Kaspersky uncovers Blue Termite


Russian Internet security giant Kaspersky Lab's Global Research and Analysis Team has encountered a cyber espionage campaign that has been targeting hundreds of Japanese companies for at least two years.

Although the usual infection vector of an advanced persistent threat (APT) is spear-phishing e-mail, the attackers behind the campaign, dubbed Blue Termite, hunt for proprietary information using a zero-day Flash Player exploit and a sophisticated backdoor that they customised for each target.

This is the first campaign known to Kaspersky Lab that is strictly focused on Japanese targets - and it is still active.

In addition, the company discovered several watering hole attacks, including one on a Web site belonging to a prominent member of the Japanese government. In a watering hole attack, the attacker observes which Web sites a targeted group visits regularly and infects one or more of them with malware.

"We sent a notification e-mail to the admin and ISP of the affected site but didn't receive any reply. However, the malicious code was removed after about an hour," says Kaspersky Lab.

In October last year, the company encountered a malware sample it had never seen before, which set itself apart from its peers due to its complexity. Closer analysis revealed this sample is only a tiny part of a much bigger, highly sophisticated cyber espionage campaign.

Industries targeted by this campaign include governmental organisations, heavy industries, financial, chemical, satellite, media, educational organisations, medical, the food industry and others.

How it works

In order to infect their targets, the cyber criminals behind Blue Termite employ several techniques. Prior to July 2015, they primarily used spear-phishing e-mails: targeted e-mail scams sent to a specific victim, with the sole purpose of obtaining unauthorised access to sensitive data in the victim's organisation.

In July, however, the attackers changed their strategy and began spreading the malicious code via the zero-day Flash exploit CVE-2015-5119. Several Japanese Web sites were compromised, exposing visitors to a drive-by download in which the exploit was delivered automatically on visiting the site.

This change of tactics resulted in a significant spike in the infection rate, explains the company.

In addition, Kaspersky says there were attempts to profile the victims to ensure only chosen users would get infected. "One of the compromised Web sites belonged to a prominent member of Japanese government and another one contained a malicious script that would filter out visitors from all IPs except one belonging to a specific Japanese organisation."

Once the user was successfully infected, a sophisticated backdoor, capable of stealing passwords, downloading additional payloads and retrieving files, was deployed on their PC.
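The drive-by step described above has a simple network-side signal for defenders: a site that never served Flash content suddenly delivering an SWF to its visitors. The following is an added example (not Kaspersky's code, and not tied to the actual Blue Termite infrastructure) that runs a first-seen-Flash check over constructed proxy log lines; the log format, hostnames, client addresses and the baseline of known Flash-serving hosts are all assumptions for illustration.

```python
"""Flag first-seen Flash (SWF) deliveries in proxy logs.

Added example for the drive-by passage above; not Kaspersky's code.
Log format, hostnames, clients and baseline are constructed/assumed.
"""
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp client method url content-type referer
SAMPLE_PROXY_LOG = """\
2015-07-08T09:01:02 10.0.0.5 GET http://news.example.jp/index.html text/html -
2015-07-08T09:01:03 10.0.0.5 GET http://news.example.jp/js/site.js application/javascript http://news.example.jp/index.html
2015-07-08T09:01:04 10.0.0.5 GET http://news.example.jp/img/x.swf application/x-shockwave-flash http://news.example.jp/index.html
2015-07-08T09:02:10 10.0.0.7 GET http://video.example.com/player.swf application/x-shockwave-flash http://video.example.com/watch
2015-07-08T09:03:15 10.0.0.9 GET http://news.example.jp/index.html text/html -
"""

# Assumed baseline: hosts already known (from earlier logs) to serve Flash legitimately.
KNOWN_FLASH_HOSTS = {"video.example.com"}

# Content types under which Flash movies are delivered.
SWF_CONTENT_TYPES = {
    "application/x-shockwave-flash",
    "application/vnd.adobe.flash.movie",
}


def parse_proxy_line(line):
    """Parse one whitespace-separated log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, ctype, referer = fields
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "ctype": ctype.lower(),
        "referer": None if referer == "-" else referer,
    }


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def find_first_seen_flash(log_text, known_flash_hosts):
    """Return SWF deliveries from hosts outside the known-Flash baseline."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["ctype"] not in SWF_CONTENT_TYPES:
            continue
        host = host_of(rec["url"])
        if host in known_flash_hosts:
            continue
        ref_host = host_of(rec["referer"]) if rec["referer"] else None
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": host,
            "url": rec["url"],
            "referer": rec["referer"],
            # An SWF embedded by a page on the same host is what an injected
            # object on a compromised site looks like; cross-site embeds are
            # a different triage question.
            "same_site_embed": ref_host == host,
        })
    return findings


def affected_clients(findings):
    """Sorted list of internal clients that fetched a flagged SWF."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    hits = find_first_seen_flash(SAMPLE_PROXY_LOG, KNOWN_FLASH_HOSTS)
    for h in hits:
        print(f"{h['ts']} {h['client']} fetched {h['url']} (referer {h['referer']})")
    print("clients to check:", affected_clients(hits))
```

On the constructed log this flags the SWF on news.example.jp (first seen, embedded by the site's own page) and leaves video.example.com alone; the client list is the starting point for host triage. In practice the baseline would be built from a window of historical logs rather than hard-coded.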

According to the company, Blue Termite is interesting in that each victim is supplied with a unique malware sample, built so that it can only be launched on the specific PC the Blue Termite author targeted.

The company speculates that this has been done in order to make it difficult for security researchers to detect and analyse the malware.

Who's behind it?

The company says it does not know who is responsible for the attacks. "Attribution is a very complicated task when it comes to sophisticated cyber attacks."

However, the company's researchers did collect some language artefacts: the graphical user interface of the command and control server and some technical documents related to the malware used in the Blue Termite operation are written in Chinese, suggesting the attackers could be Chinese speaking.

Once the organisation had collected enough data to confirm that Blue Termite is a cyber espionage campaign targeting Japanese organisations, it informed local law enforcement agencies of its findings. As the Blue Termite operation is still in progress, Kaspersky is continuing to investigate.

"Although Blue Termite is not the first cyber espionage campaign to target Japan, it is the first campaign known to Kaspersky Lab, to be strictly focused on Japan targets. In Japan it is still a problem. Since early June, when the cyberattack on the Japan Pension Service started to be widely reported, various Japanese organisations would have started to deploy protection measures. However, the attackers from Blue Termite, who might have kept a close eye on them, started to employ new attack methods and successfully expanded their impact," said Suguru Ishimaru, security researcher at Kaspersky Lab.
