[HN Gopher] Botnet that hid for 18 months
___________________________________________________________________
Botnet that hid for 18 months
Author : takiwatanga
Score : 55 points
Date : 2022-05-03 12:42 UTC (10 hours ago)
(HTM) web link (arstechnica.com)
| mikeyouse wrote:
| Interesting -- not targeting defense contractors or governments.
|
| > _In this blog post, we introduce UNC3524, a newly discovered
| suspected espionage threat actor that, to date, heavily targets
| the emails of employees that focus on corporate development,
| mergers and acquisitions, and large corporate transactions. On
| the surface, their targeting of individuals involved in corporate
| transactions suggests a financial motivation; however, their
| ability to remain undetected for an order of magnitude longer
| than the average dwell time of 21 days in 2021, as reported in
| M-Trends 2022, suggests an espionage mandate._
|
| Is there enough money in high finance to support the development
| of sophisticated tools to rig trading markets?
| nyokodo wrote:
| > Is there enough money in high finance to support the
| development of sophisticated tools to rig trading markets?
|
| Yes, but a well-timed economic WMD on countries heavily reliant
| on efficient capital markets would greatly distract them from
| interfering in international events.
| nyokodo wrote:
| This doesn't sound like a botnet so much as a (possibly Russian)
| child of Stuxnet.
| kramerger wrote:
| Isn't this significantly better than current botnets?
|
| Is there any information about their targets?
| solarmist wrote:
| It certainly seems like it to me.
| PenguinCoder wrote:
| This activity is steps above a normal botnet or threat actor
| such as standard ransomware operators. Not only living off the
| land, but taking care to blend into the device/environment,
| not just dropping a randomly named blob. They show a narrow
| focus of targeting, awareness for evasion, and skill at
| maintaining persistence. This level of sophistication is not
| normal for normal incidents.
| daniel-cussen wrote:
| I bet sometimes they kick out bots that are competing for
| resources. Or at least scan for the other bots and carve them
| out; otherwise, when there are two, that's when they both start
| mining full blast, they each try to cash in the crypto keys
| on the computer before the other one does, and the user gets
| around to reinstalling the OS because his computer is
| unusable.
| xemdetia wrote:
| Based on the places where they were putting their threats I
| doubt mining was their goal. It sounds more that they were
| spelunking in case they wanted to ransomware and/or just
| wanting the information in a straightforward way. I wonder
| if also they were just using these servers as a foothold to
| attack something else. If you are mixing your traffic among
| an org's business presence it would be difficult to chase
| as a hop.
| ghostbrainalpha wrote:
| Ya, this definitely wasn't about mining.
|
| There isn't much info to go on, but it almost sounds like
| they were after the type of financial data that would be
| useful for insider trading.
___________________________________________________________________
(page generated 2022-05-03 23:01 UTC)