« NISTIR 8196 Security Analysis of First Responder Mobile and Wearable Devices | Main | GAO 重要インフラ保護:国土安全保障省はリスクが高い化学施設のサイバーセキュリティにもっと注意を払え »

2020.05.16

Tropic Trooperが台湾、フィリピンの政府、軍、医療機関等の物理的に分離されたネットワークをターゲットにUSBフェリー攻撃 by Trendmicro

こんにちは、丸山満彦です。

Trend Microのインテリジェンスチームが、Tropic Trooperが台湾、フィリピンの政府、軍、医療機関等の物理的に分離されたネットワークをターゲットにUSBフェリー攻撃を仕掛けていると言う報告書を出していますね。。。

Trend Micro Security Intelligence blog

・2020.05.12 Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments by Joey Chen

・[PDF] Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments - Technical Brief by Joey Chen (Threats Analyst)

-----

Tropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.

We found that Tropic Trooper’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

Based on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that Tropic Trooper’s main purpose is to exfiltrate confidential information or intelligence.

Tropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.

We found that Tropic Trooper’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

Based on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that Tropic Trooper’s main purpose is to exfiltrate confidential information or intelligence.

-----

■ 報道等

Security Affairs

・2020.05.15 Chinese APT Tropic Trooper target air-gapped military Networks in Asia by Pierluigi Paganini

|

« NISTIR 8196 Security Analysis of First Responder Mobile and Wearable Devices | Main | GAO 重要インフラ保護:国土安全保障省はリスクが高い化学施設のサイバーセキュリティにもっと注意を払え »

Comments

Post a comment



(Not displayed with comment.)


Comments are moderated, and will not appear on this weblog until the author has approved them.



« NISTIR 8196 Security Analysis of First Responder Mobile and Wearable Devices | Main | GAO 重要インフラ保護:国土安全保障省はリスクが高い化学施設のサイバーセキュリティにもっと注意を払え »