We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Cyber espionage campaign targets energy companies

Signs suggest campaign carried out by group that attacked RSA

Hackers using a Remote Access Trojan (RAT) named Mirage have been engaged in a systematic cyber espionage campaign against a Canadian energy company, a large oil firm in the Philippines and several other entities since at least this April, Dell's SecureWorks Counter Threat Unit says.

The campaign is the second one targeted at oil companies to be discovered by SecureWorks this year. In February, researchers at the firm discovered attackers using remote access tools similar to Mirage to target several oil companies in Vietnam. That campaign also targeted government agencies in several countries, an embassy, a nuclear safety agency and multiple business groups, according to SecureWorks.

The domains for three of the command and control (C&C) servers used to control Mirage and for several of the C&C servers used in the February campaign, appear to belong to the same individual or group of individuals, SecureWorks said.

Also noteworthy is the fact that the IP addresses for the command and control servers used for Mirage and in the February campaign belong to China's Beijing Province Network. The same network was also implicated in last year's attacks on security vendor RSA that resulted in the theft of confidential information related to the company's SecurID two-factor authentication technology.

Command and control servers associated with the 2009 GhostNet campaign that targeted government computers in more than 100 companies also used IP addresses in the same network. The evidence suggests that the same group of people is behind the sweeping cyber espionage campaigns, SecureWorks researchers Joe Stewart said today.

The latest Mirage campaign has so far impacted companies in Canada, the Philippines, a military organization in Taiwan and several unidentified entities in Nigeria, Egypt, Brazil and Israel, Stewart said.

The Mirage malware program itself is very crafty and is designed to evade easy detection, according to SecureWorks. All of its communications with its command and control servers are disguised to appear like the URL traffic pattern associated with Google searches.

Those behind the espionage have used phishing emails to trick mid-level to senior executives at the targeted companies to click on attachments containing malware for installing Mirage on their systems. One of the emails used in the campaign for instance, contained a pdf of a news story about Yemeni women being eligible to participate in that country's elections.

Over the past few months, researchers at SecureWorks discovered several customized variants of Mirage designed to evade detection by anti-virus and anti-malware programs

"One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors," SecureWorks analyst Silas Cutler wrote in the alert. "These samples had been configured with default credentials for the targeted environment's web proxy servers," he noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].

See more by Jaikumar Vijayan on Computerworld.com.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model