Blue Termite hacking group tunnels into Japanese pension service


A suspected Chinese hacking group has targeted the Japanese Pension Service, resulting in the theft of a million personal records; and the Blue Termite group appears to be continuing to target other Japanese business and government sites.

The fallout from The Hacker Group breach continues to bring bad news to businesses the world over. The latest threat to emerge, which is using a leaked zero-day exploit from The Hacker Group breach, comes in the form of a cyber-espionage campaign by a group that has been dubbed Blue Termite.

The hacking outfit, suspected although not yet proven to be Chinese-based and potentially state-sponsored, has been active since 2013 but most recently has been using a Flash Player zero-day (CVE-2015-5119) to good effect. According to researchers at Kaspersky Lab the advanced persistent threat (APT) group has so far hit Japan’s Pension Service along with technology firms across a broad spectrum of industries including automotive, chemical, communications, electrical, food, finance, medical, robotics and semiconductor.

Researchers from the Global Research and Analysis Team at Kaspersky Lab think that this is the first ongoing cyber-espionage APT attack to focus solely on Japanese targets and is, they say, a “large and sophisticated cyber-espionage campaign.”

Part of that sophistication can be found in the methodology being used for the infection vector of the attacks. Up until the details of The Hacking Group breach were published, over a period stretching back the best part of two years, Blue Termite was pretty set in its social engineering ways; spear-phishing emails ruled the day. Then, from July this year, that leaked Adobe Flash zero-day took over, and Blue Termite managed to successfully compromise numerous Japanese websites to perform drive-by downloads of malware.


This, IT Security Thing understands, has led to a rather significant spike in the infection rate from that point forward. What is interesting is the sheer sophistication of the attack methodology. Rather than simply leave those sites infected and drop the malicious payload onto anyone who happened to visit, Blue Termite appears to have taken the unusual step of adding a script that filtered out any visitor not arriving from a specific Japanese organisation: the drive-by download was initiated only if the visiting IP address matched the one hard-coded in the script. This method of ensuring only specific targets are hit is not unique, but it is uncommon and takes a level of technological resource beyond that of many ‘hit and hope’ hackers out there.

This skill level can also be seen in the dropped payload itself, a backdoor capable of stealing login credentials as well as dropping further payloads on the infected machine. What’s so sophisticated about that you say? How about the fact that Kaspersky Lab notes “each victim is supplied with a unique malware sample that is made in such a way that it could only be launched on a specific PC, targeted by the Blue Termite actor” for starters?

This makes it very difficult, although obviously not impossible, for security research teams to detect or analyse the malware. Not that it stopped Kaspersky Lab researchers, who found language artefacts, such as technical documents and the command and control server interface, that point towards the Chinese connection.

“Since early June, when the cyberattack on the Japan Pension Service started to be widely reported, various Japanese organisations would have started to deploy protection measures. However, the attackers from Blue Termite, who might have kept a close eye on them, started to employ new attack methods and successfully expanded their impact,” Suguru Ishimaru, a junior researcher at Kaspersky Lab, says.