First-Ever Brazilian APT Focuses on Corporate Espionage and IP Theft

Exterminator

Oct 23, 2012
By piecing together malware samples collected over the last eleven years, Kaspersky security researchers have uncovered the first major cyber-espionage group rooted in Brazil, one that focuses on stealing corporate information and closely guarded IP (Intellectual Property).

An APT (Advanced Persistent Threat) is a group of hackers that launch cyber-attacks against a limited set of targets with the sole purpose of stealing data that can be leveraged for monetary gain or intelligence gathering. APT groups use highly targeted attacks, generally focus on one target at a time, and are very careful not to get exposed.

Most of the time, APT groups are state-sponsored players that secretly work with intelligence agencies to spy on other governments or on companies operating inside the borders of a specific country. But this doesn't mean that all APTs are secret tentacles of a country's spy agencies.

The first APT group discovered operating from inside Brazil
As Kaspersky revealed at the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, there is an APT operating from Brazil that is not affiliated with the official government and appears interested in stealing information and infecting the IT networks of various countries or governments for its own gain.

Codenamed Poseidon because of the numerous Greek mythology terms used in the source code of its malware, the group has been active since 2005 and has targeted government institutions and companies operating in the energy and utilities, telecommunications, public relations, media, finance, and manufacturing sectors.

Kaspersky researchers say that the group exhibited a high degree of sophistication, deploying unique malware variants for each target it hacked and often abandoning its C&C (command and control) servers after each operation.

This allowed the group to go unnoticed for many years, even though its malware was detected by multiple security vendors, none of whom managed to piece together all the clues.

To showcase the group's versatility, Kaspersky explains that in one case Poseidon hacked satellite uplinks so it could reach ships at sea.

Poseidon's malware is ordinary but used sparingly
In almost all cases, Poseidon relies on classic social engineering and spear-phishing, sending a few very well-crafted emails to only a handful of individuals inside an organization.

These emails carry malicious RTF or DOC files whose macros download the initial malware. This first infection lets the attackers spread to nearby computers until they reach local servers or domain controllers, from which they can access more sensitive material.
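As a defender-side illustration of the initial vector described above (macro-bearing RTF and DOC lures), here is an added attachment-triage example; it is not code from the article or from Kaspersky, the sample documents are constructed stand-ins, and the checks are container heuristics rather than a full OLE parser.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # Compound File Binary header (legacy .doc)
# RTF has no native macros; risk arrives via embedded OLE objects or DDE fields.
RTF_RISKY = re.compile(rb"\\(objdata|objemb|objupdate|ddeauto|dde)\b", re.I)
# Storage names in OLE2 directory entries are stored as UTF-16LE.
OLE2_MACRO_MARKERS = ["Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le")]


def triage_attachment(data: bytes) -> list[str]:
    """Return heuristic findings for an Office/RTF attachment; [] means no indicator seen."""
    findings = []
    if data.startswith(b"PK\x03\x04"):                # OOXML (.docx/.docm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return ["ooxml: corrupt zip container"]
        if "word/vbaProject.bin" in names:
            findings.append("ooxml: embedded VBA project (macro-enabled document)")
        if any(n.startswith("word/embeddings/") for n in names):
            findings.append("ooxml: embedded OLE object")
    elif data.startswith(OLE2_MAGIC):
        if any(marker in data for marker in OLE2_MACRO_MARKERS):
            findings.append("ole2: VBA storage present (macro document)")
    elif data.lstrip().startswith(b"{\\rtf"):
        for m in RTF_RISKY.finditer(data):
            findings.append(f"rtf: control word \\{m.group(1).decode().lower()} (embedded object / DDE)")
    else:
        findings.append("unknown: not a recognised Office or RTF container")
    return findings


def _docm_sample() -> bytes:
    """Constructed macro-enabled OOXML document (placeholder VBA blob, not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples covering each container shape the article mentions.
SAMPLES = {
    "docm": _docm_sample(),
    "doc": OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le"),
    "rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "clean_rtf": b"{\\rtf1\\ansi Quarterly report attached.}",
}
```

A mail gateway would run `triage_attachment` on each attachment and quarantine or sandbox anything that returns a finding, logging the container type for the SOC.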

A crucial part of its malware arsenal is the IGT (Information Gathering Tool) toolkit, which is deployed only in the later stages of an attack, on the local servers and domain controllers; it contains functions that help the group steal the data it wants and then hide its tracks.

Because Poseidon has been around for so many years, its malware portfolio includes variants that can attack a broad range of Windows versions, from Windows 95 to Windows 8.1, and all the Server variants in between.

The group is interested in its own monetary gains
As Kaspersky shows, most of the time Poseidon seems interested in stealing proprietary information, technologies, and business information related to investments and stock valuations.

Most of the hacked companies are from Brazil, the United States, France, Kazakhstan, the United Arab Emirates, India, and Russia.

Besides robbing companies and presumably selling the data on the black market, the Poseidon group also appears to profit from its hacks directly.

"The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm," Kaspersky's GReAT team explains. "Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation."

Kaspersky states that it has found Poseidon malware samples in at least 35 companies and that its efforts to shut down the campaign were unsuccessful because of the group's shifty tactics.
 
