Cyberespionage campaign 'NetTraveler' siphoned data from hundreds of high-profile targets, researchers say

The operation compromised government institutions, companies and activists from around the world, researchers from Kaspersky Lab said

An ongoing cyberespionage campaign compromised over 350 high-profile victims from more than 40 countries over the past eight years, including political activists, research centers, governmental institutions, embassies, military contractors and private companies from various industries.

Researchers from antivirus vendor Kaspersky Lab named the campaign NetTraveler, after a string found in the main data stealing malware associated with the attacks.

The largest number of NetTraveler malware samples was created between 2010 and 2013, but the earliest samples identified have time stamps from 2005 and there's some evidence that the malware has been active since 2004, the Kaspersky researchers said Tuesday in a blog post.

NetTraveler, also known as Travnet, is designed to steal documents, primarily DOC, XLS, PPT, RTF and PDF, and to perform basic computer surveillance. However, some configurations target extended lists of files, including those with extensions like CDR, which are associated with Corel Draw, or DWG, DXF, CDW and DWF, which correspond to AutoCAD projects.
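From the defender's side, the list of targeted extensions is the most actionable detail in that description: a document-stealing implant has to open many such files in quick succession, which ordinary user activity rarely does. The following detector is an added illustration, not code from the Kaspersky report or this article; it runs over constructed endpoint file-access log lines (the line format, hostnames, process names, paths, window and threshold are all assumptions) and flags any single process that reads five or more distinct document/CAD files within a 60-second window.

```python
"""Bulk document-access detector (added example, not from the original report).

Flags a process that reads many distinct document or CAD files in a short
window, using the extension sets described for NetTraveler configurations.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Default document set and extended CAD/vector-graphics set named in the report.
DOC_EXTS = {"doc", "xls", "ppt", "rtf", "pdf"}
CAD_EXTS = {"cdr", "dwg", "dxf", "cdw", "dwf"}
WATCHED_EXTS = DOC_EXTS | CAD_EXTS

# Constructed log-line format (assumption; not any real product's schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["ext"] = ev["path"].rsplit(".", 1)[-1].lower() if "." in ev["path"] else ""
    return ev


def detect_bulk_reads(lines, window_s=60, threshold=5):
    """Return one alert per (host, pid, proc) that reads >= threshold distinct
    watched files within window_s seconds. Non-document reads and malformed
    lines are ignored; each process alerts at most once."""
    recent = defaultdict(deque)  # key -> deque of (timestamp, path) in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] != "read" or ev["ext"] not in WATCHED_EXTS:
            continue
        key = (ev["host"], ev["pid"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], ev["path"].lower()))
        # Slide the window: drop events older than window_s relative to this one.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            exts = sorted({p.rsplit(".", 1)[-1] for p in distinct})
            alerts.append({"host": key[0], "pid": key[1], "proc": key[2],
                           "files": len(distinct), "exts": exts})
    return alerts


# Constructed sample log: a user opening two documents over twenty minutes,
# then an unrelated process sweeping a folder of documents within seconds.
SAMPLE_LOG = """
2013-06-04T09:00:00Z host=ws01 pid=1200 proc=winword.exe op=read path=C:\\Users\\alice\\Documents\\budget.doc
2013-06-04T09:20:00Z host=ws01 pid=1200 proc=winword.exe op=read path=C:\\Users\\alice\\Documents\\plan.doc
2013-06-04T09:41:10Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Windows\\System32\\kernel32.dll
2013-06-04T09:41:11Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Documents\\budget.doc
2013-06-04T09:41:12Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Documents\\plan.doc
2013-06-04T09:41:13Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Documents\\q2.xls
2013-06-04T09:41:14Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Documents\\deck.ppt
2013-06-04T09:41:15Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Desktop\\site.dwg
2013-06-04T09:41:16Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Desktop\\site.dwg
this line is malformed and is skipped by the parser
2013-06-04T09:41:20Z host=ws01 pid=4412 proc=svchost.exe op=read path=C:\\Users\\alice\\Desktop\\logo.cdr
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bulk_reads(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['host']} pid={a['pid']} {a['proc']} read "
              f"{a['files']} document files ({', '.join(a['exts'])}) within 60s")
```

The sliding window is what keeps the benign case quiet: two reads twenty minutes apart never coexist in a 60-second window, while the sweep of six files in ten seconds trips the threshold on the fifth distinct file. Tuning the window and threshold to a site's normal document-handling rate, and excluding known bulk readers such as backup or indexing agents, is the practical part of deploying something like this.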

In addition to the NetTraveler malware, the attackers behind this campaign also used other backdoor-type malware including Saker, also known as Xbox, and PCRat, also known as Zegost.

The primary attack method consists of spear-phishing emails carrying malicious documents that exploit two remote code execution vulnerabilities that affect Microsoft Office, namely CVE-2012-0158 and CVE-2010-3333, in order to install the malware.

These vulnerabilities were fixed by Microsoft in 2012 and 2010 respectively, but they are still effective against targets that haven't deployed the patches and are commonly exploited to infect computers in targeted attacks, the Kaspersky researchers said in a report about the cyberespionage campaign released Tuesday.

There is no evidence that the NetTraveler attackers used advanced techniques like the exploitation of zero-day -- previously unknown -- vulnerabilities or sophisticated malware like rootkits, the researchers said. "It is therefore surprising to observe that such unsophisticated attacks can still be successful with high profile targets."

Based on an analysis of infection logs from several of the command and control (C&C) servers associated with this campaign, which show activity going back to 2009, the Kaspersky researchers identified over 350 victims. However, because there are other C&C servers from which logs have not been obtained, the total number of victims is estimated to be around 1,000, they said.

"We have calculated the amount of stolen data stored on C&C servers to be 22+ gigabytes," the researchers said. "However this data represents only a small fraction which we managed to see -- the rest of it had been previously downloaded and deleted from the C&C servers by the attackers."

Detection statistics for NetTraveler samples collected from Kaspersky's network showed that the country with the highest number of infections is Mongolia, followed by Russia, India and Kazakhstan. The U.S. is not in the top 10.

The Kaspersky researchers estimate that the NetTraveler cyberespionage group has around 50 members, most of whom are native speakers of Chinese and have some knowledge of English. The group's most recent domains of interest include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications, the researchers said.

A small number of victims infected with the NetTraveler malware were also infected with the malware used in the Red October cyberespionage campaign that was reported by Kaspersky in January. These include a military contractor in Russia, an embassy in Iran, an embassy in Belgium, an embassy in Kazakhstan, an embassy in Belarus and a government entity from Tajikistan.

There were no direct links found between the NetTraveler and the Red October attackers, but the small overlap of victims is nonetheless interesting, the Kaspersky researchers said. "These infections indicate that certain high profile victims are targeted by multiple threat actors; the target information is a valuable commodity."

More details about attribution, victim identities and links with other attack campaigns are included in a private report that will be shared with selected parties, including local authorities from countries where victims were identified, Kaspersky Lab said.


Stories by Lucian Constantin
