Tropic Trooper exploits old vulnerabilities to unearth state and corporate secrets in Taiwan and Philippines
Wed 20 May 2015
Taiwan and the Philippines have been revealed as the latest targets in the ongoing campaign ‘Operation Tropic Trooper’ – a three-year-old cyberattack that uses old hacking tactics against government bodies and leading businesses.
According to research by security firm Trend Micro, Tropic Trooper hackers had been exploiting Windows vulnerabilities, social engineering and basic steganography to infiltrate the IT systems of Taiwanese and Philippine government agencies and military institutions, as well as national companies involved in heavy industry.
“Throughout March to May 2015, our researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on Philippine entities,” wrote Trend Micro.
The research report also highlighted that these successful hacks, which relied on long-known techniques, could have been easily prevented, or at least better contained, had the victims implemented proactive antimalware detection technologies and security training processes.
The actors behind Tropic Trooper are familiar with their targets’ IT networks and know where the vulnerabilities lie. Spear-phishing emails with malicious attachments were crafted to bait recipients. The decoy documents purported to contain information on planned bombings, CVs or government budgets.
Two well-known Windows vulnerabilities, CVE-2010-3333 and CVE-2012-0158, were exploited in the attacks to deliver the Trojan TROJ_YAHOYAH, which downloaded and decrypted an apparently harmless decoy image or file.
Those images or files concealed, by basic steganography, the backdoor BKDR_YAHAMAM, which Trend Micro describes as malware that “steals data from the system, kills processes and services, deletes files and directories, puts systems to sleep, and performs other backdoor capabilities.”
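The decoy images in this campaign carried a backdoor hidden by what the report calls basic steganography. One cheap triage check a defender can run over attachments and downloaded images is to ask whether a file holds bytes beyond the point where a well-formed PNG or JPEG decoder stops reading. The Python below is an added example, not code from Trend Micro or from the report; it assumes the simplest appended-payload form of steganography (the article does not say how the backdoor was embedded), walks the PNG chunk list and the JPEG marker segments rather than trusting a naive end-of-file search, and builds its own constructed sample images inline (a genuine 1x1 PNG and a structurally valid JPEG skeleton that is not a decodable picture).

```python
"""Flag image files that carry extra bytes after the image's logical end.

Added example (not from the Trend Micro report). Assumption: the hidden payload
is appended after the PNG IEND chunk or the JPEG EOI marker. This catches the
crudest form of image steganography only; LSB-style hiding inside pixel data
needs a different check. Sample images below are constructed for the demo.
"""
import struct
import zlib
from typing import Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, found by walking the chunk list."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length+type header, payload, CRC
        if pos > len(data):
            return None                # truncated chunk
        if ctype == b"IEND":
            return pos
    return None                        # no IEND: malformed or truncated


def jpeg_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, found by walking marker segments.

    Searching for the first FF D9 would stop early on an embedded EXIF
    thumbnail, so segments are skipped by their declared length and the
    entropy-coded scan data is skipped until a real (non-stuffed, non-RST)
    marker appears.
    """
    if not data.startswith(JPEG_SOI):
        return None
    n, pos = len(data), 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:             # EOI
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                   # standalone markers carry no length
        if pos + 2 > n:
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:             # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data: bytes) -> Tuple[str, int]:
    """Return (format, number of bytes after the logical end) or ('unknown', 0)."""
    for name, finder in (("png", png_logical_end), ("jpeg", jpeg_logical_end)):
        end = finder(data)
        if end is not None:
            return name, len(data) - end
    return "unknown", 0


# --- constructed samples, only to exercise the checks above -----------------

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A genuine 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Structurally valid JPEG skeleton (APP0 + SOS + stuffed scan data + EOI)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34"          # FF 00 is a stuffed byte, not a marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    for label, blob in (("clean png", build_sample_png()),
                        ("png + appended blob", build_sample_png() + b"MZ" + b"\x00" * 20),
                        ("jpeg + appended blob", build_sample_jpeg() + b"payload")):
        fmt, extra = trailing_bytes(blob)
        print(f"{label}: format={fmt} trailing_bytes={extra}")
```

A non-zero trailing count is a reason to quarantine and inspect the file, not proof of malice by itself: some legitimate tools append metadata too, so the check belongs at the triage stage, alongside patching of the CVEs named above and attachment scanning.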
The ease with which the IT systems were accessed suggests that the organisations were running unpatched, vulnerable networks, which would have left them exposed to other threats, not just Tropic Trooper.
It is thought that the main aim of the ongoing attacks is to extract critical and sensitive information from major industries and national agencies, including intelligence, state secrets and data that would confer a competitive advantage.