Chinese Experts Talked About Cyber Attacks On Kazakhstani Companies And Organizations

Megiddo
Qihoo 360 Netlab analysts presented a report describing a large-scale hacking operation aimed at Kazakhstan. According to the researchers, the group Golden Falcon (also tracked as APT-C-34) was behind many of the attacks studied. The victims were not only private individuals but also a range of companies and organizations: government agencies, private firms, the education sector, as well as foreign diplomats, researchers, journalists, religious figures and government dissidents.

Experts say that the Golden Falcon group has considerable capabilities and resources: it can build its own hacking tools, buy commercially available spyware, and also invest in equipment for intercepting radio communications. Some attacks relied on classic phishing, while others required physical access to the target devices, which meant using people located directly in Kazakhstan.


Although the Qihoo 360 Netlab experts believe they have discovered a previously unknown group, Kaspersky Lab representatives told ZDNet that Golden Falcon is probably the DustSquad group already known to them, which has been active since 2017. Interestingly, the DustSquad attacks were also aimed at Kazakhstan, but at that time the attackers used different malware.

The Qihoo 360 Netlab experts explain that they were able to gain access to one of the group's command-and-control servers and study its activity. There they found data stolen from the victims (mainly documents extracted from compromised computers). All of the information was encrypted and sorted into folders by city, with each folder holding the data taken from the infected hosts in that city.

The experts managed to decrypt this data and identified victims in Kazakhstan's 13 largest cities and beyond. The report says the attackers also monitored foreign nationals in the country, including Chinese students and Chinese diplomats.

The experts were also able to determine which tools the group used. The two main ones turned out to be a variant of RCS (Remote Control System), the spyware suite sold by the Italian developer HackingTeam, and the Harpoon backdoor Trojan, which appears to have been developed by the group itself.

It is stressed separately that Golden Falcon was armed with a recent version of RCS. Recall that HackingTeam was itself hacked in 2015 and the company's tools became publicly available. RCS version 9.6 leaked at that time, but according to the researchers, the Golden Falcon hackers used RCS version 10.3. That is, the spyware appears to have been purchased from the vendor for a considerable sum.

As mentioned above, Harpoon appears to be the group's own development: this malware has not been seen in any other operations or incidents. The Chinese experts write that they were also somehow able to obtain a user manual for Harpoon.

In addition, the experts found a number of contracts apparently signed by the group. It is not specified whether these documents were found on the hackers' server or obtained from other sources. Among them, for example, were files relating to the purchase of the Pegasus mobile spyware, a powerful tool for compromising Android and iOS devices created by the notorious NSO Group. It is unclear whether the deal was ever concluded, since the attackers do not appear to have used Pegasus in their operations.

Another interesting detail about Golden Falcon: the researchers claim the group was negotiating the purchase of equipment from the defense contractor Yurion, which specializes in communications equipment, radio communications and the like. As with Pegasus, it is unclear whether the transaction was actually completed.

At the end of their report, the analysts conclude that it cannot be said with certainty on whose behalf Golden Falcon operates. The only thing the researchers are sure of is that the group is Russian-speaking.