Cybersecurity company Kaspersky Lab recently unmasked a cyberespionage group targeting multiple diplomatic and government entities in Asia, particularly in China and its international affairs.
According to the investigation conducted by Kaspersky Lab's Global Research and Analysis Team in February 2016, the cyber-espionage group named "Dropping Elephant" relied heavily on social engineering and "low-budget" malware tools and exploits to conduct their activity.
Kaspersky said the group allegedly operates from India but found no proof that a nation-state might be involved in this operation. The analysis of activity revealed that attackers probably operated in the time zone of either UTC+5 or UTC+6.
Kaspersky Lab researchers also discovered a new activity for the group in a new geographical area including Pacific Standard Time zone, which corresponds to West Coast working hours in the United States. According to Kaspersky, this is likely the result of the increased headcount in the team.
Meanwhile, the target profile created by the researchers revealed the Dropping Elephant group focused on two main types of organisations and individuals: Chinese-based government and diplomatic entities and any individuals connected to them, and the partners of these organisations abroad.
Overall, the researchers identified several hundred targets worldwide, with most located in China while others were from or related to Pakistan, Uruguay, Taiwan, Bangladesh, Sri Lanka, Australia and USA.
"Despite using such simple and affordable tools and exploits, the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon. Organisations and individuals that match this actor's target profile should be especially cautious. The good news is that this group hasn't yet been spotted using really sophisticated, hard-to-detect tools. This means that their activity is relatively easy to identify. This can of course change at any time," said Vitaly Kamluk, Head of Research Centre in Asia Pacific, GReAT, Kaspersky Lab.
Kaspersky said they are willing to work with computer emergency response teams (CERTs) and law enforcement agencies of affected countries to notify the owners and mitigate the threat.
How does the group work?
According to Kaspersky Lab, Dropping Elephant initially mass-mails a number of email addresses it has collected with spear-phishing messages containing references to remote content which is downloaded from an external source.
Once the target opens the mail, a "ping" request is sent to the attackers' server which sends a message containing basic information about the recipient such as IP address, browser type, and both the device used and its location.
The attackers will then filter out the most valuable targets and send a more targeted spear-phishing email attached with either a word document with CVE-2012-0158 exploit or PowerPoint slides with CVE-2014-6352 in the Microsoft Office.
Sign up for MIS Asia eNewsletters.