April 15, 2015

Hackers go head to head, igniting the APT Wars

Hacker group Hellsing deployed counter-attack against Naikon's spear-phishing attempt.

By Ellie Burns

Cybercriminals are going to war against each other, a rare and unusual occurrence observed by Kaspersky Lab.

In 2014, a small, technically unremarkable hacking group called Hellsing was subjected to a spear-phishing attack by another threat actor. After this attack, Hellsing decided to strike back and launched a counter-attack.

Kaspersky Lab believes that this could mark the emergence of a new trend in criminal cyber activity: the APT wars.

During research into the cyberespionage group Naikon, Kaspersky Lab's experts noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.

The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target’s own malware.

This move triggered Kaspersky Lab’s investigation and led to the discovery of the Hellsing APT group.

The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.


Further investigation into the Hellsing threat actor has revealed a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organisations.

If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself.

According to Kaspersky Lab’s observations, the number of organisations targeted by Hellsing is close to 20. The Hellsing malware has been picked up predominately in Malaysia and the Philippines, though it has also been spotted in India, Indonesia and the US.

The Hellsing threat actors seem to be selective in their attacks, attempting to infect mostly government and diplomatic entities.

"The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting, 'Empire Strikes Back' style, is fascinating. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists," commented Costin Raiu, Director of Global Research and Analyst Team at Kaspersky Lab.

"However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu concluded.

According to Kaspersky Lab analysis, the Hellsing threat actor has been active since at least 2012 and remains active.
