A sophisticated cyber espionage group is hacking computers belonging to governments in South America and Southeast Asia, security firm Symantec said in a report Tuesday.
The group, which Symantec has dubbed Sowbug, first came on the company’s radar in March, when it was spotted using previously unknown malware against a network in Southeast Asia. It appears to have been operating since at least 2015.
And while Symantec doesn’t have evidence that the attackers are affiliated with any particular government, the group is using advanced custom software tools and has been spotted looking for data linked to international relations. In one case, Sowbug hacked into a South American country’s foreign ministry, searching for Word documents from the branches handling Southeast Asian relations and working with international organizations.
“It’s definitely something that would be of interest to a nation state,” says Alan Neville, a threat intelligence analyst at Symantec.
Sowbug’s code has been spotted on computers in Argentina, Brazil, Ecuador, Peru, Brunei, and Malaysia, Symantec says. Cyber espionage has been less common in South America so far, the company said in a statement, though the practice has been on the rise across the world.
Russian government-affiliated hackers who meddled with last year’s U.S. election are alleged to have targeted thousands of other groups around the world, and American officials have blamed China in years past for massive international hacking operations. North Korea has been accused of sponsoring the hackers who infamously invaded Sony Pictures Entertainment and even tentatively linked to this spring’s WannaCry ransomware attack. And the U.S. has done its own share of digital espionage, including the widespread operations detailed in the National Security Agency documents released by Edward Snowden and subsequent NSA leaks.
Neville says Symantec hasn’t seen evidence showing where the Sowbug hackers are based. Symantec will likely coordinate with other security companies to get a fuller understanding of where the attackers have struck and how they’re invading the networks they’re targeting.
Once Sowbug is on those networks, a custom tool that Symantec calls “Felismus” allows the group to remotely control computers it has compromised.
“The tool itself essentially acts as a backdoor, and it gives the attackers the ability to upload or download files on infected machines,” Neville says.
Symantec researchers have also seen a tool it calls Starloader that Sowbug seems to use to install additional malware. But how Sowbug is getting access to those machines in the first place remains a mystery.
The group appears to disguise its hacking tools to make them harder for users to spot, giving programs names similar to popular applications from companies like Adobe. It also takes other steps to avoid being detected.
“They’re very careful to operate outside of standard working hours so they remain under the radar as such,” Neville says.
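The two evasion habits described above, lookalike binary names and off-hours activity, are things a defender can hunt for in process-start telemetry. The following is an added example, not code from Symantec or the article; the allow-list of legitimate binaries, the expected install paths, the working-hours baseline and the log events are all constructed for illustration.

```python
"""Detection sketch (added example, not Symantec's code): flag process launches
whose image name mimics a well-known vendor binary but runs from an unexpected
directory, and launches that happen outside working hours.  Names, paths and
events below are constructed for illustration, not real Sowbug indicators."""
from datetime import datetime
from difflib import SequenceMatcher
from typing import Optional

# Hypothetical allow-list: legitimate binary names and where they are expected.
KNOWN_BINARIES = {
    "acrobat.exe": r"c:\program files\adobe",
    "adobeupdate.exe": r"c:\program files (x86)\common files\adobe",
}
WORK_HOURS = range(8, 19)  # 08:00-18:59 local time, an assumed baseline


def lookalike(name: str) -> Optional[str]:
    """Return the known binary this name imitates, if it is close but not equal."""
    for known in KNOWN_BINARIES:
        ratio = SequenceMatcher(None, name.lower(), known).ratio()
        if name.lower() != known and ratio >= 0.8:
            return known
    return None


def triage(event: dict) -> list:
    """Return detection labels for one process-start event."""
    findings = []
    directory, _, name = event["image"].lower().rpartition("\\")
    if name in KNOWN_BINARIES and not directory.startswith(KNOWN_BINARIES[name]):
        findings.append("known-name-unexpected-path")   # right name, wrong place
    else:
        mimicked = lookalike(name)
        if mimicked:
            findings.append(f"lookalike-of:{mimicked}")  # near-miss spelling
    if datetime.fromisoformat(event["ts"]).hour not in WORK_HOURS:
        findings.append("off-hours")
    return findings


# Constructed sample events (not real indicators).
SAMPLE_EVENTS = [
    {"ts": "2017-11-07T10:15:00", "image": r"C:\Program Files\Adobe\Acrobat.exe"},
    {"ts": "2017-11-07T02:40:00", "image": r"C:\Users\Public\adobeupdater.exe"},
    {"ts": "2017-11-07T23:05:00", "image": r"C:\Windows\Temp\Acrobat.exe"},
]


def run_triage(events=SAMPLE_EVENTS) -> dict:
    """Map each suspicious image path to its findings; clean events are dropped."""
    return {e["image"]: triage(e) for e in events if triage(e)}
```

The similarity threshold and working-hours window are starting points; tune them against the environment's own baseline before alerting on them.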
Symantec’s antivirus software has been able to spot Sowbug’s malware for months, and the group has shown signs that it knows it’s been detected, he says. For instance, some of the command-and-control servers the hackers use to control the malware have been shut down. But, says Neville, it’s likely the group will try again with new infrastructure.
“We know that they’re likely sophisticated,” he says. “We know that they’re well-resourced.”