Japan Critical Infrastructure Hack – Operation Dust Storm

By John Atienza on March 1, 2016

Source: https://threatpost.com/five-year-dust-storm-apt-campaign-targets-japanese-critical-infrastructure/116436/

Cylance’s research team SPEAR released a report on a 5-year campaign that targeted Japanese oil, gas, and electric utilities. The campaign is referred to as Operation Dust Storm. Evidence of Dust Storm’s activity has been found in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. The group’s main tools are phishing emails carrying Flash exploits and zero-days implanted into Microsoft Office documents; the specific vulnerabilities used are CVE-2011-0611 and CVE-2012-1889. Attack domains served as C&C servers, used both for command and control and for data exfiltration. Another interesting aspect of this campaign is that Android trojans were also used, first to do reconnaissance on the victims and later to retrieve specific data from those mobile devices. Persistence was achieved through custom-made backdoors planted on the Japanese systems. The attacks have not been attributed to any specific group, but the attack methods and behaviors are similar to APT1’s.
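The delivery vector described above, Flash exploits carried inside Office documents, is something a mail gateway or triage script can screen for by looking for SWF headers inside attachments. The following is an added example (not code from the Threatpost article or from Cylance's report) that scans OOXML members individually and other files as flat bytes; the sample documents it builds are constructed inline for demonstration.

```python
import io
import re
import zipfile

# SWF header: "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA), followed by
# a 1-byte version and a 4-byte little-endian uncompressed length.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40].{4}", re.DOTALL)

def find_swf_headers(data: bytes):
    """Return (offset, signature, version) for every plausible SWF header in data."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        hdr = m.group(0)
        hits.append((m.start(), hdr[:3].decode("ascii"), hdr[3]))
    return hits

def scan_office_document(blob: bytes):
    """Scan an Office document for embedded Flash.

    OOXML files (.docx/.xlsx/.pptx) are ZIP containers: each member is scanned
    separately so an SWF hidden in word/embeddings/*.bin is reported by name.
    Anything else (legacy OLE .doc/.xls, RTF with raw objects) is scanned as a
    flat byte string; a header split across an OLE sector boundary would be missed.
    """
    findings = []
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for off, sig, ver in find_swf_headers(zf.read(name)):
                    findings.append((name, off, sig, ver))
    else:
        for off, sig, ver in find_swf_headers(blob):
            findings.append(("<raw>", off, sig, ver))
    return findings

def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with an SWF embedded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # "CWS", version 10, placeholder length, padded like an OLE object stream
            swf = b"\x00" * 64 + b"CWS\x0a\x10\x00\x00\x00" + b"\x00" * 32
            zf.writestr("word/embeddings/oleObject1.bin", swf)
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_office_document(doc))
```

A hit only says a Flash object is present, not that it is malicious; treat it as a reason to detonate the attachment in a sandbox or block it outright if the environment has no business need for Flash in documents.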

Flash exploits are still a big problem today, especially after the Hacking Team data breach. More interesting is that threat actors are now interested in hacking our mobile devices. The development of mobile security as a field, along with safe mobile phone habits, will be something to keep an eye on and an ear out for. This is especially true considering the question of mobile security raised by the Apple vs FBI events.

For more technical details, please review Cylance’s Operation Dust Storm report:
PDF: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456276906648
SHA1 hash: 606F656561781DBA6FDEF666ECE6A0CC24709F01