An apparently innocuous piece of malware called NetTraveler has been identified as a key component of a Chinese APT campaign that has spent the last decade stealing data from 350 organisations in 40 countries, Kaspersky Lab has found.
NetTraveler (also called Travnet) is an intriguing ‘exfiltration’ data stealer and backdoor whose genesis Kaspersky said could go back as far as 2004, with a particular period of activity since 2010.
According to the Russian firm, NetTraveler has been busy, most recently targeting Tibetan, ethnic Uyghur activists as well as companies working in energy, scientific research, government institutions, universities, military contractors and embassies are far apart as Iran, Belgium and Belarus.
These are bread and butter targets for APT attackers, who would smuggl NetTraveler inside organisations using boobytraped emails and attachments (i.e. PDFs and Word files) hitting well-worn software vulnerabilities.
The company said it had found over 22GB of stolen data on command and control servers but believed this was only a small fraction of what had probably been taken over the years.
It was likely from the targeting, consistent design and single command and control infrastructure that the attacks were the work of a single Chinese organisation, the firm said.
The main countries affected were Mongolia (29 percent), Russia (19 percent), India (11 percent), Kazakhstan (11 percent), with smaller percentages in a host of countries in the same region. US and UK victims represented fractions of 1 percent of those targeted.
The most extraordinary thing about NetTraveler is probably not its sophistication because its design, operation and habit of trying its luck using older vulnerabilities mark it out as anything but. It’s simply the length of time it’s been stealing data without being identified, most of a decade and certainly since 2005.
“Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively and has knowledge of English language,” said Kasperky Lab’s researchers in their analysis.
“Although not very advanced, the NetTraveler attackers have successfully compromised hundreds of targets around the world, with the highest number in Mongolia, India and Russia.”
Whatever its origins, NetTraveler sounds similar in ilk to another piece of APT-like malware discovered by Kaspersky Lab earlier this year, Red October. Although more recent, that too targeted a similar list of countries and organisations with an equally impressive success rate.