Determining who is ultimately behind targeted attacks is difficult. It requires a combination of technical and contextual analysis as well as the ability to connect disparate pieces of information together over a period of time. Moreover, any one researcher typically does not have all of these pieces of information and must interpret the evidence that is available. Too often, attribution is based solely on easily spoofed evidence such as IP addresses and domain name registrations.
This post is a follow-up to the post we published yesterday. It presents some background information on the LURID attacks and on their relationship with previous Enfal attacks in order to provide some context to this case.
Interestingly, while previous Enfal attacks have been attributed to China, in this case, the IP addresses of the command-and-control (C&C) servers were located in the United States and in the United Kingdom. However, the registration information of the domain names used indicates that their owners are from China. In either case, this information is not difficult to manipulate. Neither of these two artifacts taken on their own is sufficient to determine attribution.
The History of Enfal
The history of this malware, combined with the nature of some of its target victims, does provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as Enfal and has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target government organizations, nongovernmental organizations (NGOs), as well as defense contractors and U.S. government employees.
In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as GhostNet and ShadowNet, which included malware and C&C infrastructure connected to the Enfal Trojan. In addition, the domain names Enfal used as C&C servers are, according to U.S. diplomatic cables leaked to WikiLeaks, linked to a series of attacks known as “Byzantine Hades.” According to these leaked cables, this set of threat actors has been active since 2002 and has activity subsets known as Byzantine Anchor, Byzantine Candor, and Byzantine Foothold.
Notably, other than the use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.
LURID and Enfal: Related or Not?
The Lurid Downloader attacks appear to be another separate but related Enfal network with a geographic focus. Although there is clear evidence that the Tibetan community is also a target, interestingly, the majority of victims are concentrated in Russia and in other Commonwealth of Independent States (CIS) countries. From our analysis, we ascertained that numerous embassies and government ministries, including some in Western Europe, have been compromised, as well as research institutions and agencies related to the space industry.
The use of Enfal, the malware family to which Lurid Downloader belongs, has been historically linked with threat actors in China. In this case, the attack vector (a malicious email and an attachment) that we were able to analyze was related to the Tibetan community, which many believe indicates an association with China. However, Chinese entities were also victims of Lurid Downloader.
We have a forthcoming report, which will outline the background and context of the attacks alongside a thorough technical analysis but will not attribute these attacks to any particular entity. We cannot emphasize enough that it remains unclear who exactly is behind the Lurid Downloader attacks.
Attribution isn’t easy.
For more information on this attack, you can check out our research paper, “The ‘LURID’ Downloader.”