Cybersecurity researchers discovered a new advanced persistent threat (APT) organization by analyzing one of the most significant security breaches in the U.S. National Security Agency history. Dubbed as the DarkUniverse, the researchers were able to link the hacking group to previous breaches and attacks that spanned between 2013 to 2017.
Kaspersky Lab, a cybersecurity firm and anti-virus company, published a report on the existence of the new unidentified hacking group in a blog post dated November 5, 2019. The report indicated that the new APT is linked to the ItaDuke activities that have actively targeted Uyghur and Tibetans since 2013.
Links to the ShadowBrokers and ItaDuke hacking groups
The discovery of DarkUniverse was ushered by the analysis of the operations of a group of hackers who was previously known as the ShadowBrokers.
In April 2017, ShadowBrokers published heir well-known ‘Lost in Translation’ leak that was developed by the NSA and was later stolen by the hackers. The dispatch is notorious for the publication of Eternal Blue exploit, which aided the campaigns like WannaCry and NotPetya, both of which have plagued the world, leading to millions of dollars of losses.
In the Lost In Translation publications, researchers were able to notice an interesting script that scans for traces of other APTs in the compromised system.
Back in 2018, the researchers have found the APT described in the script as the 27th function. This APT is what the experts then dubbed as the DarkUniverse. The report revealed that the new APT used PDF exploits for dropping malware and Twitter accounts to store C2 server URLs.
Researchers said that the DarkUniverse actors are related to the ItaDuke activities in 2013 “due to unique code overlaps.” The researchers concluded the association with “medium confidence” as they have seen enough similarities in the campaign implementations in the two APTs.
Personalizing the attacks
The cyberattacks and surveillance campaigns carried out by the DarkUniverse were described as sophisticated as the researchers have discovered that the hackers have gone to great lengths in order to infect and spy on its targets.
The report reveals that the campaign includes a spearphishing vector to spread malware. The hacking group prepares a personalized letter for each target to grab their attention and prompt them to open an attached malicious Microsoft Office document.
The malware has the capability of collecting a wide range of information over an extended period of time. The data it collects includes:
- Keyboard input
- Email conversations
- Credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail, and Windows Live Mail, Windows Live Messenger, and the Internet Cache
- Files from specific directories
- Data from remote servers and shared resources
- A list of files of remote servers if specified credentials are valid
- Information from the Windows registry
The researchers have recorded a total of 20 victims geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. The group has targeted both civilian and military organizations, and the researchers said that they believe the number of victims between 2009 and 2017 is far much greater than what they have recorded.
Furthermore, the researchers said that for the span of eight years, the hackers had been seen as evolving their techniques. They had started developing a fully functional from scratch in 2009 and has evolved to be entirely different strain by the time it was compiled in 2017.
“The attackers were resourceful and kept updating their malware during the full life cycle of their operations, so the observed samples from 2017 are totally different from the initial ones from 2009,” Kaspersky researchers wrote in the blog post. “The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artifacts for their operations.”