Cybersecurity is an area of great concern in business as well as government circles. Internet security experts have identified a major cyberespionage campaign targeting India. Recently, IT security firm Kaspersky Lab made the startling revelation that a fairly new and previously unknown cyberespionage group, called Danti, may already have full access to internal networks in Indian government organisations. A separate report by Trend Micro found that healthcare (26.9%) is the sector most affected by data breaches, followed by education (16.8%), government (15.9%), retail (12.5%) and finance (9.2%). More on that later; first, a look at the modus operandi of the Danti cyberespionage group.
The attackers are infecting the networks with malware to create channels through which they can pass off the data. The Global Research and Analysis Team of the Moscow-based internet security firm Kaspersky Lab, which has been tracking the racket for the last few months, estimates that the attackers might have full access to internal networks in Indian government organisations.
Kaspersky Lab officials said that the exploit is delivered through spear-phishing emails. To attract the attention of potential victims, the threat actors behind Danti have crafted emails in the names of several high-ranking government officials. Once the vulnerability has been exploited, the Danti backdoor is installed; this subsequently gives the threat actor access to the infected machine, from which they can exfiltrate sensitive data.
The origin of Danti is unknown, but Kaspersky Lab researchers have reason to suspect that the group is somehow connected to the Nettraveler and DragonOK groups. It is believed that Chinese-speaking hackers are behind these groups. According to Kaspersky Security Network, some Danti Trojans have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. Its activity was first spotted at the beginning of February and continued through March to the present day.
“We expect to see more incidents with this exploit, and we continue to monitor new waves of attacks and their relationship with other attacks in the region. Waves of attacks conducted with the help of just one vulnerability suggest two things: firstly, that threat actors tend not to invest many resources into the development of sophisticated tools, like zero-day exploits, when 1-day exploits will work almost as well. Secondly, that the patch-adoption rate in the target companies and government organisations is low. We urge companies to pay closer attention to patch management in their IT infrastructure in order to protect themselves from known vulnerabilities,” said Alex Gostev, chief security expert at Kaspersky Lab Research Centre in APAC.
According to Trend Micro officials, 2015 offered no respite from data breaches in the healthcare industry. Protected health information (PHI) of 80 million American consumers, including names, addresses, birth dates, income data, and social security numbers were compromised. Breaches have also found their way to the federal level. “These high-profile incidents are consistent with our data breach analysis. Other sectors also include education, retail, and finance,” officials said.
Is there a way forward? Trend Micro officials said that remote device wipe, disk encryption, the use of virtual infrastructure, and enforcement of stricter policies can help mitigate such cases. “System administrators need solutions that allow them to monitor network traffic across all ports to spot any anomalies and prevent attackers before they can advance. Custom sandboxing, on the other hand, would give them the capabilities needed to single out malware,” they said.
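The recommendation above to watch traffic across all ports for anomalies can be illustrated with a simple baseline-and-compare check: learn which destination ports each host normally talks on, then flag flows that fall outside that profile. The following is an added example, not code from the article or from Trend Micro; the flow-record layout, host names and sample records are constructed assumptions.

```python
"""Baseline-and-compare detection of unusual destination ports per host.

Added example (not from the article or from Trend Micro). Flow records are
assumed to be (source_host, destination, destination_port) tuples, the kind
of summary a NetFlow or firewall log exporter would produce.
"""
from collections import defaultdict

# Constructed baseline: flows observed during a known-good period.
BASELINE_FLOWS = [
    ("ws-01", "mail.internal", 443),
    ("ws-01", "files.internal", 445),
    ("ws-01", "mail.internal", 443),
    ("ws-02", "proxy.internal", 3128),
    ("ws-02", "files.internal", 445),
    ("ws-02", "proxy.internal", 3128),
]

# Constructed observation window: two flows here should stand out.
OBSERVED_FLOWS = [
    ("ws-01", "mail.internal", 443),
    ("ws-01", "198.51.100.23", 8443),   # port ws-01 has never used before
    ("ws-02", "proxy.internal", 3128),
    ("ws-02", "files.internal", 445),
    ("ws-03", "files.internal", 445),   # host absent from the baseline
]


def build_port_profile(flows):
    """Map each source host to the set of destination ports seen in the baseline."""
    profile = defaultdict(set)
    for src, _dst, port in flows:
        profile[src].add(port)
    return dict(profile)


def find_port_anomalies(profile, observed):
    """Return (src, dst, port, reason) for each observed flow outside the profile.

    A host with no baseline profile is reported as 'unprofiled host' so it is
    not silently treated as normal; a known host using a new destination port
    is reported as 'new destination port'. Duplicate findings are collapsed.
    """
    findings = []
    seen = set()
    for src, dst, port in observed:
        known = profile.get(src)
        if known is None:
            reason = "unprofiled host"
        elif port not in known:
            reason = "new destination port"
        else:
            continue
        key = (src, dst, port, reason)
        if key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


if __name__ == "__main__":
    prof = build_port_profile(BASELINE_FLOWS)
    for src, dst, port, reason in find_port_anomalies(prof, OBSERVED_FLOWS):
        print(f"{src} -> {dst}:{port}  [{reason}]")
```

In practice the baseline would be rebuilt from a rolling window and reviewed before use, since a host that was already compromised during the learning period would have its attacker traffic baked into the profile.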
The Trend Micro Smart Protection Network blocked over 52 billion threats in 2015, a 25% decrease from 2014. This decrease is consistent with the downward trend of system infections since 2012, caused by attackers who have become more selective as well as by the shift in the technologies they use.