Dropping Elephant: Inelegant Espionage

July 8, 2016

A Disappointment for Spy Genre Fans, or…

For most of us, the word ‘espionage’ conjures up visions of immaculately dressed men and women armed, not just with the traditional pistol and silencer, but with lots of highly sophisticated gadgetry. Add the word ‘cyber’, and the aura of sophistication increases, as we envisage the levels of technological finesse required to discreetly intercept and steal delicate political secrets.

On this basis, the cyberespionage group ‘Dropping Elephant’ (aka Chinastrats) is a bit of a disappointment, both in terms of its name and of its approach. Until, that is, you look at just how successful its operations have been, despite using relatively simple techniques.

An Indian-speaking threat actor, Dropping Elephant chooses targets mainly in the Asian region, paying particular attention to Chinese government/diplomatic organizations – and also to foreign embassies and diplomatic offices in China, including those of Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia and the USA. It employs a toolset and techniques based mainly on well-executed social engineering, the exploitation of long-closed vulnerabilities and the adoption of legitimate software.

Hand me that axe, please, then put your neck on this block…

Dropping Elephant’s standard attack scheme starts with two-stage phishing. The first stage is usually a mass email containing only a relatively harmless document, which nevertheless has an important role to play in the attack. When opened, the document sends a confirmatory ‘ping’ to the attackers’ command & control servers, together with basic information about the attacked system that helps further identify the target. The second stage is usually an email carrying either an exploit-containing document (.docx or .pps) leveraging older vulnerabilities in Microsoft Office, or a link to a legitimate-looking ‘watering hole’ website dedicated to politics and offering a well-crafted political news digest in the form of a .pps (PowerPoint Slideshow) file, also exploit-fitted and containing a malicious payload.

When the user, lured by the email’s or website’s apparent credibility, puts his or her neck on the block by opening the file, the embedded payload is triggered. It downloads and executes a number of additional tools that search for any important-looking documents on the victim’s hard drive, including Word files, Excel tables, PowerPoint presentations and PDFs, complementing these with saved credentials they can extract from the browser. This information is then siphoned away to the attackers’ servers.
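The two-stage pattern described above is something a mail gateway can be watched for from the defender’s side. The script below is an added example, not code from the post or from Kaspersky Lab: it runs a constructed heuristic over constructed mail-gateway log lines and flags an external sender who first delivers an innocuous document to a recipient and then, within an assumed window, delivers a .pps/.docx to the same recipient. The log format, the internal-domain list and the 14-day window are all assumptions.

```python
"""Constructed example: flag the two-stage mail pattern described above.

Stage 1: an external sender delivers a plain document (the 'ping' bait).
Stage 2: the same sender later delivers a .pps/.docx to the same recipient.
Log format, domain list and window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log: time, sender, recipient, attachment name.
SAMPLE_LOG = """\
2016-06-01T09:12:00 news@polit-digest.example alice@embassy.example agenda.pdf
2016-06-01T09:13:00 hr@corp.example alice@embassy.example holidays.docx
2016-06-09T14:40:00 news@polit-digest.example alice@embassy.example china_review.pps
2016-06-10T08:02:00 hr@corp.example bob@embassy.example policy.docx
2016-06-12T11:00:00 press@vendor.example bob@embassy.example brief.docx
"""

INTERNAL_DOMAINS = {"corp.example"}          # assumption: our own mail domains
STAGE1_EXT = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".pps", ".ppsx")
STAGE2_EXT = (".pps", ".ppsx", ".docx")      # file types named in the post
WINDOW = timedelta(days=14)                  # assumed gap between the stages

def parse_log(text):
    """Parse the constructed log into sorted (time, sender, recipient, file) tuples."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, attachment = line.split()
        events.append((datetime.fromisoformat(ts), sender, rcpt, attachment.lower()))
    return sorted(events)

def is_external(addr):
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def find_two_stage(text):
    """Return (sender, recipient, stage1_file, stage2_file) tuples to review."""
    history = defaultdict(list)   # (sender, recipient) -> [(time, attachment)]
    hits = []
    for ts, sender, rcpt, att in parse_log(text):
        if not is_external(sender):
            continue              # internal senders are out of scope here
        key = (sender, rcpt)
        if att.endswith(STAGE2_EXT):
            for first_ts, first_att in history[key]:
                if timedelta(0) < ts - first_ts <= WINDOW:
                    hits.append((sender, rcpt, first_att, att))
                    break
        if att.endswith(STAGE1_EXT):
            history[key].append((ts, att))   # remember as a possible stage 1
    return hits

if __name__ == "__main__":
    for hit in find_two_stage(SAMPLE_LOG):
        print("review:", hit)
```

On the constructed log only the polit-digest sender is flagged: a lone external .docx with no earlier document from the same sender is not enough to match.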

These attacks, and others like them, rely on a set of vulnerabilities which are generally assumed to be closed. But it was never possible for Microsoft to completely disable every piece of potentially dangerous functionality in MS Office. Given enough persuasiveness and the victim’s genuine interest in the well-crafted bait, users still can and do click absently through multiple warnings and confirmations – straight to their own – and the whole organization’s – doom.

The consequences of a data breach in a sensitive area like government/politics are hard to overstate. But it’s also important to understand that it’s not just organizations directly related to politics or government that can become targets. To reach their intended victims, the Elephant’s operators may choose the long way round, starting by compromising their victim’s trusted contacts and business connections. So if your company has any ties with government institutions – best keep your corporate security well prepared for any unexpected elephantine visit.


To Defend, You Must Arm Yourself

Dropping Elephant’s operators may not be very inventive in their choice of techniques, but they’re well versed in the uses of social engineering, and do their homework thoroughly before setting out to attack a particular target. To reduce their chances of success to a minimum, bearing in mind that their most important ally is probably going to be your own hapless employee, a multilayered approach to security is necessary. Chinastrats operators dangle highly convincing and carefully tailored informational baits, so close attention should be paid to the sources of any email that doesn’t fit the everyday working pattern. Security awareness training, such as that offered by Kaspersky Lab, can develop the necessary defensive reflexes in your employees – invaluable in spotting and repelling the forms of attack that Dropping Elephant prefers.

It’s worth mentioning that Kaspersky Lab’s experts have long-standing relationships with government and law enforcement organizations worldwide. They not only help investigate cyber-attacks, but also conduct professional training, teaching employees the ways of cybersecurity, from the very basics to the high zen of malware analysis and digital forensics. This training is available not just to government institutions, but to any company working in the field of cybersecurity or looking to create its own Security Operations Center.

In the meantime, as we can see, even already patched vulnerabilities can pose a considerable danger – so human-agnostic exploit mitigation technologies are a must. The Automatic Exploit Prevention technology, available in all tiers of Kaspersky Endpoint Security for Business, is up to the task, preventing even 0-day exploits from completing their dirty work.

But the timely patching of vulnerabilities remains critical. One of the most complex IT tasks, vulnerability management requires enhanced awareness and automation – both of which are offered by Kaspersky Lab’s Systems Management (available both as part of Kaspersky Endpoint Security for Business Advanced and as a standalone solution). This technology considerably simplifies the process for IT specialists, reducing the pressure of work and freeing up time to think and plan more strategically during their everyday duties.

When you’re the custodian of some really important secrets, being strategic in planning your defenses is not a luxury but an absolute necessity. Keeping track of shifts in the threat landscape using Kaspersky Lab’s Intelligence Reports and Datafeeds allows you to be better prepared for what’s to come. And running the ever-alert Kaspersky Anti Targeted Attack Platform – constantly watching over different levels of your IT infrastructure, including network, endpoints and mail system – helps provide early warnings when the enemy is at the gate.

Kaspersky Lab’s products detect components of Dropping Elephant’s toolset under the following verdicts:

  • Exploit.Win32.CVE-2012-0158
  • Exploit.MSWord.CVE-2014-1761
  • Trojan-Downloader.Win32.Genome
  • HEUR:Trojan.Win32.Generic

To know more about the Dropping Elephant attack group, read the following blog post at Securelist.