
Tipped off by an NSA breach, researchers discover new APT hacking group

DarkUniverse went undetected for at least 8 years. The NSA finally outed it.


With a tip that came from one of the biggest breaches in US National Security Agency history, researchers have discovered a new hacking group that infected targets with a previously unknown piece of advanced malware.

Hints of the APT—short for advanced persistent threat—group first emerged in April 2017. That's when a still-unidentified group calling itself the Shadow Brokers published exploits and code developed by, and later stolen from, the NSA. Titled "Lost in Translation," the dispatch was best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya worms that caused tens of billions of dollars' worth of damage worldwide. But the dump included something else: a script that checked compromised computers for malware from a variety of APTs.
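The script described above checked a host for artefacts left by several APT toolsets; a defender's compromise-assessment check works the same way, matching file paths, registry values and mutex names against per-group indicator sets. The following is an added example written for this page, not the leaked script and not Kaspersky's code, and every indicator value in it is a constructed placeholder rather than a real DarkUniverse IoC (the article publishes none).

```python
"""Host indicator check: match a host snapshot against per-APT indicator sets.

Added example for illustration. All paths, registry values and mutex names
below are constructed placeholders, not indicators from any real toolset.
"""
from dataclasses import dataclass, field
import fnmatch


@dataclass
class Signature:
    """Indicator set for one toolset. min_hits guards against calling a
    compromise on a single generic artefact (e.g. a common DLL name)."""
    name: str
    files: list = field(default_factory=list)      # path globs, Windows style
    registry: list = field(default_factory=list)   # full registry value paths
    mutexes: list = field(default_factory=list)    # mutex names
    min_hits: int = 2


@dataclass
class HostSnapshot:
    """What a collector gathered from the host being assessed."""
    files: set
    registry: set
    mutexes: set


def _norm(path: str) -> str:
    """Case-insensitive, backslash-normalised comparison key for Windows paths."""
    return path.lower().replace("/", "\\")


def evaluate(sig: Signature, snap: HostSnapshot) -> list:
    """Return every (kind, value) indicator from sig that is present on the host."""
    hits = []
    for pattern in sig.files:
        for f in snap.files:
            # fnmatchcase: the pattern is already lower-cased by _norm
            if fnmatch.fnmatchcase(_norm(f), _norm(pattern)):
                hits.append(("file", f))
    host_keys = {_norm(k) for k in snap.registry}
    for key in sig.registry:
        if _norm(key) in host_keys:
            hits.append(("registry", key))
    for m in sig.mutexes:
        if m in snap.mutexes:          # mutex names are case-sensitive on Windows
            hits.append(("mutex", m))
    return hits


def scan(snap: HostSnapshot, sigs: list) -> dict:
    """Map each signature name to its hits, reporting only sets that reach min_hits."""
    results = {}
    for sig in sigs:
        hits = evaluate(sig, snap)
        if len(hits) >= sig.min_hits:
            results[sig.name] = hits
    return results


# Constructed placeholder indicator sets (not real IoCs).
SIGNATURES = [
    Signature(
        name="PLACEHOLDER-APT-A",
        files=[r"C:\Users\*\AppData\Local\Temp\updsvc.dll"],
        registry=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"],
        mutexes=["Global\\placeholder_mutex_A"],
    ),
    # A set whose only indicator is a benign system DLL: one hit never reaches min_hits.
    Signature(name="PLACEHOLDER-APT-B", files=[r"C:\Windows\System32\kernel32.dll"]),
]

# Constructed sample host snapshot.
SAMPLE_HOST = HostSnapshot(
    files={
        r"C:\Users\alice\AppData\Local\Temp\UPDSVC.DLL",
        r"C:\Windows\System32\kernel32.dll",
    },
    registry={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"},
    mutexes={"Global\\placeholder_mutex_A"},
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_HOST, SIGNATURES).items():
        print(name)
        for kind, value in hits:
            print(f"  {kind}: {value}")
```

The `min_hits` threshold is the design point worth keeping: a lone match on a file name that legitimate software also uses should raise a review item at most, whereas several independent artefacts from the same set (a dropped DLL, a persistence entry and its mutex) justify escalating the host.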

Researchers from Kaspersky Lab said one of the APTs described in the script started operations no later than 2009 and then vanished in 2017, the same year the Shadow Brokers post was published. Dubbed DarkUniverse, the group is probably tied to ItaDuke, a group that has actively targeted Uyghurs and Tibetans since 2013. The link assessment is based on unique code overlaps in both groups' malware.

Going to great lengths

Digging further into DarkUniverse, the researchers found that the group went to great lengths to infect and surveil its targets. For instance, spearphishing emails were prepared separately for each target to ensure they grabbed recipients' attention and induced them to open an attached Microsoft document. Additionally, the full-featured malware was developed from scratch and evolved considerably over the eight-year span of the group's known existence. Each malware sample was compiled immediately before being sent to include the latest available version of the executable.

"The attackers were resourceful and kept updating their malware during the full life cycle of their operations, so the observed samples from 2017 are totally different from the initial ones from 2009," Kaspersky researchers wrote in a post published on Tuesday. "The suspension of its operations may be related to the publishing of the 'Lost in Translation' leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations."

DarkUniverse's modular malware was capable of collecting a wide range of information about the user and the infected system over an extended period of time. Data collected included:

  • Keyboard input
  • Email conversations
  • Credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and the Internet Cache
  • Screenshots
  • Files from specific directories
  • Data from remote servers and shared resources
  • A list of files of remote servers if specified credentials are valid
  • Information from the Windows registry

The malware also had the ability to change DNS settings, perform basic man-in-the-middle attacks, and download and execute files. Control servers were mostly hosted on the mydrive.ch cloud storage service. DarkUniverse operators created a new account, along with additional malware modules and configuration files, for each target.

The researchers know of 20 infected targets geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. The targets were both civilian and military organizations. The researchers suspect the number of infections between 2009 and 2017 was much higher.
