KASPERSKY Lab chooses Singapore for new central Asia Pacific office: Releases Spring Dragon research – China & North Korea seen as initiating active APTs

Kaspersky Lab timed the formal opening of its new Singapore office to coincide with the INTERPOL World Congress and Exhibition. The office now has 35 staff and serves as the central management office for the Asia Pacific, where the company has 200 personnel operating across the region.

CEO and Chairman Eugene Kaspersky proudly declared Singapore one of his favourite world cities, and said the company had been strongly encouraged and assisted by the Singapore Economic Development Board (SEDB). “Singapore is a key regional city and one of the most developed cities in the world. The cybersecurity start-up sector is being assisted and we feel this will facilitate new vectors for industrial security, smart cities and the ‘cyberised’ Internet of Things,” Mr. Kaspersky said.

Mr. Teo Chin Hock, Deputy Chief Executive of the Cyber Security Agency of Singapore (CSA), also presented on the need for a resilient and trusted cybersecurity environment. Singapore has four pillars to its cybersecurity strategy, Mr. Hock said: “First is on strengthening critical infrastructure, the second is on mobilising business, third is to create a cyber security industry and fourth is to develop strong international partners, in an effort to make Singapore a smart and safe nation.”

As part of the efforts between the SEDB and Kaspersky Lab, a talent pipeline for skills development is being established: five Singaporeans were sent to Kaspersky Lab’s head office in Moscow for cybersecurity training, and two of them now work with the Cyber Security Agency of Singapore. Further collaboration is under way with Singapore’s leading universities, including the National University of Singapore and Nanyang Technological University, in the research area of critical infrastructure protection.

Palaeontology of Cyberattacks

Alongside INTERPOL World, Kaspersky Lab held a half-day seminar series on the ‘Palaeontology of Cyber Attacks’, with some of the company’s leading researchers in the Asia Pacific region presenting on cyber-attack methodology and attribution.

Vitaly Kamluk, APAC Director of the Global Research & Analysis Team (GReAT), presented on how the Democratic People’s Republic of Korea (North Korea) is linked to major cyber-attacks through attribution of source IP addresses. Kaspersky Lab’s research has linked North Korea to Lazarus, the group linked to the $81 million bank heist in Bangladesh and the 2014 attack on Sony’s Hollywood studio, which the U.S. government also blamed on North Korea. As Vitaly explained, the research leaves three possible conclusions: someone has invested a huge amount of money to frame North Korea in these attacks; a third force outside North Korea could be assisting them; or, if the attacks are indeed from North Korea, we know very little about its current motivations and use of cyber offense.

Another key area of research from Kaspersky Lab is an APT (Advanced Persistent Threat) actor operating since 2012, which has been targeting South China Sea countries, starting with a focus on Taiwan. The group, known as Spring Dragon or Lotus Blossom, has been researched by Melbourne-based Noushin Shahab on behalf of Kaspersky Lab. These highly specialised attacks target government organisations, political parties, educational institutions, universities and the telecommunications industry.

Using customised C2 servers with over 200 unique IP addresses, Spring Dragon actively attempts to hide its real location. Despite these efforts, 40 percent of the IP addresses are registered in Hong Kong, followed by mainland China and Japan. Attribution analysis is based on the victims, political tensions and file compilation timestamps, which fall predominantly in GMT+8; the two prominent periods of activity indicate that the group is either working in shifts in the same time zone or is made up of two groups in two different time zones.
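The timestamp-based reasoning above can be reproduced on any sample set. The following is an added example, not Kaspersky Lab’s code or data: it shifts constructed compile timestamps into a candidate time zone, builds an hour-of-day histogram, and reports the contiguous activity windows whose count and separation drive the shift-work versus two-groups interpretation.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps (UTC) standing in for the PE
# TimeDateStamp values extracted from a set of samples. Made-up values, not
# Kaspersky Lab's Spring Dragon data.
SAMPLE_COMPILE_TIMES = [
    datetime(2015, 3, day, hour, minute, tzinfo=timezone.utc)
    for day, hour, minute in [
        (2, 1, 15), (2, 2, 40), (3, 2, 5), (3, 3, 30), (4, 3, 55), (4, 4, 10),
        (5, 4, 45), (5, 11, 20), (6, 12, 0), (6, 12, 35), (7, 13, 25), (7, 14, 50),
    ]
]


def hour_histogram(timestamps, utc_offset_hours):
    """Count compile events per local hour after shifting to the given UTC offset."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return Counter(ts.astimezone(zone).hour for ts in timestamps)


def activity_windows(hist, min_count=1):
    """Return contiguous runs of hours (start, end) with at least min_count events.

    Two separate runs in one candidate zone match the "shifts in one zone or
    two groups in two zones" reading; one run fits a single office-hours group.
    """
    windows, start = [], None
    for hour in range(24):
        active = hist.get(hour, 0) >= min_count
        if active and start is None:
            start = hour
        elif not active and start is not None:
            windows.append((start, hour - 1))
            start = None
    if start is not None:
        windows.append((start, 23))
    return windows


if __name__ == "__main__":
    # Compare the raw UTC view with the GMT+8 view the researchers describe.
    for offset in (0, 8):
        hist = hour_histogram(SAMPLE_COMPILE_TIMES, offset)
        print(f"UTC{offset:+d}: windows={activity_windows(hist)}")
```

In GMT+8 the constructed data lands in a 09:00–12:00 window and a 19:00–22:00 window; on real samples, try several candidate offsets and treat a single zone that yields plausible working hours as supporting, not proving, the location hypothesis.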

Analysis of the malware developers drew on 600 malware samples obtained. The attackers’ toolset includes various backdoors and backdoor injectors. These include Elise, first identified by Palo Alto Networks’ Unit 42; once identified, these variants stopped being used. The backdoors provide a wide range of capabilities, including file transfer and system administration. The code evolution goes back to 2004, and the backdoor injector injects an encrypted file, predominantly entering via a web browser. According to Noushin, the long-running APT campaign is clearly part of a massive-scale operation and is therefore likely to keep resurfacing regularly in the Asia Pacific, with social engineering techniques a particular element in getting victims to click a link or download a file. The source code is unique and private and therefore unlikely to be picked up by other researchers; should it be released into the wild, attribution would become difficult.