A new attack campaign has just been discovered. The espionage operation is targeting government organizations in the Asia-Pacific (APAC) region. These findings are detailed in Kaspersky's latest report on the APT (Advanced Persistent Threat) landscape for Q3 2023.
Specifically, Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a long-running espionage campaign conducted by a previously unseen attacker. The attacker has been secretly monitoring and collecting sensitive data from APAC government organizations by exploiting encrypted USB drives, which are protected by hardware encryption to ensure secure storage and transfer of data between computer systems. These USB drives are used by government organizations around the world, increasing the likelihood that more organizations will fall victim to these attacks in the future.
The campaign uses a variety of malicious modules that allow attackers to gain full control over the victim’s device. This allows them to execute commands, collect files and information from compromised machines, and infect other machines using the same or a different type of encrypted USB drive. Additionally, the APT is adept at deploying other malicious files onto infected systems.
“Our research shows that the attack uses highly sophisticated tools and techniques, including virtualization-based software encryption, low-level communication with USB drives using direct SCSI commands, and self-replication via connected encrypted USBs. These operations are carried out by a highly skilled and sophisticated threat actor with a deep interest in espionage activities in sensitive and protected government networks,” said Noushin Shabab, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
To prevent the risk of becoming a victim of a targeted attack, Kaspersky researchers recommend taking the following measures:
- Regularly update your operating system, applications, and anti-virus software to stay protected from potential vulnerabilities and security risks.
- Be cautious of emails, messages, or calls asking for sensitive information. Verify the identity of the person requesting information before sharing personal data or clicking on suspicious links.
- Provide access to the latest threat intelligence for your Security Operations Center (SOC). Kaspersky Threat Intelligence Portal is Kaspersky's single point of access for threat intelligence and cyberattack data.