NetTraveler Surveillance Attack Widespread, Kaspersky Warns

The attacks use a surveillance toolkit Kaspersky calls NetTraveler and is believed to be behind myriad compromises from activists in Mongolia to individuals at oil and chemical refineries in India and Russia. Kaspersky researchers believe the earliest activity of the attack campaign dates back to 2004, but the NetTraveler tool has been more frequently used in cyberespionage attacks in the last several years.

"NetTraveler is designed to steal sensitive data as well as log keystrokes, and retrieve file system listings and various Office or PDF documents," according to Kaspersky.

[Related: Mandiant: Report Sending Chinese Cyberattackers Back To The Drawing Board? ]

The campaign, believed to be connected to attackers in China, uses vulnerabilities in Microsoft Office to initially compromise systems. Kaspersky said it estimates that at least 50 attackers are behind the cyberespionage campaign. The topics of interest of the NetTraveler group are wide-ranging and include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.

A key part of the attack was uploading the stolen data through a cloud hosting provider based in the United States. The attackers used FTP and VPN connections to transfer files securely through a server hosted by Orange, Calif.-based cloud hosting provider Krypt Technologies, which lists data centers in California, Virginia and Bangkok. Kaspersky Lab said it uncovered multiple command and control servers tied to the attack campaign in the United States, China and Hong Kong.

Krypt claims that it vets clients to weed out fraud and abuse of its server space. The verification process includes the requirement of a photo identification in addition to a valid credit card, said Mike Lee, general manager of support operations at Krypt Technologies.

Lee said Krypt has a proprietary system that monitors its systems for network traffic that would signal potential malicious activity. It also responds to subpoenas and warrants requesting information on clients or a shutdown of operations, Lee said. "We have a vigorous monitoring system before they can order a server from us," Lee said. "When malicious activity is detected and we have enough documentation that it is violating our terms of service, we will shut it down."

NetTraveler gets its name from an internal string present in the earliest versions of the malware: “NetTraveler Is Running!” The methods of the attackers are simple but effective, Kaspersky Lab said. The initial attack begins with a spear phishing email.

The security vendor's research arm identified more than 30 command and control servers the malware frequently used in the attacks, and the other files and artifacts left after a compromise has taken place. As part of the attack, a NetPass module is typically installed with keylogger functionality capable of recording all of the victim's keystrokes.

The attacks continue, according to Kaspersky, which sinkholed a command and control server and identified new victims in Mongolia, South Korea and India. Logs on the server taken over by Kaspersky date back to 2009, the firm said.

The majority of victims are identified as diplomatic, followed by government agencies and military targets. Private companies also make up the bulk of victims and include industrial firms and manufacturers. Stolen data is stored on the command control servers in plain text, without encryption or other code obfuscation mechanisms, Kaspersky said.

"By publishing this report we would like to raise awareness of all organizations and individuals who might become a victim of these attackers," Kaspersky Lab said. "We would like to encourage people of all countries to learn something from this report, check their systems and be prepared for potential future cyberattacks against them."

Kaspersky Lab noted an overlap of infections with the Red October cyberespionage campaign identified by Kaspersky in January. The malware used in Red October, which had a component that infiltrated a victim's mobile device, was found on some NetTraveler victim systems, Kaspersky Lab said, but added that the researchers could find no other connection among the attacks.

PUBLISHED ON JUNE 4, 2013