the series of attacks as very interesting.
“The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.”
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It’s time for organisations to be more proactive about securing their networks.”