December 31, 2014 by

Top Cyberespionage Campaigns of 2014

Since it is the last day of the year, let’s have a look at this year’s top APT campaigns. This year surely was action-packed when it comes to various forms of hacking, data breaches, new malware, and related matters. Some of the most sophisticated cyberespionage campaigns have been revealed this year. Many of them are so advanced that there is not a bit of doubt they are state-backed. Although many new APTs were discovered, thinking about what is still out there is rather disconcerting, considering how long many of these campaigns lay undiscovered. The list below contains an overview of the most notable campaigns of 2014.

REGIN – Regin APT is the undisputed king among APTs revealed in 2014.

Targets: Telecommunication operators, governments, financial institutions, research institutions – mainly with a focus on mathematical and cryptographic research.
Countries: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.

Key Features:

  • Appears to have been in operation since 2003.
  • Capable of compromising an entire victim network.
  • Incredibly complex, stealthy communication with C&C servers.
  • Contains module capable of mapping GSM structures – in 2008 gained complete control of one middle-eastern country’s GSM network.

DARKHOTEL – The Darkhotel operation was a well-executed cyberespionage campaign targeting executives.

Targets: C-level officials and senior management, Marketing Directors, top R&D persons.
Countries: Main focus on Japan, Taiwan, China, Russia and South Korea.

Key Features:

  • Continuous use of zero-days targeting Internet Explorer and Adobe PDF and Flash.
  • Use of both targeted attacks and botnets.
  • Advanced mathematical and crypto-analytical offensive capabilities.
  • Well-developed low-level keyloggers within an effective and consistent toolset.
  • Ability to compromise and maintain access to global networks of hotels over many years.

CLOUD ATLAS – Cloud Atlas turned out to be the notorious RedOctober cyberespionage campaign reborn.

Targets: Diplomatic organizations and government bodies.
Countries: Main focus on Russia, Kazakhstan, Belarus, India, and Czech Republic.

Key Features:

  • Many shared features with RedOctober – including same targets, spearphishing techniques, encryption, and more.
  • Implants utilize a rather unusual C&C mechanism – ability to restore access even if the C&C server is compromised.
  • Malware loader and a final payload that is stored, encrypted and compressed in an external file.

SANDWORM – Sandworm is the advanced cyberespionage group behind the NATO and Ukraine attacks.

Targets: Political bodies, governments, energy industry, suppliers of heavy power related materials, investors, academia, and high-tech.
Countries: Russia, Ukraine, Poland, Lithuania, Belarus, Azerbaijan, Kyrgyzstan, Kazakhstan, Iran, Israel, Turkey, Libya, Kuwait, Taiwan, Vietnam, India, Croatia, Germany, Belgium, and Sweden.

Key Features:

  • Utilizing a modified version of the BlackEnergy criminal malware (BlackEnergy2) – every Sandworm attack in 2014 was carried out using BE2.
  • Ability to steal digital certificates, attack Cisco networking devices, and even to target ARM and MIPS platforms.
  • Protected their servers by keeping their non-Windows hacking tools and plug-ins on separate servers or in separate server folders.
  • Russian-speaking authors.

Although these were some of the most prominent cyberespionage campaigns of 2014, many other campaigns were reported during the year, including Epic Turla, the Russian APT28, APT3, and others.

Based on the current success of APTs concentrating on cyberespionage, it is likely that cybercriminals are already picking up on the benefits of a stealthy, persistent presence. In 2015 we are likely going to see a widespread evolution in cybercrime campaigns – mimicking current espionage APT mechanics. Criminals are realizing that targeting end users is less effective than targeting, let’s say, a bank directly.


About the author

Ondrej Krehel is the CEO and Founder of LIFARS LLC, an international cybersecurity and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters—from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal and The New York Times, among many others.