Confidential documents from Japanese politics stolen by malware

Last December Japan Aerospace Exploration Agency was hit again by malware  that stolen secret information on newest rockets from an internal computer, it was not first time for the Japanese agency that was already victim of a cyber attack having same purpose, cyber espionage to obtain information on another technological advanced project related to the design of an unmanned vessel that ferries cargo to the International Space Station, the “H-2 Transfer Vehicle”.

Not only the industry is target of the offensives,  also internal politic class of the country is subject to continuous attacks, once again Japan ministry computers were infected by malware that suspected to have stolen more than 3,000 confidential documents,  many on global trade negotiations including the US-led Trans-Pacific Partnership multilateral trade pact.

The National Information Security Center of the Cabinet Secretariat traced anomalous outwards connections that used HTran tool.

Forensics experts discovered during the investigation that the attackers used “HTran” the Advanced Persistant Threat (APT) exploit kit to infect computers at country’s Ministry of Agriculture, Forestry and Fishery.

Dell’s security team reported that the authors of the malware are Chinese and it dated malware creation back to 2003, Dell Securwork post on the agent states:

“HTran (aka HUC Packet Transmit Tool) is a rudimentary connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host. The source code copyright notice indicates that HTran was authored by “lion”, a well-known Chinese hacker and member of “HUC”, the Honker Union of China. The purpose of this type of tool is to disguise either the true source or destination of Internet traffic in the course of hacking activity.

Source code can be readily found on the Internet:

http://read.pudn.com/downloads199/sourcecode/windows/935255/htran.cpp__.htm 

The principal use for HTran is the camouflage of Command &Control (C&C) servers to hinder the discovery of the origin of the attack, so far the perpetrators of the attacks have not yet been identified.

For your information following is reported the list of the attacks that hit Japanese industries and institutions from 2011, personally I consider that the number of attacks is higher and due to the nature of the offensive many of them haven’t been discovered. These are without doubts cyber espionage operations, state-sponsored attacks, for which usually are used zero-day exploits to elude defense systems of the victims.

Many attacks were originated from China, the most active country in cyber espionage, the Elderwood project is the demonstration that groups of hackers are exploiting zero-day vulnerabilities to steal sensible information and to compromise control systems inside critical infrastructures.

 

 

Pierluigi Paganini

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 5.0, ransomware)