A Chinese-speaking APT group, Calypso, has actively been targeting state institutions in six countries, hacking network perimeters and injecting a program to gain access to internal networks, according to a report from researchers at Positive Technologies Expert Security Center.
The researchers found that the hackers either exploited the MS17-010 remote code execution vulnerability or used stolen
“These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by specialists everywhere for network administration,” said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies. “The group used publicly available utilities and exploit tools, such as SysInternals, Mimikatz and EternalRomance. Using these widely available tools, the attackers infected computers on the organization’s LAN and stole confidential data.”
Research indicates the campaign is the work of an Asian group. In one attack, the attackers, who are believed to have originated in Asia, used PlugX malware, a signature of APT groups from China, and some of the attackers inadvertently revealed their IP addresses from
Positive Technologies experts said the group used the Byeby trojan, which was previously seen in a 2017 SongXY malware campaign.
Institutions in India were hit the hardest, followed by Brazil, Kazakhstan, Russia, Thailand and Turkey.