ATK33

ATK33 (aka: PLATINUM by Microsoft) is a cyber espionage group active since at least 2009.

 

The attacks of this adversary are different from those seen in untargeted or targeted attacks, which makes it peculiar in many ways. When part of the targeted attacks can be qualified as opportunistic: This group will prefer to modify their target profiles and geographic attack zones based on geopolitical events.

 

Thus, no target is immune in the world. ATK33's objective will be to steal sensitive intellectual property related to government interests, The group has systematically targeted specific government organizations, defense institutes, intelligence agencies, diplomatic institutions and telecommunications providers in South and Southeast Asia. The recurrent use of spear phishing tactics (phishing attempts targeting specific individuals) and access to previously unknown zero-day exploits have made it a very resilient threat.

 

For initial access it uses mainly spear-phishing, we have also seen the use of nuisance attacks against vulnerable browser plugins. It uses several zero-day exploits suggesting that this is a well-resourced group. ATK33 is less prolific in the field than ATK9 for example, but focuses on a small number per year trying to hide its infections with self-removing malware and using one-shot delivery servers. It often targets the private email accounts of its victims and uses them to access the organization's networks. It uses custom developed tools which are often updated to avoid detection. Its backdoors are configured to operate during the victim's working hours to hide network traffic from legitimate traffic. Interestingly, there is no code shared between their different backdoors.

 

The CnC infrastructure is a mixture of registered domains and free subdomains obtained through dynamic DNS providers. The group uses compromised infrastructure based in multiple countries.

 

Used lure documents often address controversial subjects to incite the reader to open them.

 

Based on Microsoft's investigations, here is a non-exhaustive list of ATK33 characteristics :

 

• Implementation of several cyber espionage campaigns since at least 2009.

• Concentration on a small number of campaigns per year, which reduces the risk of detection and helps the group to remain unnoticed and focused longer.

• Targeting of governments and related organizations in South and South East Asia. Using multiple unpatched vulnerabilities in zero-day exploits against its victims.

• Main method: Spear phishing Hiding its traces by automatic removal of malicious components or by using "single mode" server-side logic where remotely hosted malicious components are only allowed to load once

• Harassment of its targets via their unofficial or private email accounts, to use them as a springboard to the planned organization's network.

• Use of malicious tools that are tailor-made and have the resources to update these applications often in order to avoid being detected.

• Configuring its backdoor malware to restrict its activities to victims' working hours, in an effort to disguise post-infection network activity from normal user traffic.

• Its espionage activity is not intended to achieve direct financial gain, but rather uses stolen information for indirect economic benefits.

 

Références :

• http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

• https://attack.mitre.org/groups/G0068/

• https://securelist.com/cve-2015-2545-overview-of-current-threats/74828/

• https://securelist.com/platinum-is-back/91135/

• https://securelist.com/titanium-the-platinum-group-strikes-again/94961/