Security researchers have uncovered a multi-year, global targeted attack campaign aimed at lifting sensitive information from major critical infrastructure firms, particularly those in Japan.
Operation Dust Storm has been active since 2010 and initially was detected by several security vendors via its use of the Misdat backdoor, according to Cylance’s SPEAR research team.
Targets included organizations in the US, Europe, Southeast Asia and South Korea. However, over time the group has narrowed its focus to almost exclusively Japanese companies or foreign organizations headquartered in Japan, the report claimed.
“At this time, SPEAR does not believe the attacks were meant to be destructive or disruptive. However, our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future,” it warned.
As the countries targeted narrowed, the industries affected expanded to include electricity generation, oil and natural gas, finance, transportation, and construction.
Given its duration, persistence and apparent focus, the Cylance SPEAR team believes the group is nation-state-backed, but declined to speculate on which country. However, China would be an obvious candidate given the focus on Japanese entities.
What’s more, the group has become increasingly sophisticated in how it infects targets, using spear phishing, watering-hole sites, unique backdoors and unique zero-day variants to breach defenses.
It designed a unique S-Type backdoor variant to infect a Japanese car-maker last year, for example, and has also been actively targeting Android devices with customized backdoors.
The report explained:
“The initial backdoors were relatively simple, and would continually forward all SMS messages and call information back to the C2 servers. Later variants became much more complex, and included the ability to enumerate and exfiltrate specific files directly from the infected devices. All of the identified victims for the Android Trojans resided in Japan or South Korea. The infrastructure to support the Android campaigns was massive in comparison to previous operations. More than two hundred domains have been identified to date.”
In 2014, Cylance pegged Iran as “the new China” in a report announcing the existence of Operation Cleaver – a sophisticated information-stealing APT campaign targeting multiple countries.