The Poseidon group may be a local cyber-security firm

Feb 9, 2016 12:01 GMT

By putting together different malware samples collected in the last eleven years, Kaspersky security researchers have uncovered the first-ever major cyber-espionage group rooted in Brazil, one that focuses on stealing corporate information and top-secret IP (Intellectual Property).

An APT (Advanced Persistent Threat) is a group of hackers that launches cyber-attacks against a limited set of targets with the sole purpose of stealing data that can be leveraged for monetary gain or intelligence gathering. APT groups use highly targeted attacks, generally focus on one target at a time, and are very careful not to get exposed.

Most of the time, APT groups are state-sponsored players that secretly work with intelligence agencies to spy on other governments or on companies that operate inside the borders of a specific country. But this doesn't mean that all APTs are secret tentacles of a country's spy agencies.

The first APT group discovered operating from inside Brazil

As Kaspersky revealed at the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, there's an APT operating from Brazil that's not affiliated with the official government and seems interested in stealing information and infecting the IT networks of various countries or governments for its own gain.

Codenamed Poseidon due to the numerous Greek mythology terms used in the source code of its malware, this group has been active since 2005 and has targeted government institutions and companies operating in the energy and utilities, telecommunications, public relations, media, finance, and manufacturing sectors.

Kaspersky researchers say that the group exhibited a high degree of sophistication, deploying unique malware variants for each target it hacked and often discarding C&C (command and control) servers after each operation.

This has allowed the group to go unnoticed for many years, even though its malware was detected by multiple security vendors, none of whom could piece together all the clues.

To showcase the group's versatility, Kaspersky explains that in one case, Poseidon hacked satellite uplinks so it could reach ships at sea.

Poseidon's malware is ordinary but used sparingly

In almost all cases, Poseidon relies on classic social engineering and spear-phishing tricks, sending a few very well-crafted emails to only a few individuals inside an organization.

These emails contain malicious RTF or DOC files that use embedded macros to download the initial malware. This first infection lets the hackers spread to nearby computers until they find local servers or domain controllers from which they can access more sensitive materials.
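The infection vector described above (RTF or DOC attachments carrying macros or embedded objects) is what a mail-gateway triage step should catch before a user ever opens the file. The following is an added example, not code from the article or from Kaspersky: a dependency-free Python heuristic that inspects an attachment's container format and flags the markers that only appear when a document carries a VBA project or an embedded OLE object, and that notes extension/content mismatches (an RTF file delivered as `.doc`). The sample attachments at the bottom are constructed byte blobs with the relevant format markers, not real documents or malware; the OLE sample in particular is not a valid compound file, only a buffer that carries the stream-name marker the check looks for.

```python
import io
import zipfile

# Magic bytes for the container formats Word will open.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file (.doc, .xls)
RTF_MAGIC = b"{\\rtf"                               # Rich Text Format
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm are zip files)

# OLE directory entries are stored as UTF-16LE, so encode the storage/stream
# names that exist only when a VBA project is present in the file.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]
# RTF control words that introduce embedded OLE objects or OLE data blobs.
RTF_OBJECT_MARKERS = (b"\\objdata", b"\\objemb", b"\\objupdate")
# OOXML part that holds macros; a plain .docx never contains it.
OOXML_VBA_PART = "word/vbaProject.bin"


def detect_container(data: bytes) -> str:
    """Identify the outer container from its leading bytes, not its extension."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return {'container', 'reasons', 'suspicious'} for one attachment."""
    container = detect_container(data)
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if container == "rtf":
        hits = [m.decode() for m in RTF_OBJECT_MARKERS if m in data]
        if hits:
            reasons.append("RTF embeds OLE object(s): " + ", ".join(hits))
        if ext in ("doc", "docx", "docm"):
            reasons.append("RTF content served under a .%s extension" % ext)
    elif container == "ole":
        if any(m in data for m in OLE_VBA_MARKERS):
            reasons.append("OLE file contains VBA project streams")
    elif container == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
            reasons.append("ZIP container is malformed")
        if OOXML_VBA_PART in names:
            reasons.append("OOXML package contains " + OOXML_VBA_PART)
            if ext == "docx":
                reasons.append("macro-enabled content under a .docx extension")
    else:
        if ext in ("doc", "docx", "docm", "rtf"):
            reasons.append("extension .%s but unrecognised container" % ext)

    return {"container": container, "reasons": reasons, "suspicious": bool(reasons)}


def triage(attachments):
    """Classify (filename, bytes) pairs; suspicious items are listed first."""
    results = [dict(filename=f, **classify_attachment(f, d)) for f, d in attachments]
    return sorted(results, key=lambda r: not r["suspicious"])


# --- constructed sample attachments (format markers only, not real documents) ---
def _ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(OOXML_VBA_PART, b"\x00" * 16)
    return buf.getvalue()


SAMPLES = [
    # OLE header plus the UTF-16LE "Macros" storage name (constructed, not a valid file)
    ("quarterly_results.doc", OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64),
    # RTF with an embedded object, delivered under a .doc extension
    ("contract.doc", RTF_MAGIC + b"1\\ansi {\\object\\objemb {\\*\\objdata 0105000002000000}}}"),
    ("agenda.docx", _ooxml(with_macro=True)),     # macro part inside a "docx"
    ("minutes.docx", _ooxml(with_macro=False)),   # ordinary document
    ("notes.rtf", RTF_MAGIC + b"1\\ansi Plain text only.}"),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['filename']:24} {r['container']:7} {'; '.join(r['reasons'])}")
```

The check deliberately keys on the container's own bytes rather than the filename, since the extension is under the sender's control; a production gateway would feed flagged items to a full parser (or detonate them) rather than block on these markers alone, because legitimate macro-enabled documents also trip them.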

A crucial part of its malware arsenal is the IGT (Information Gathering Tool) toolkit, which is deployed only in the attack's later stages, on the local servers and domain controllers, and contains functions that help the group steal the desired data and then hide its tracks.

Because Poseidon has been around for so many years, its malware portfolio includes variants that can attack a broad range of Windows versions, from Windows 95 to Windows 8.1, and all the Server variants in between.

The group is interested in its own monetary gains

As Kaspersky shows, most of the time Poseidon seems interested in stealing proprietary information, technologies, and business information related to investments and stock valuations.

Most of the hacked companies are from Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia.

Poseidon's targets

Besides robbing companies and presumably selling the data on the black market, the Poseidon group also seems to profit from its hacks directly.

"The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm," Kaspersky's GReAT team explains. "Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation."

Kaspersky states that they've found Poseidon malware samples in at least 35 companies and that their efforts to shut down the campaign weren't successful due to the group's shifty tactics.

Poseidon detected malware samples
