A team of researchers discovered an active cyber-espionage operation targeting the Afghan government. A group of Chinese hackers is presumed to be responsible. The attackers posed as members of the Afghan presidential administration in order to infiltrate the systems of the National Security Council (NSC), and used Dropbox to conceal their activity. Check Point Research believes this attack is the latest stage of a long-running operation that began back in 2014; Kyrgyzstan, Uzbekistan and other countries were also victims of that earlier espionage.
- The attackers sent a bogus email urging the recipient to take urgent action related to the upcoming NSC press conference.
- To hide their tracks, they used Dropbox: the API of this cloud service served as the command and control (C&C) channel.
- The CPR team recorded the attackers' actions, including access to files on the desktop, deployment of a scanning tool, and execution of built-in Windows networking utilities.
Check Point Research (CPR) recorded an active cyber-espionage operation targeting the Afghan government. The espionage was allegedly carried out by a group of Chinese hackers called IndigoZebra. To infiltrate the systems of the Afghan National Security Council (NSC), they used the popular cloud storage service Dropbox. In the course of further investigation, CPR experts found that this is the latest attack in a long-term campaign that has been running since at least 2014 and has also targeted other Central Asian countries, namely Kyrgyzstan and Uzbekistan.
The Check Point Research investigation began in April, when an Afghan National Security Council official received an email purportedly from the presidential administration. The email asked the recipient to urgently review changes to a document related to the upcoming NSC press conference.
The Check Point Research team has summarized the cyber-espionage methodology as the following sequence of steps:
- Sending an email on behalf of a reputable organization. The attackers deceived at the level of two ministries: the email arrived at a high-status organization from the mailbox of a sender of equally high status, who had themselves already fallen victim to the attackers.
- Attaching a malicious element. The hackers attached an archive containing malware to the email, disguised as a harmless attachment. In this case, the email carried a password-protected RAR archive named NSC Press conference.rar.
- Opening the first document. The NSC Press conference.exe file extracted from the archive acts as a dropper. Since the email presents the attachment as a document, the victim launches the executable without suspicion. The dropper uses a simple trick: once launched, it opens the first document found on the victim's desktop. Even if no such document is found, the dropper proceeds to the next step, loading the backdoor.
- Using Dropbox as a command and control centre (C&C). The backdoor connects to a pre-configured Dropbox folder created separately for each victim. It retrieves further commands from that folder and uploads the stolen information to it.
The attackers use the Dropbox API to disguise their malicious traffic, so the malware never communicates with suspicious sites. The attacker-configured backdoor creates a unique victim folder in an attacker-controlled Dropbox account. When the operators need to send a file or command to the compromised computer, they place it in the "d" subfolder of the victim's Dropbox folder; the malware reads this subfolder and downloads its contents to its working directory. To ensure persistence, the backdoor sets a registry key so that it runs every time the user logs on to the system.
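The two behaviours described above, Dropbox-API traffic from a process that is not the Dropbox client and a logon-persistence registry key written by the same process, can be correlated from ordinary telemetry. The following is an added defender-side example, not Check Point's code or the malware's; the host names, the log format, the "Updater" value name, the Run key as the specific persistence location and the benign processes are all assumptions, while the dropper file name is the one quoted in the article.

```python
# Added defender-side example (not Check Point's or the malware's code).
# Two constructed telemetry feeds, pipe-delimited "host|process|target":
# a web-proxy log (target = destination hostname) and a registry-audit
# log (target = registry key written).  Host names, the "Updater" value
# name, setup.exe/chrome.exe and the log format are assumptions; the
# dropper file name comes from the article.

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
KNOWN_DROPBOX_PROCS = {"dropbox.exe", "dropboxupdate.exe"}
# Per-user autorun key (assumed; the article only says "a registry key").
RUN_KEY = r"software\microsoft\windows\currentversion\run"

PROXY_LOG = [  # constructed sample, not real traffic
    "WS01|Dropbox.exe|api.dropboxapi.com",
    "WS02|NSC Press conference.exe|content.dropboxapi.com",
    "WS03|chrome.exe|www.example.org",
]
REGISTRY_LOG = [  # constructed sample, not real events
    r"WS02|NSC Press conference.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"WS01|setup.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dropbox",
]


def parse(lines):
    """Yield (host, process, target) with the process name lower-cased."""
    for line in lines:
        host, proc, target = line.split("|", 2)
        yield host, proc.lower(), target


def dropbox_api_from_unknown_process(proxy_lines):
    """(host, process) pairs where a non-Dropbox process used the Dropbox API."""
    return {(h, p) for h, p, dest in parse(proxy_lines)
            if dest in DROPBOX_API_HOSTS and p not in KNOWN_DROPBOX_PROCS}


def run_key_writers(registry_lines):
    """(host, process) pairs that wrote under the Run key (logon persistence)."""
    return {(h, p) for h, p, key in parse(registry_lines)
            if RUN_KEY in key.lower()}


def correlate(proxy_lines, registry_lines):
    """Hosts/processes showing both behaviours; either one alone is noisy."""
    return sorted(dropbox_api_from_unknown_process(proxy_lines)
                  & run_key_writers(registry_lines))


if __name__ == "__main__":
    for host, proc in correlate(PROXY_LOG, REGISTRY_LOG):
        print(f"{host}: {proc} uses the Dropbox API and persists via the Run key")
```

Only the host where both signals come from the same process is reported; the legitimate Dropbox client and an installer that merely registers a Run key are left alone.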
As part of this attack, Check Point Research specialists recorded the following actions:
- Downloading and running a scanning tool used in targeted attacks (APTs) by many groups, including the active and successful Chinese hacker group APT10.
- Running built-in Windows networking utilities.
- Accessing the victim's files, in particular documents on the desktop.
“Revealing the facts of cyber espionage is still a priority for us. This time, we found an ongoing, targeted campaign targeting the Afghan government,” said Lotem Finkelsteen, Lead Cyber Threat Analyst at Check Point Software Technologies. “We have reason to believe that Uzbekistan and Kyrgyzstan have also become victims of these attacks. The information we have collected points to hackers from China. In this case, the attackers used an interesting tactic to deceive one ministry on behalf of another. This tactic is very aggressive and effective: any employee will rush to do everything that is asked of him. In our example, cybercriminals were able to perform a number of actions among top officials. Also, it is important to note that the hackers used Dropbox to avoid detection. We should all keep this method in mind and take preventive measures. It is possible that this group of hackers also attacked other countries, although we do not yet know how many and which ones. For this reason, today we provide a list of domains that could be involved in the attack. We hope that their names will help cybersecurity professionals in further research that complements and builds on the information we have received.”