FireEye researchers have been tracking so-called “Operation Beebus” for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.
FireEye researcher James Bennett, who was the first to make the drone connection, said on Tuesday that he has found two new malware associated with the attack, bringing the total to four.
The first two were versions of the same malware called Mutter. The new malware includes one that uses the same custom encryption scheme, but a different command-and-control protocol. The fourth malware is completely different from Mutter, but uses the same C&C infrastructure.
Bennett has yet to fully analyse the new malware, which he hopes will provide “more threads to follow.”
Operation Beebus is a cyber espionage campaign that FireEye has linked to the infamous Comment Crew, which security firm Mandiant has identified as a secret unit of China’s People Liberation Army.
The hacker group attempts to steal information from international companies and foreign governments.
Bennett reported in a blog last week that he had uncovered evidence of cyber attacks against a dozen organisations in the U.S. and India. The attacks against academia, government agencies and the aerospace, defence and telecommunication industries targeted individuals knowledgeable in drone technology.
The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan’s unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.
Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorised as benign by malware analysis systems.
Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett is no longer in use, but several IP addresses are still active, probably being used with other domains.
“We are still seeing active communications going out with this Mutter malware, so we do know that it’s still going,” Bennett said.
One in five data breaches are the result of cyber espionage campaigns, according to the latest study by Verizon. More than 95 percent of cases originated from China, with targets showing an almost fifty-fifty split between large and small organisations.