April 15, 2015

Hackers go head to head, igniting the APT Wars

Hacker group Hellsing deployed counter-attack against Naikon's spear-phishing attempt.

By Ellie Burns

Cybercriminals are going to war against each other, a rare and unusual occurrence observed by Kaspersky Lab.

In 2014, a small, technically unremarkable hacking group called Hellsing was subjected to a spear-phishing attack by another threat actor. After this attack, Hellsing decided to strike back and launched a counter-attack.

Kaspersky Lab believes that this could mark the emergence of a new trend in criminal cyber activity: the APT wars.

During research into the cyberespionage group Naikon, Kaspersky Lab experts noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.

The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target’s own malware.

This move triggered Kaspersky Lab’s investigation and led to the discovery of the Hellsing APT group.

The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.

Further investigation into the Hellsing threat actor has revealed a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organisations.

If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself.

According to Kaspersky Lab’s observations, the number of organisations targeted by Hellsing is close to 20. The Hellsing malware has been picked up predominately in Malaysia and the Philippines, though it has also been spotted in India, Indonesia and the US.

The Hellsing threat actors seem to be selective in their targeting, attempting to infect mostly government and diplomatic entities.

"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting, 'Empire Strikes Back' style, is fascinating. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists," commented Costin Raiu, Director of Global Research and Analyst Team at Kaspersky Lab.

"However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu concluded.

According to Kaspersky Lab analysis, the Hellsing threat actor has been active since at least 2012 and remains active.
