Japanese energy, oil and gas, and transport industries have been among those targeted by a group of cyberattackers focusing its efforts on Japanese critical infrastructure.
According to research at Cylance SPEAR, the cyber threat group had previously been targeting U.S. defence agencies but has recently turned its attention to East Asia. While SPEAR does not believe the criminals have yet conducted “destructive or disruptive” attacks, it argues that they have been patiently and persistently spying on a range of Japanese organisations, such as construction companies and financial firms.
The researchers have dubbed the campaign Operation Dust Storm, and have identified phishing lures related to current affairs as the attackers’ tool of choice. Last year, the group infiltrated the investment branch of a Japanese automaker and installed a second-stage backdoor. The attack was timed two weeks before nationwide auto union action calling for a monthly raise of 6,000 yen.
“Our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future,” the report explained.
SPEAR noted that the cyberattack group has managed to stay under the radar by registering new domain names, relying heavily on Dynamic DNS, and using a range of customised backdoors – especially a number of second-stage backdoors with hardcoded proxy addresses and credentials.
The group also adopted several Android backdoors to support its mobile operations. Its custom mobile malware originally forwarded SMS and call data to command and control servers; later variants were also able to enumerate and exfiltrate specific files directly from infected devices. All of the identified victims of the Android Trojans were located in Japan and South Korea.
According to the SPEAR report, the group has quietly evolved in this manner to remain effective and evade detection by antivirus companies.