It has been a few days since the Japan Pension System data leak of 1.2 million cases of PII came to light, and enough time for forensics to produce at least some theories about the attack source and vector. According to Kaspersky in Japan – and this is news I have yet to see on any English-language web site – the “Blue Termite” APT campaign used to penetrate the Japan Pension System was 100% targeted at Japan:

Blue Termite is an APT attack targeted 100% at Japan, and the cyber attack on the Japan Pension Service is one part of it; at the same time, Kaspersky emphasized that the target is not the Pension Service alone but “all of Japan.” The attack was only discovered at the Pension Service because information happened to leak, and Kaspersky disclosed that at least 300 sites have been penetrated by Blue Termite malware, including government agencies and media organizations as well as defense, energy, aerospace, finance, chemical, manufacturing, research and academic institutions, and even the cloud servers of telecommunications carriers.

Blue Termite is one of the attacks carried out by an attacker group called “CloudyOmega.” Its targeted-attack e-mails and malware were reported last fall by Symantec and Trend Micro.

For example, an e-mail whose sender is “Health Insurance Association Operations Office” carries an attachment called “Notice of health insurance” disguised as a Word document file, but it is in fact a self-extracting executable (.exe); if it is opened, a dummy Word document is displayed while the malware proper executes behind it and infects the machine. It then starts communicating with the attacker's command server (C&C server) and carries out activities such as information theft.

Kaspersky Lab reports the attackers are targeting a variety of Japanese sectors, including government, the media, the defense industry, energy, aerospace, finance, chemicals, manufacturing, and research and academic institutions. At least 300 sites, including cloud servers operated by telecommunications providers, have been found infected with the Blue Termite malware. Additionally, according to reports published last fall by Symantec and Trend Micro, the activity has been traced to a group known as CloudyOmega, and their Blue Termite attack leverages phishing, the most common and successful vector today.

As with most campaigns of this type, the emails carry a malicious payload and are written convincingly enough that the average recipient has great difficulty judging their authenticity. In the example Kaspersky describes, the phishing email purports to come from a health insurance association office and carries an attachment called “Notice of health insurance” that is disguised as a Word document but is actually a self-extracting executable (.exe); when it is opened, a decoy Word document is displayed while the malware proper executes in the background. The malware then initiates a command-and-control connection without the user's knowledge. This is when the so-called magic happens, allowing the attackers to siphon information out of the computer and across any network connections it has established.
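The lure described above depends on the recipient trusting a filename and an icon. A mail gateway or analyst can instead check what the attachment actually is. The following is an added example, not code from the original post or from Kaspersky, Symantec, or Trend Micro: it parses a constructed sample e-mail (the sender name and filenames are assumed English equivalents of the Japanese lure, and the attachment bytes are magic-number stubs, not malware) and flags attachments whose content signature does not match the document extension they carry, whose content is a Windows executable, or that use a document double extension.

```python
"""Attachment triage for a "Word document" that is really an executable.

Added example; not code from the original post or from any vendor it cites.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Well-known file signatures (magic numbers).
SIGNATURES = {
    "pe":  b"MZ",                                 # DOS/PE header: any Windows .exe, incl. self-extracting archives
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file: legacy .doc/.xls/.ppt
    "zip": b"PK\x03\x04",                         # ZIP container: .docx/.xlsx/.pptx (OOXML)
}

# What each "document" extension is supposed to contain.
DOCUMENT_EXTENSIONS = {".doc": "ole", ".dot": "ole", ".docx": "zip", ".docm": "zip"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sniff(data):
    """Identify the content type from its leading bytes, ignoring the filename."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename, data):
    """Return a verdict dict for one attachment: what it claims to be, what it is, and why it is blocked."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # e.g. ".doc" in "notice.doc.exe"
    actual = sniff(data)
    reasons = []
    if actual == "pe":
        reasons.append("content is a Windows executable (MZ header)")
    if ext in DOCUMENT_EXTENSIONS and actual != DOCUMENT_EXTENSIONS[ext]:
        reasons.append(f"extension {ext} claims {DOCUMENT_EXTENSIONS[ext]} but content is {actual}")
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")
    return {"filename": filename, "actual": actual, "reasons": reasons, "blocked": bool(reasons)}


def scan_message(raw):
    """Parse a raw RFC 822 message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [triage(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed sample e-mail modelled on the lure. The attachment bytes are
    signature stubs padded with filler, not real documents or malware."""
    msg = EmailMessage()
    msg["From"] = "Health Insurance Association Operations Office <office@example.invalid>"  # assumed sender
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Notice of health insurance"
    msg.set_content("Please see the attached notice.")
    samples = {
        "Notice_of_health_insurance.doc": SIGNATURES["ole"] + b"\x00" * 64,     # genuine legacy Word file
        "Notice_of_health_insurance.doc.exe": SIGNATURES["pe"] + b"\x90" * 64,  # SFX lure with a double extension
        "Notice_of_health_insurance.docx": SIGNATURES["pe"] + b"\x90" * 64,     # executable renamed to look like a document
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


SAMPLE_EML = build_sample_message()

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        status = "BLOCK" if finding["blocked"] else "allow"
        print(f"{status:5} {finding['filename']} ({finding['actual']}) {'; '.join(finding['reasons'])}")
```

The point of sniffing the payload rather than trusting the name is that every trick the lure uses (document icon, decoy document, double extension) lives in metadata; the `MZ` header cannot be hidden without breaking the executable. Obvious extensions of this check are blocking any archive whose members are executables and quarantining rather than rejecting, so the sample is preserved for analysis.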

Kaspersky Lab states the C&C activity began around September 18, 2014. From October through December there were upwards of 100 C&C connections each day before the activity subsided. Then, in April 2015, a mere two months ago, C&C communication resumed at approximately 140 connections per day.

Once the C&C channel is established with the victim, the actors analyze the directories and files to determine whether the machine holds data worth extracting. If not, the activity ceases. Otherwise, additional hacking tools are dropped onto the machine to help the actors obtain the data: tools for lateral movement across the network and for harvesting mail account and web browser information.

It is likely this will not be the last time we hear about Blue Termite and CloudyOmega being responsible for data compromises in Japan. What I find most interesting is how Blue Termite appears to be targeted solely at Japan, with no trace of this malware having been used in any other country. More to the point, there is not a single English-language web site discussing Blue Termite, which strengthens the theory that this attack was aimed solely at Japan.

There are three outstanding questions at this point:

  1. Is CloudyOmega a nation-state attacker, a hacktivist group, or a group of script kiddies sitting in a basement? The sophistication of the attack points more towards a nation state or, at least, a tightly knit group of very capable actors. From the motive perspective, a nation state is the most plausible.
  2. If CloudyOmega is a nation state, which one – China, North Korea, Russia, or someone else? The type of data stolen seems beneficial only to a nation-state attacker, because there is no obvious way to monetize the compromised Japan Pension System PII.
  3. Lastly, the timing of the JPS and OPM attacks is highly curious. Is there any relationship between the two?

There will likely be a lot more questions arising in the coming days than answers. I will add additional reporting as more information becomes available.

Disclosure: I work for Intel Security, a Kaspersky, Trend Micro, and Symantec competitor.