In the second quarter of 2017, the most sophisticated threat actors launched a variety of new and improved malicious tools, including three zero-day exploits and two unprecedented attacks: WannaCry and ExPetr. Expert analysis of the latter two suggests that the code may have escaped into the wild before it was fully ready, an unusual situation for well-resourced attackers. These and other trends are covered in the latest quarterly report by Kaspersky Lab specialists.
From April to the end of June, significant developments in targeted attacks were observed in Russia, England, Korea and China, among others. These developments have a major impact on the security of enterprise information systems: advanced malicious activity is now constant in almost every part of the world, increasing the risk to businesses and non-profit organizations and turning them into collateral damage in a digital war. WannaCry and ExPetr, allegedly backed by state-sponsored organizations, whose victims include numerous businesses and organizations around the world, were the first but probably not the last examples of this dangerous new trend.
The highlights of the second quarter of 2017 include:
• Three zero-day exploits for Windows were used in the wild by Sofacy and Turla, two Russian-speaking threat actors. Sofacy, also known as APT28 or FancyBear, developed the exploits it used against a wide range of European targets, including government and political organizations. The threat actor was also observed testing some experimental tools, notably against a member of a French political party ahead of the French national elections.
• Gray Lambert – Kaspersky Lab analyzed the most advanced toolkit to date for the Lamberts, a highly sophisticated and complex English-speaking family of cyber-espionage malware. Two new related malware families were identified.
• The WannaCry attack on May 12 and the ExPetr attack on June 27. While very different in nature and in their targets, both were surprisingly ineffective as “ransomware”. In the case of WannaCry, for example, its rapid global spread and high profile drew attention to the attackers’ Bitcoin ransom collection, making it extremely difficult for them to cash out. This suggests that the real purpose of the WannaCry attack was data destruction. Kaspersky Lab specialists discovered further links between the Lazarus Group and WannaCry. The pattern of destructive malware disguised as ransomware appeared once again in the ExPetr attack.
• ExPetr, which targeted organizations in Ukraine, Russia and elsewhere in Europe, presented itself as ransomware but proved to be purely destructive. The motive behind the ExPetr attacks remains a mystery. Kaspersky Lab specialists have identified a low-confidence link to the threat actor known as Black Energy.