G20 Summit Becomes Bait For Cyberespionage Attacks

  /     /     /  
Publicated : 22/11/2024   Category : security


G20 Summit Becomes Bait For Cyberespionage Attacks


The upcoming G20 Summit in Russia is being used as a lure in a spate of APT-style attacks



With the G-20 Summit a little more than a week away, cyberattackers are using the conference as a theme as they target government and financial institutions.
According to Rapid7, multiple groups -- potentially originating in China -- are responsible for the attacks, including a prominent group known as the Calc Team or APT-12 that has been tied to an attack on
The New York Times.
Within the security community theres the firm belief that the Calc Team is an espionage group operating from China, which originally stood out due to the use of a peculiar algorithm used to calculate the connection details to their Command & Control servers (C&C) out of an initial DNS request,
blogs Rapid7
security researcher Claudio Guarnieri. [This] group has been tracked by researchers for years and is believed to be responsible of numerous attacks against government agencies, financial institutions and defense contractors.
The recent attacks all use the upcoming G20 conference -- scheduled for Sept. 5 and 6 in St. Petersburg, Russia -- as a theme for the bait. The first of the ongoing G20-themed attacks tied to the group was detected in May, and featured a PDF document outlining a development agenda for the Russian presidency, as well as a second document entitled Global Partnership for Financial Inclusion Work Plan 2013.
Both are clearly Windows executable files that try to disguise as PDF documents, the researcher notes. As commonly happen, no exploit has been used here and the attacker uniquely relied on social engineering the targets to open and execute the files contained in the archive. Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion.
Earlier this month, two more attacks tied to the group using other G20-themed booby-trapped documents were detected, as well. Once the malware is on the system, it is then used to download additional malware and log the keystrokes of users. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key with GetKeyState Windows API. Currently, the command-and-control used by the attackers remains active.
Assuming that the chain of attribution to Calc is correct, its interesting to observe that despite major international exposure after The New York Times incident, the intrusion group/s behind these attacks is still operational and doesnt seem to have been affected by the sudden attention received by newspapers and researchers, Guarnieri blogs.
Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but its remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect, he adds. As also pointed out
by FireEye,
the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers, which combined with the lack of exploitation involved, it leaves a large responsibility on the targeted user to be able to recognize the social engineering attempt and isolate the attack.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact Dark Readings editors directly,
send us a message
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
G20 Summit Becomes Bait For Cyberespionage Attacks