State-sponsored cyber gangsters Hidden Cobra have been linked to a global data reconnaissance campaign aimed at big fish targets, including critical infrastructure and the entertainment, finance, health care and telecommunications industries.
An earlier McAfee cybersecurity report tied the crew to an attack on Turkish banks in early March, an initial foray followed subsequently by new attacks on the financial industry. McAfee said the assault on the Turkish financial system had similar markings to previous attacks by Hidden Cobra conducted against the SWIFT global financial network.
They’re all part of a global malware offensive the security provider has dubbed “Operation GhostSecret.” It’s not clear if we’re talking about a centralized action or scattered cells but whatever it is, it’s ambitious. The scheme now spans 17 countries across numerous industries, possibly including the notorious 2014 Sony Pictures attack, McAfee said in its threat analysis, Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide.
It’s a complicated, meticulous affair, the security specialist said, in which implants, tools and malware variants are used to steal information from infected systems, all specifically “designed to evade detection and deceive forensic investigators.” Although the hackers use a mix of mechanisms, the implants share some functionality and code, which lets them be grouped into families.
The security company’s researchers have narrowed down the culprits that have the resources and capabilities to take part in a wide scale campaign of this sort. Still, they are a little mystified. “The threat actors have been explicit about who can connect from which IP address,” McAfee said. “Reviewing the WHOIS information for these IP addresses shows us that there is some correlation in geography, although there are no additional clues why these addresses were used.”
These cyber crooks are brazen, McAfee suggested, pointing out that the publicity accompanying the Turkish bank attacks didn’t slow them down one bit. In fact, it may have given Hidden Cobra some steam: “The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools,” McAfee wrote in a blog post. “Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.”
McAfee said it currently is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities.