A previously unknown and sophisticated hacking group has engaged in highly targeted cyber-espionage against a host of South American and Asian governments since at least early 2015, according to new research from Symantec.
The hacking group called Sowbug, named after a sneaky but successful critter, has been conducting highly targeted attacks, according to Symantec, against organizations and governments in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia.
Judging by the incidents being investigated, Sowbug’s goal appears to be very specific information on foreign policy and diplomacy in South America and Southeast Asia. It’s an exceptional event because this type of espionage is relatively rare in those regions, compared with North America, Europe and other areas of Asia.
Sowbug has been successful in attacks against targeted foreign ministries, the U.S.-based Symantec said. The targeted governments and organizations have been informed of the breaches, the company said, and several are currently investigating to see if further infections occurred.
No one knew it at the time, but Sowbug was first publicly detected earlier in 2017 when the cybersecurity firm Forcepoint found a low-profile piece of malware it dubbed the Felismus remote access trojan (RAT). Felismus is custom-built, modular, well-written and scarce in the wild. Researchers also noted a high level of execution and strong operational hygiene from the attackers using Felismus.
Researchers don’t know who is behind Sowbug but have pointed out that the targets are all of interest to nation-state actors more than criminal threats.
“The tools they use are sophisticated,” Alan Neville, threat intelligence analyst at Symantec, told CyberScoop. He noted the modular nature of Felismus, and how it allows attackers to “extend the functionality of the backdoor” they implant on infected machines.
“It was also clear the attackers went to great lengths to remain under the radar in that they were only active within these organizations outside of standard working hours,” Neville said. “So, for example, they ensured they only moved across networks and steal information long after employees would normally be home so as not to tip off anyone that they were trying to move around the network.”
Sowbug managed to maintain presence on targeted networks for months at a time. Symantec knows of one instance where the hackers stayed on the target’s network for six months.
Analysts from the cybersecurity firm AlienVault said Felismus’s creators “appear to be quite skilled at hiding their tracks” and pointed to the malware detecting and avoiding popular antivirus software, impersonating commonly used software packages, twice-encrypted communications with command and control servers meant to appear to be normal web browsing and shopping traffic, obfuscated code and the active maintenance of the malware and dependent libraries.
After Felismus was first publicly outed earlier this year, Sowbug swiftly shut down some of the spotlighted infrastructure. The attackers likely moved to additional infrastructure, Neville said.
The Felismus backdoor, used to execute code on infected machines, is not Sowbug’s only tool.
“We’ve also been able to find another tool we’ve dubbed Starloader,” Neville said. “This tool is basically used to deploy and install the Felismus backdoor onto these hosts. We’ve identified additional tools as well used to move across networks, keyloggers and credential dumping tools suck as Mimikatz that we’ve seen.”
The attacker’s identity and the malware’s distribution method remains unclear.