{"id":15149,"date":"2016-07-08T06:00:43","date_gmt":"2016-07-08T06:00:43","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5731"},"modified":"2020-02-27T04:03:58","modified_gmt":"2020-02-26T17:03:58","slug":"dropping-elephant","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/dropping-elephant\/15149\/","title":{"rendered":"Dropping Elephant: Inelegant Espionage"},"content":{"rendered":"<h3>A Disappointment for Spy Genre Fans, or\u2026<\/h3>\n<p>For most of us, the word \u2018espionage\u2019 conjures up visions of immaculately dressed men and women armed, not just with the traditional pistol and silencer, but with lots of highly sophisticated gadgetry. Add the word \u2018cyber\u2019, and the aura of sophistication increases, as we envisage the levels of technological finesse required to discreetly intercept and steal delicate political secrets.<\/p>\n<p>On this basis, the cyberespionage group \u2018Dropping Elephant\u2019 (aka Chinastrats) is a bit of a disappointment, both in terms of its name and of its approach. Until, that is, you look at just how successful their operations, despite using relatively simple techniques, have been.<\/p>\n<p>An Indian-speaking threat actor, Dropping Elephant chooses targets mainly in the Asian region, paying particular attention to Chinese government\/diplomatic organizations \u2013 and also to foreign embassies and diplomatic offices in China, including those of Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia and the USA. 
It employs a toolset and techniques mainly based around well-executed social engineering, the exploitation of long-closed vulnerabilities and the adoption of legitimate software.<\/p>\n<h3>Hand me that axe, please, then put your neck on this block\u2026<\/h3>\n<p>Dropping Elephant\u2019s standard attack scheme starts with two-stage phishing. The first stage is usually a mass email containing only a relatively harmless document, which nevertheless has an important role to play in the attack. When opened, the document sends a confirmatory \u2018ping\u2019 to the attackers\u2019 command &amp; control servers, together with basic information about the attacked system that helps further identify the target. The second stage is usually an email carrying either an exploit-containing document (.docx or .pps) leveraging older vulnerabilities in Microsoft Office, or a link to a legitimate-looking \u2018watering hole\u2019 website dedicated to politics and offering a well-crafted political news digest in the form of a .pps (PowerPoint Slideshow) file, also exploit-fitted and containing a malicious payload.<\/p>\n<p>When the user, lured by the email\u2019s or website\u2019s apparent credibility, puts his or her neck on the block by opening the file, the embedded payload is triggered. It downloads and executes a number of additional tools that search the victim\u2019s hard drive for any important-looking documents, including Word files, Excel tables, PowerPoint presentations and PDFs, complementing these with saved credentials extracted from the browser. 
This information is then siphoned away to the attackers\u2019 servers.<\/p>\n<p>These attacks, and others like them, rely on a set of vulnerabilities which are generally assumed to be closed. But it was never possible for Microsoft to completely disable every piece of potentially dangerous functionality in MS Office. Given enough persuasiveness and the victim\u2019s genuine interest in the well-crafted bait, <strong>users still can and do click absently through multiple warnings and confirmations<\/strong> \u2013 straight to their own \u2013 and the whole organization\u2019s \u2013 doom.<\/p>\n<p>The consequences of a data breach in a sensitive area like government\/politics are hard to overestimate. But it\u2019s also important to understand that it\u2019s not just organizations directly related to politics or government that can become targets. To reach their intended victims, the Elephant\u2019s operators may choose the long way round, starting by compromising their victim\u2019s trusted contacts and business connections. So if your company has any ties with government institutions \u2013 best keep your corporate security well prepared for any unexpected elephantine visit.<\/p>\n<h3>To Defend, You Must Arm Yourself<\/h3>\n<p>Dropping Elephant\u2019s operators may not be very inventive in their choice of techniques, but they\u2019re well versed in the uses of social engineering, and do their homework thoroughly before setting out to attack a particular target. To reduce their chances of success to a minimum, bearing in mind that their most important ally is probably going to be your own hapless employee, a multilayered approach to security is necessary. Chinastrats operators dangle highly convincing and carefully tailored informational baits, so close attention should be paid to the sources of any email that doesn\u2019t fit the everyday working pattern. 
Security awareness training, such as that offered by <a href=\"https:\/\/www.kaspersky.ru\/advert\/enterprise-security\/cybersecurity-awareness?campaign=kl-ru_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______&amp;redef=1&amp;THRU&amp;referer1=kl-ru_kbusinesspost&amp;referer2=kl-ru_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Lab<\/a>, can develop the necessary defensive reflexes in your employees \u2013 invaluable in spotting and repelling the forms of attack that Dropping Elephant prefers.<\/p>\n<p>It\u2019s worth mentioning that Kaspersky Lab\u2019s experts have long-standing relationships with government and law enforcement organizations worldwide. They not only help investigate cyber-attacks, but also conduct <a href=\"http:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/Kaspersky_Security_Intelligence_Services_Cybersecurity_training.pdf\" target=\"_blank\" rel=\"noopener nofollow\">professional training<\/a>, teaching employees the ways of cybersecurity, from the very basics to the high zen of malware analysis and digital forensics. This training is available not just to government institutions, but to any company working in the field of cybersecurity or looking to create its own Security Operations Center.<\/p>\n<p>In the meantime, as we can see, even already-patched vulnerabilities can pose a considerable danger \u2013 so human-agnostic exploit mitigation technologies are a must. 
<a href=\"http:\/\/media.kaspersky.com\/pdf\/kaspersky-lab-whitepaper-automatic-exploit-prevention.pdf\" target=\"_blank\" rel=\"noopener nofollow\">The Automatic Exploit Prevention<\/a> technology, available in all tiers of <a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a>, is up to the task, preventing even 0-day exploits from completing their dirty work.<\/p>\n<p>But the timely patching of vulnerabilities remains critical. One of the most complex IT tasks, vulnerability management requires enhanced awareness and automation \u2013 both of which are offered by <a href=\"https:\/\/www.kaspersky.com\/advert\/business-security\/systems-management?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Lab\u2019s Systems Management (available both as part of <u>Kaspersky Endpoint Security for Business Advanced<\/u> and as a standalone solution)<\/a>. This technology considerably simplifies the process for IT specialists, reducing the pressure of work and freeing up time to think and plan more strategically during their everyday duties.<\/p>\n<p>When you\u2019re the custodian of some really important secrets, being strategic in planning your defenses is not a luxury but an absolute necessity. Keeping track of shifts in the threat landscape using <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Lab\u2019s Intelligence Reports and Datafeeds<\/a> allows you to be better prepared for what\u2019s to come. 
And running the ever-alert <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/anti-targeted-attacks?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Anti Targeted Attack Platform<\/a> \u2013 constantly watching over different levels of your IT infrastructure, including network, endpoints and mail system \u2013 helps provide early warnings when the enemy is at the gate.<\/p>\n<p>Kaspersky Lab\u2019s products detect components of Dropping Elephant\u2019s toolset under the following verdicts:<\/p>\n<ul>\n<li>Exploit.Win32.CVE-2012-0158<\/li>\n<li>Exploit.MSWord.CVE-2014-1761<\/li>\n<li>Trojan-Downloader.Win32.Genome<\/li>\n<li>HEUR:Trojan.Win32.Generic<\/li>\n<\/ul>\n<p>To learn more about the Dropping Elephant attack group, read the following <a href=\"https:\/\/securelist.com\/blog\/research\/75328\/the-dropping-elephant-actor\/?utm_medium=blg&amp;utm_source=kb_post_160708&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">blog post at Securelist<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An Indian-speaking threat actor, Dropping Elephant chooses targets mainly in the Asian region, paying particular attention to Chinese government\/diplomatic organizations &#8211; and also to foreign embassies and diplomatic offices in 
China.<\/p>\n","protected":false},"author":610,"featured_media":15317,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[499,2442,729],"class_list":{"0":"post-15149","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-dropping-elephant","11":"tag-espionage"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dropping-elephant\/15149\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dropping-elephant\/15149\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dropping-elephant\/15149\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15149"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15149\/revisions"}],"predecessor-version":[{"id":26899,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15149\/revisions\/26899"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15317"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=15149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/
v2\/categories?post=15149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}