Blue Termite APT group focuses on Japanese organizations

Security experts at Kaspersky Lab have analyzed the cyber attacks run by the Blue Termite APT, a hacking crew focused on Japanese organizations.

According to the experts at Kaspersky, an APT group dubbed Blue Termite has been active since at least November 2013, focusing its attacks on Japanese organizations. The Blue Termite APT crew has also hit other organizations worldwide, but most of its command-and-control (C&C) infrastructure is located in Japan.

The list of targets is long and includes government agencies, financial services firms, banks, universities, public interest groups, news companies, and various organizations from sectors such as automotive, healthcare, chemical, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.

According to the experts, the Blue Termite APT is responsible for the recent data breach suffered by the Japan Pension Service, which exposed the personal details of 1.25 million people.

The researchers noticed a spike in the number of Blue Termite infections since July, and the APT is still active. In July the group started leveraging a Flash Player exploit (CVE-2015-5119) leaked following the Hacking Team hack; the APT used the Flash Player exploit in spear-phishing emails to infect victims before its public disclosure.

In July, the Blue Termite hackers deployed the Hacking Team exploit on several compromised Japanese websites in order to deliver the malware for their campaign via drive-by download attacks.

In some cases the APT conducted surgical operations, infecting only the computers of certain users; for instance, it adopted the watering hole attack against a prominent member of the Japanese government.

In another case, the Blue Termite hackers used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be infected.

Blue Termite has been leveraging customized data stealers belonging to the Emdivi family.

“Kaspersky Lab detected the tailored malware, ‘emdivi t20’. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated,” states the post published on SecureList.

“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.

Attribution is never simple when dealing with APTs, but experts at Kaspersky speculate that the attackers are likely Chinese speakers.

Kaspersky isn’t the only firm that has analyzed the Blue Termite APT; Symantec has also been monitoring it, and in November 2014 the company published a report on a cyber espionage campaign dubbed “CloudyOmega.”

Symantec reported that the APT group behind the CloudyOmega operation is linked to the Hidden Lynx APT and to the threat actor responsible for the “LadyBoyle” attacks.

Trend Micro also published a report on the APT.


Pierluigi Paganini

(Security Affairs – Blue Termite, APT)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
