Red Star: Another advanced hacking crew from China is revealed

red star victims

This post is also available in: עברית (Hebrew)

red star victims
red star victims

In the spirit of last February’s report by Mandiant detailing the exploits of a Chinese-government-linked hacker group, Russian IT security giant Kaspersky Lab today released a report on another sophisticated Chinese cyber-espionage outfit, dubbed the Red Star APT (Advanced Persistent Threat) by the lab.

According to the lab, this advanced hacker group of about 50 people has been active since at least 2005, possibly 2004, and has invaded the networks of more than 350 “high profile” victims ranging from Tibetan and Uyghur freedom activists to government agencies, embassies, universities, defense contractors, and oil companies in 40 countries using “covert surveillance” and espionage software called NetTraveler. (The name sounds so innocent, doesn’t it?)

i-HLS ISRAEL Homeland Security 

Specifically, NetTraveler is delivered via a malicious Microsoft Office file inside a spearphishing email. Once installed on a machine, it steals sensitive data from victims’ machines, records victims’ keystrokes, and “retrieves” Microsoft Office files or PDF documents, according to Kaspersky. The malware is often used in conjunction with other cyberspy tools.

One of the best details about NetTraveler that Kaspersky listed in its report is the fact that it takes advantage of an old flaw in Microsoft Office, one the Seattle-based company issued a patch for a while ago. Nevertheless, poor network hygiene allowed the malware into victims’ networks.

“It is therefore surprising to observe that such unsophisticated attacks can still be successful with high-profile targets,” notes the lab’s report on Red Star, pointing out that, by not updating their software, the victims basically did some of the attackers’ work for them — they left the digital gate unlocked. Six of the victims were even infected by the Red October malware we told you about last fall.

“It’s kind of shocking that government institutions, diplomatic institutions that have been warned they were infected, they don’t do anything about it,” said Costin Raiu, director of the lab’s global research and analysis team, today during a cybersecurity forum in Washington that his company sponsored.

So, just what does the Red Star crew appear to be looking for? Sixty percent of its targets are government embassies, militaries, and other government agencies. The rest are predominantly research institutions, manufacturing firms, and aerospace businesses. The victims are also predominantly located in Asia, with Mongolia topping that list as the host of 29 percent of victims, followed by Russia (19 percent) India (11 percent), Kazakhstan (11 percent) and Kyrgyzstan (5 percent).

red star victim breakdown
red star victim breakdown

Among the information the Red Star gang is looking to steal is data on nanotechnology, lasers, aerospace technology, drilling gear, radio wave weapons, nuclear power, and communications tech, according to the lab.

Red Star recruits young hackers without a lot of technical expertise “who simply follow instructions” on how to develop and release NetTraveler on a set of targets they are given, Raiu said today. “They get a toolbox, they get instructions, they get the Trojans [malware] and they get a target — 20, 25, up to 30 different targets they need to attack. Just one single successfully completed project can actually pay their monthly expenses.”

The lab doesn’t come out and say that Red Star APT is affiliated with the Chinese government, only going so far as to say it is a “medium-sized threat actor group from China.” However, a number of factors suggest it might be. NetTraveler was developed by someone with native Chinese language skills, and IP addresses traced by Kaspersky are in China. What’s more, the victims are either businesses in sectors that China wants to excel in, political groups the Chinese government wants to keep tabs on, or government organizations. That being said, Red Star could just be “a non-government hacker group who steals IP and sells to whoever is buying,” Jeffrey Carr, CEO of cybersecurity firm TAIA Global noted on Twitter last night.