Criminal crew Hellsing strikes back after attack by a rival APT group

The elite cyber crime group Hellsing strikes back after an attack by the rival APT crew known as Naikon. This is the first documented case of an APT-on-APT attack.

What happens when an APT group running a cyber espionage campaign targets a second, distinct APT group?

The events occurred last year, when a group involved in a cyber espionage campaign dubbed Hellsing sent a spear phishing email to a rival hacking team, the Naikon APT, which is one of Asia's largest APT gangs.

“The email in this case originates from a government email … and is directed to the Naikon attackers. They decided to strike back at the attacker, a spy-on-spy sort of move,” explained Costin Raiu, head of Kaspersky’s global research and analysis team. “They [Hellsing] are interested in infecting other APTs and learning about their operations.”

The Naikon APT has been active for several years, and its operations have targeted entities in various industries, including governments and the military. The hacking crew targeted diplomats, law enforcement, and aviation authorities in many Asian countries such as the Philippines, Malaysia, Cambodia, and Indonesia.

The unusual discovery was made by experts at Kaspersky, who provided a detailed analysis of the attack. The Hellsing APT attached a payload used to deliver powerful malware that infects the victim’s PC.

Researchers at Kaspersky Lab explained that Hellsing surgically selected about 20 organizations, limiting its operation to the US, Malaysia, the Philippines, Indonesia, and India. The name Hellsing comes from the project title left by a developer in malicious source code used by the hacking team.

Experts at Kaspersky consider the circumstance highly unusual and believe that it could be the beginning of a dangerous new trend in the criminal ecosystem; they described these activities as APT-on-APT attacks.

“The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack,” reports the analysis published by Kaspersky.

The battle between the two APT groups began last February, when Naikon ran a spear phishing campaign against a number of adversaries, including Hellsing. For its part, the Hellsing group started its counteroffensive once it had discovered the malicious campaign and its source.

In March 2014, a few weeks after Naikon targeted other APT groups, including the Hellsing APT, the team launched a spear phishing campaign on most of the countries involved in the search for the disappeared Malaysia Airlines Flight MH370. The campaign targeted a wide range of entities, including institutions with access to information related to the disappearance of MH370.

The analysis of the command and control infrastructure revealed that Hellsing has ties to other groups, including PlayfulDragon, Mirage, Vixen Panda, Cycldek and Goblin Panda.

I suggest you carefully read this report that details an operation that is considered the first APT-on-APT attack that has been witnessed by the experts.


Pierluigi Paganini

(Security Affairs –  APT, Hellsing)
