SECURITY SPOTLIGHT
CYBERCRIMINALS ATTACK
KUWAIT SHIPPING AND
TRANSPORT ORGANISATIONS
Palo Alto Networks has revealed how cybercriminals attacked
shipping and transportation organisations in Kuwait.
Palo Alto Networks has revealed how
cybercriminals attacked organisations
in Kuwait. Unit 42, the global threat
intelligence team at Palo Alto Networks,
observed previously unknown tools used in
the targeting of transportation and shipping
organisations based in the country.
The first known attack in this campaign
targeted a Kuwait transportation and
shipping company in which the actors
installed a backdoor tool named Hisoka.
Several custom tools were later downloaded
to the system in order to carry out post-
exploitation activities.
All of these tools appear to have been
created by the same developer. The team
were able to collect several variations of
these tools, including one dating back to
July 2018.
The developer of the collected tools used
character names from the anime series
Hunter x Hunter, which is the basis for the
campaign name ‘xHunt’.
The names of the tools collected include
backdoor tools Sakabota, Hisoka, Netero
and Killua. These tools use HTTP for their
command and control (C2) channels, but
certain variants also use DNS tunnelling
or email to communicate with their C2.
While DNS tunnelling as a C2 channel
is fairly common, the specific method in
which this group used email to facilitate C2
communications has not been observed by
Unit 42 in quite some time.
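The DNS tunnelling channel mentioned above is the part of this toolset defenders are most likely to see in their own telemetry. As an added example (not code from the Unit 42 report and not the xHunt tools' own code), the Python below profiles DNS query logs per client and registered domain and flags the combination a tunnel produces: many never-repeated subdomains, long high-entropy leftmost labels, and a preference for record types that carry more data per answer. The log format, the domain c2-example.test, the client addresses and the registered-domain rule (last two labels) are constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query records for the example (not captured from the campaign):
# "<timestamp> <client_ip> <qtype> <qname>". The c2-example.test queries mimic a
# tunnel: one long hex label per query, never repeated, always a TXT lookup.
SAMPLE_DNS_LOG = """\
2019-06-03T08:00:01Z 10.1.4.22 A www.example.com
2019-06-03T08:00:02Z 10.1.4.22 A cdn.example.net
2019-06-03T08:00:03Z 10.1.4.22 A mail.example.com
2019-06-03T08:00:05Z 10.1.4.22 TXT 4d5a90000300000004000000ffff0000.c2-example.test
2019-06-03T08:00:06Z 10.1.4.22 TXT b8000000000000004000000000000000.c2-example.test
2019-06-03T08:00:07Z 10.1.4.22 TXT 0e1fba0e00b409cd21b8014ccd215468.c2-example.test
2019-06-03T08:00:08Z 10.1.4.22 TXT 69732070726f6772616d2063616e6e6f.c2-example.test
2019-06-03T08:00:09Z 10.1.4.22 TXT 742062652072756e20696e20444f5320.c2-example.test
2019-06-03T08:00:10Z 10.1.4.22 TXT 6d6f64652e0d0d0a2400000000000000.c2-example.test
2019-06-03T08:00:12Z 10.1.4.23 A www.example.com
2019-06-03T08:00:13Z 10.1.4.23 A login.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Yield (timestamp, client_ip, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qtype, qname = line.split()
        yield ts, client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. A real deployment
    # should use the Public Suffix List so suffixes such as co.uk are handled.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_queries(text: str) -> dict:
    """Aggregate, per (client, registered domain), the features a tunnel detector uses."""
    groups = defaultdict(lambda: {"subdomains": set(), "label_lens": [],
                                  "entropies": [], "total": 0, "bulky": 0})
    for _ts, client, qtype, qname in parse_dns_log(text):
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        g = groups[(client, dom)]
        g["total"] += 1
        if qtype in ("TXT", "NULL", "CNAME", "MX"):  # record types tunnels favour for capacity
            g["bulky"] += 1
        if sub:
            g["subdomains"].add(sub)
            leftmost = sub.split(".")[0]  # the label the tunnel client fills with data
            g["label_lens"].append(len(leftmost))
            g["entropies"].append(shannon_entropy(leftmost))
    profiles = {}
    for key, g in groups.items():
        n = max(len(g["label_lens"]), 1)
        profiles[key] = {
            "queries": g["total"],
            "unique_subdomains": len(g["subdomains"]),
            "mean_label_len": sum(g["label_lens"]) / n,
            "mean_entropy": sum(g["entropies"]) / n,
            "bulky_fraction": g["bulky"] / g["total"],
        }
    return profiles


def flag_tunnels(text: str, min_unique=5, min_len=20.0, min_entropy=3.5) -> list:
    """Return sorted (client, domain) pairs whose query profile looks like DNS tunnelling."""
    hits = []
    for key, p in profile_queries(text).items():
        if p["unique_subdomains"] >= min_unique and (
                p["mean_label_len"] >= min_len or p["mean_entropy"] >= min_entropy):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for client, dom in flag_tunnels(SAMPLE_DNS_LOG):
        print("possible DNS tunnel:", client, "->", dom, profile_queries(SAMPLE_DNS_LOG)[(client, dom)])
```

The thresholds are starting points, not tuned values: CDNs and anti-spam lookups also generate many unique subdomains, so in production the unique-subdomain count should be judged against a baseline of what each domain normally looks like, and the bulky-record fraction should weigh in before an alert fires.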
This method uses Exchange Web Services
(EWS) and stolen credentials to create
email ‘drafts’ in a mailbox that both the
actor and the tool can read; the drafts carry
commands and results and are never sent, so
the traffic never leaves the mail server as
a message. In addition to
the aforementioned backdoor tools, the
team also observed tools referred to as
Gon and EYE, which provide the backdoor
access and the ability to carry out post-
exploitation activities.
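To show what the drafts-based channel looks like from the defender's side, here is an added example (not from the report and not the tools' own code) in Python that runs a detection heuristic over mailbox audit events: a mailbox used as a dead drop shows drafts created through EWS by two different client addresses (the tool inside the network and the actor outside), most of them deleted again once the other side has read them, and little or nothing ever sent. The event records, mailbox names, IP addresses, the `Client=WebServices` marker and the field names are constructed assumptions; a real Exchange mailbox audit export may name its fields differently, so map them before use.

```python
from collections import defaultdict

EWS_MARKER = "WebServices"  # assumed: how an EWS session appears in the client string
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def ev(t, mailbox, op, folder, client, ip):
    """Build one constructed audit record (field names are assumptions for the example)."""
    return {"t": t, "mailbox": mailbox, "op": op, "folder": folder, "client": client, "ip": ip}


SVC, OPS = "svc-backup@corp.example", "ops@corp.example"
EWS, RPC = "Client=WebServices", "Client=MSExchangeRPC"
IMPLANT, OPERATOR, USER = "10.1.4.22", "203.0.113.5", "10.1.4.40"

# Constructed events. The first two are a user drafting and sending from Outlook;
# the rest are two poll/task/result cycles on a service mailbox used as a dead drop.
SAMPLE_AUDIT_EVENTS = [
    ev("2019-06-03T07:55:00Z", OPS, "Create", "\\Drafts", RPC, USER),
    ev("2019-06-03T07:58:00Z", OPS, "Send", "\\Drafts", RPC, USER),
    ev("2019-06-03T08:00:00Z", SVC, "Create", "\\Drafts", EWS, IMPLANT),      # beacon
    ev("2019-06-03T08:00:30Z", SVC, "SoftDelete", "\\Drafts", EWS, OPERATOR),  # actor reads it
    ev("2019-06-03T08:00:31Z", SVC, "Create", "\\Drafts", EWS, OPERATOR),     # tasking
    ev("2019-06-03T08:01:00Z", SVC, "SoftDelete", "\\Drafts", EWS, IMPLANT),   # tool reads it
    ev("2019-06-03T08:01:05Z", SVC, "Create", "\\Drafts", EWS, IMPLANT),      # result
    ev("2019-06-03T08:01:40Z", SVC, "SoftDelete", "\\Drafts", EWS, OPERATOR),
    ev("2019-06-03T08:02:00Z", SVC, "Create", "\\Drafts", EWS, IMPLANT),
    ev("2019-06-03T08:02:30Z", SVC, "SoftDelete", "\\Drafts", EWS, OPERATOR),
    ev("2019-06-03T08:02:31Z", SVC, "Create", "\\Drafts", EWS, OPERATOR),
    ev("2019-06-03T08:03:00Z", SVC, "SoftDelete", "\\Drafts", EWS, IMPLANT),
    ev("2019-06-03T08:03:05Z", SVC, "Create", "\\Drafts", EWS, IMPLANT),
    ev("2019-06-03T08:03:40Z", SVC, "SoftDelete", "\\Drafts", EWS, OPERATOR),
]


def find_draft_deadrops(events, min_drafts=4):
    """Flag mailboxes whose Drafts folder behaves like a two-party dead drop.

    Signals combined: several drafts created over EWS by at least two distinct
    client addresses, at least half of them deleted again, and sends rare or absent.
    """
    boxes = defaultdict(lambda: {"creates": 0, "deletes": 0, "sends": 0,
                                 "ews_creators": set(), "first": None, "last": None})
    for e in events:
        b = boxes[e["mailbox"]]
        in_drafts = e["folder"].lower().endswith("drafts")
        if e["op"] == "Create" and in_drafts:
            b["creates"] += 1
            if EWS_MARKER in e["client"]:
                b["ews_creators"].add(e["ip"])
        elif e["op"] in DELETE_OPS and in_drafts:
            b["deletes"] += 1
        elif e["op"] in SEND_OPS:
            b["sends"] += 1
        # ISO-8601 timestamps in UTC compare correctly as strings
        b["first"] = e["t"] if b["first"] is None else min(b["first"], e["t"])
        b["last"] = e["t"] if b["last"] is None else max(b["last"], e["t"])

    findings = []
    for mailbox, b in boxes.items():
        if (b["creates"] >= min_drafts
                and len(b["ews_creators"]) >= 2
                and b["deletes"] * 2 >= b["creates"]
                and b["sends"] * 4 <= b["creates"]):
            findings.append({"mailbox": mailbox, "drafts_created": b["creates"],
                             "drafts_deleted": b["deletes"], "sends": b["sends"],
                             "ews_clients": sorted(b["ews_creators"]),
                             "window": (b["first"], b["last"])})
    return findings


if __name__ == "__main__":
    for f in find_draft_deadrops(SAMPLE_AUDIT_EVENTS):
        print("possible drafts dead drop:", f)
```

Two design points carry over to a real deployment: the second EWS client address is the strongest single signal, because the stolen credentials are exercised from wherever the actor sits, and mailbox auditing has to be switched on for the accounts in question before any of these events exist to be searched.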
Through comparative analysis, the team
identified related activity also targeting
Kuwait between July and December 2018,
which was recently reported by IBM X-Force
IRIS. While there are no direct infrastructure
overlaps between the two campaigns,
historical analysis shows that the 2018 and
2019 activities are likely to be related.
In conclusion, the company found that
while there are similarities in the targeting
of Kuwait organisations, domain naming
structure and the underlying toolset used,
it remains unclear if the two campaigns
(July to December 2018 and May to June
2019) were conducted by the same set
of operators.
Historical infrastructure analysis shows
a close relationship between the Hisoka and
Sakabota infrastructure, as well as with
known OilRig infrastructure.
Due to these overlaps and the focused
targeting of organisations within the
transportation and shipping industry in the
Middle East, Palo Alto is tracking this activity
very closely and will continue analysis in
order to determine a more solid connection
to known threat groups.
Palo Alto Networks’ customers are protected
from these threats through the following:
• Customers using AutoFocus can view
this activity by using the following tags:
xHunt, Sakabota, Hisoka, Killua, Gon, EYE
• DNS Tunnelling activity is detected
through DNS Security automated
detection
• All tools identified are detected as
malicious by WildFire and Traps.
www.intelligentcio.com