Determining who is ultimately behind targeted attacks is difficult, as it requires a combination of technical and contextual analysis and the ability to connect disparate pieces of information over a period of time. Moreover, any one researcher typically does not have all these pieces of information and must interpret the available evidence. Too often, the determination of attribution is based solely on easily spoofed evidence such as IP addresses and domain name registrations. This post provides a follow-up to the post we published yesterday. It presents some background information on the LURID attacks and their relationship with previous Enfal attacks in order to provide some context to this case.
Interestingly, while previous Enfal attacks have been attributed to China, in this case, the IP addresses of the command-and-control (C&C) servers were located in the United States and the United Kingdom. However, the registration information of the domain names used indicates that the owners are in China. In either case, this information is not difficult to manipulate. Neither of these two artifacts taken on their own is sufficient to determine attribution.
The History of Enfal
The history of this malware, combined with the nature of some of the targeted victims, does provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as “Enfal” and it has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target governmental organizations, nongovernmental organizations (NGOs), as well as defense contractors and U.S. government employees.
In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as “GhostNet” and “ShadowNet” that included malware and command-and-control infrastructure connected with the Enfal Trojan. Additionally, the domain names used by Enfal as C&C servers are, according to U.S. diplomatic cables leaked to WikiLeaks, linked to a series of attacks known as “Byzantine Hades.” According to these leaked cables, the activity of this set of threat actors has been ongoing since 2002, and there are subsets of this activity known as “Byzantine Anchor,” “Byzantine Candor,” and “Byzantine Foothold.”
Notably, other than the use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.
LURID and Enfal – Related or Not?
The Lurid Downloader attacks appear to be another separate but related Enfal network with a geographic focus. Although there is clear evidence that the Tibetan community is also a target, interestingly, the majority of victims of this attack are concentrated in Russia and other CIS countries. From our analysis, we ascertained that numerous embassies and government ministries, including some in Western Europe, have been compromised, as well as research institutions and agencies related to the space industry.
The use of Enfal, the malware family to which Lurid Downloader belongs, has been historically linked with threat actors in China. In this case, the attack vector (a malicious email and attached malicious file) that we were able to analyze was related to the Tibetan community, which many believe indicates an association with China. However, Chinese entities were also victims of Lurid Downloader.
We have a forthcoming report which will outline the background and context of the attacks alongside a thorough technical analysis but will not attribute these attacks to any particular entity. We cannot emphasize enough that it remains unclear who exactly is behind the Lurid Downloader attacks.
Attribution isn’t easy.