Cybercriminals are going to war against each other, a rare and unusual occurrence observed by Kaspersky Lab.
In 2014, a small, technically unremarkable hacking group called Hellsing was subjected to a spear-phishing attack by another threat actor. After this attack, Hellsing decided to strike back and launched a counter-attack.
Kaspersky Lab believes that this could mark the emergence of a new trend in criminal cyber activity: the APT wars.
During research into the cyberespionage group Naikon, Kaspersky Lab experts noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.
The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target’s own malware.
This move triggered Kaspersky Lab’s investigation and led to the discovery of the Hellsing APT group.
The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.
Further investigation into the Hellsing threat actor has revealed a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organisations.
If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, and of updating and uninstalling itself.
According to Kaspersky Lab’s observations, the number of organisations targeted by Hellsing is close to 20. The Hellsing malware has been picked up predominantly in Malaysia and the Philippines, though it has also been spotted in India, Indonesia and the US.
The Hellsing threat actors seem to be selective in their attacks, attempting to infect mostly government and diplomatic entities.
"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting, 'Empire Strikes Back' style, is fascinating. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists," commented Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab.
"However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu concluded.
According to Kaspersky Lab analysis, the Hellsing threat actor has been active since at least 2012 and remains active.