Determining who is ultimately behind targeted attacks is difficult. It requires a combination of technical and contextual analysis as well as the ability to connect disparate pieces of information together over a period of time. Moreover, any one researcher typically does not have all of these pieces of information and must interpret the evidence that is available. Too often, attribution is based solely on easily spoofed evidence such as IP addresses and domain name registrations.
This post is a follow-up to the post we published yesterday. It presents some background information on the LURID attacks and on their relationship with previous Enfal attacks in order to provide some context to this case.
Interestingly, while previous Enfal attacks have been attributed to China, in this case, the IP addresses of the command-and-control (C&C) servers were located in the United States and in the United Kingdom. However, the registration information of the domain names used indicates that their owners are from China. In either case, this information is not difficult to manipulate. Neither of these two artifacts taken on their own is sufficient to determine attribution.
The History of Enfal
The history of this malware, combined with the nature of some of its target victims, does provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as Enfal and has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target government organizations, nongovernmental organizations (NGOs), defense contractors, and U.S. government employees.
In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as GhostNet and ShadowNet, which included malware and C&C infrastructure connected to the Enfal Trojan. In addition, the domain names Enfal used as C&C servers are, according to U.S. diplomatic cables leaked to WikiLeaks, linked to a series of attacks known as “Byzantine Hades.” According to these leaked cables, this set of threat actors has been active since 2002 and has activity subsets known as Byzantine Anchor, Byzantine Candor, and Byzantine Foothold.
Notably, other than the use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.