Chinese 'NetTraveler' hackers stole data from 350 organisations, says Kaspersky Lab

At least 40 countries involved

An apparently innocuous piece of malware called NetTraveler has been identified as a key component of a Chinese APT campaign that has spent the last decade stealing data from 350 organisations in 40 countries, Kaspersky Lab has found.

NetTraveler (also called Travnet) is an intriguing 'exfiltration' data stealer and backdoor whose genesis Kaspersky said could go back as far as 2004, with a particular period of activity since 2010.

According to the Russian firm, NetTraveler has been busy, most recently targeting Tibetan and ethnic Uyghur activists as well as companies working in energy, scientific research, government institutions, universities, military contractors and embassies in countries as far apart as Iran, Belgium and Belarus.

These are bread-and-butter targets for APT attackers, who would smuggle NetTraveler inside organisations using booby-trapped emails and attachments (i.e. PDFs and Word files) that exploited well-worn software vulnerabilities.

The company said it had found over 22GB of stolen data on command and control servers but believed this was only a small fraction of what had probably been taken over the years.

Judging from the targeting, the consistent design and the single command-and-control infrastructure, the attacks were likely the work of a single Chinese organisation, the firm said.

The main countries affected were Mongolia (29 percent), Russia (19 percent), India (11 percent), Kazakhstan (11 percent), with smaller percentages in a host of countries in the same region. US and UK victims represented fractions of 1 percent of those targeted.

The most extraordinary thing about NetTraveler is probably not its sophistication, because its design, operation and habit of trying its luck with older vulnerabilities mark it out as anything but sophisticated. It is simply the length of time it has been stealing data without being identified: most of a decade, and certainly since 2005.

"Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively and have knowledge of English language," said Kaspersky Lab's researchers in their analysis.

"Although not very advanced, the NetTraveler attackers have successfully compromised hundreds of targets around the world, with the highest number in Mongolia, India and Russia."

Whatever its origins, NetTraveler sounds similar in kind to another piece of APT-like malware discovered by Kaspersky Lab earlier this year, Red October. Although more recent, that too targeted a similar list of countries and organisations with an equally impressive success rate.
