Confidential documents from Japanese politics stolen by malware

Pierluigi Paganini January 05, 2013

Last December Japan Aerospace Exploration Agency was hit again by malware  that stolen secret information on newest rockets from an internal computer, it was not first time for the Japanese agency that was already victim of a cyber attack having same purpose, cyber espionage to obtain information on another technological advanced project related to the design of an unmanned vessel that ferries cargo to the International Space Station, the “H-2 Transfer Vehicle”.

Not only the industry is target of the offensives,  also internal politic class of the country is subject to continuous attacks, once again Japan ministry computers were infected by malware that suspected to have stolen more than 3,000 confidential documents,  many on global trade negotiations including the US-led Trans-Pacific Partnership multilateral trade pact.

The National Information Security Center of the Cabinet Secretariat traced anomalous outwards connections that used HTran tool.

Forensics experts discovered during the investigation that the attackers used “HTran” the Advanced Persistant Threat (APT) exploit kit to infect computers at country’s Ministry of Agriculture, Forestry and Fishery.

Dell’s security team reported that the authors of the malware are Chinese and it dated malware creation back to 2003, Dell Securwork post on the agent states:

“HTran (aka HUC Packet Transmit Tool) is a rudimentary connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host. The source code copyright notice indicates that HTran was authored by “lion”, a well-known Chinese hacker and member of “HUC”, the Honker Union of China. The purpose of this type of tool is to disguise either the true source or destination of Internet traffic in the course of hacking activity.

Source code can be readily found on the Internet:

http://read.pudn.com/downloads199/sourcecode/windows/935255/htran.cpp__.htm 

The principal use for HTran is the camouflage of Command &Control (C&C) servers to hinder the discovery of the origin of the attack, so far the perpetrators of the attacks have not yet been identified.

For your information following is reported the list of the attacks that hit Japanese industries and institutions from 2011, personally I consider that the number of attacks is higher and due to the nature of the offensive many of them haven’t been discovered. These are without doubts cyber espionage operations, state-sponsored attacks, for which usually are used zero-day exploits to elude defense systems of the victims.

Many attacks were originated from China, the most active country in cyber espionage, the Elderwood project is the demonstration that groups of hackers are exploiting zero-day vulnerabilities to steal sensible information and to compromise control systems inside critical infrastructures.

 

     
Mitsubishi Heavy Industries (defense contractor) August 2011 Companies networks infected by malware that sent outside information on defense systems.
Japan’s lower house of parliament October 2011 cyber espionagecampaign originated from China exposed sensible information at least a month.The infection was possible thanks phishing campaign against Lower House member started in July. Also in this case a malware was used for the attack.
Japan Aerospace Exploration Agency January 2012 Malware infected a data terminal at Japan’s space agency stealing sensitive information including data related to H-2 Transfer Vehicle
The Japanese Finance Ministry July 2012 The Japanese Finance Ministry declares that its computers have been infected with a virus in the from 2010 to 2011 causing leaks of information.

 

Pierluigi Paganini

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 5.0, ransomware)



you might also like

leave a comment