The Poseidon misadventure: inside a targeted attack group


In the Poseidon Adventure movie, passengers aboard a cruise ship struggle to survive after a tidal wave strikes. Those enterprises hit by the Poseidon APT Group must know how that feels.

This global cyber-espionage and blackmail gang has been in operation for at least a decade, but only now has its existence and attack methodologies come to light.

The Poseidon cyberespionage group has, according to researchers from the Kaspersky Global Research and Analysis Team (GReAT), been a player in the targeted malware business since at least 2005. In fact, there’s reason to believe that Poseidon could have been testing the malware water for a few years even before then.

Poseidon is not a new threat actor then, far from it. What it is though, is a newly discovered threat actor. Although the individual malware samples it used were detected over the years, the heavy customisation of each targeted attack prevented security researchers from joining the dots and linking seemingly disparate incidents.

What the Kaspersky researchers have done is complete the picture and reveal a single and rather dangerous actor in the shape of Poseidon.

Whether the Poseidon APT Boutique has been part of the threatscape for a decade or a decade and a half is by-the-by; the techniques it employed were less than pretty.

The Kaspersky GReAT researchers report how Poseidon posed as a legitimate security business, but one whose business model relied upon stealing data which could then be used to blackmail the victims into becoming clients of the security contracting outfit.

This takes an old-school extortion racket concept and propels it into the cyber age. This shouldn’t really surprise anyone. After all, many DDoS attacks are actually just employing ‘protection racket’ tactics to extract cash from the victim.

“Pay us an insurance policy and we won’t take your business offline madam” rings as true using a SYN flood as, “wouldn’t it be a shame if your stock got broken love,” does from a clumsy oaf with a hammer in a china shop.

The point being, Poseidon wanted to get a foothold in the systems of their targets and leveraged that for an immediate cash gain in terms of contracted services. The gain, however, was also long term it would seem.

Poseidon didn’t simply take the hammer-wielding thug away when the insurance policy was paid in full, but rather installed him at strategically important points in the business. Kaspersky researchers discovered that Poseidon would often retain “an illegitimate presence within the ‘secured’ system” and stay there undetected for years on end.

As you can imagine then, Poseidon chose targets carefully. This was no ‘Mom and Pop’ operation targeting ‘Mom and Pop’ businesses. Instead, Poseidon had a fondness for larger enterprises, where both the data to be exfiltrated and the contracts to be signed were of greater value.

What data is being targeted, beyond the infrastructure navigation requirement? Kaspersky points towards high value data such as proprietary and business-sensitive information in relation to investments and stock valuations. This is used primarily in terms of ongoing blackmail leverage it would seem.

As for the target organisations themselves, these enterprises appear to have been mostly located in Brazil, France, India, Kazakhstan, Russia, United Arab Emirates and the US. Interestingly though, no matter where the geographical location of the business or the national language spoken, the targeted systems would be restricted to English or Brazilian keyboard layouts only.

So how did such a successful group, which appears to have got away with it so well for so long, actually operate? Technically it must have been pretty advanced, right?

A better description would appear to be ‘well practised’ and ‘straightforward’ to be honest. Kaspersky reckons that there were no exploits during the initial penetration phases. Instead, Poseidon opted for the simple spear-phishing approach. Know your target, craft an email that will appeal, attach an infected DOC file and Robert is your mother’s brother.

Simple isn’t the same as not clever, not well thought out or not executed to perfection, though. For example, in order to get past whatever security defences were on guard, the attached binaries would be signed with genuine certificates.

Genuine, that is, in as far as they were real ones which had been issued to unsuspecting organisations or sometimes fake companies. Obviously the former would add even more credibility to the scam.

Getting onto the target system was just the start for Poseidon, and was followed by an intelligence gathering data grab to plot the best routes through the infrastructure without triggering the alarm.

Once Domain Admin rights had been obtained, Poseidon then removed the evidence that they were there and left only the bare essentials required to exfiltrate data and maintain a stealthy presence.

While the core infection tool used by Poseidon has evolved across the years from 2005, there are some code remnants which remain and mean that it can be identified as the same beast. A new animal, however, is the 15Mb executable known as the Information Gathering Toolkit (IGT) supertool.

Researchers have revealed that the IGT operates on Domain Controllers and IIS servers, is coded in Delphi and includes both PowerShell and SQL components across a dozen drops. It also includes other executables in C# and Visual Basic 6, each performing specific and detailed tasks.

Overall, the IGT is an information collecting, data exfiltrating and component clean-up package extraordinaire. It’s what enables Poseidon to customise its attacks so well.

At this point we should apologise for talking in the past tense, as Poseidon isn’t a group that has been busted open, closed down and its members charged. Despite sinkholing a number of domains, Kaspersky admits that Poseidon remains a current and commercial (rather than state-sponsored) threat player.

The important, and somewhat reassuring, takeaway is that the work of those GReAT researchers means that we do, at least, know the attack methodology and the nature of the tools used. This research means that enterprises can apply mitigation strategies that can keep Poseidon at bay.

Of course, Kaspersky suggests that its own Endpoint Security for Business product is well suited, but truth be told any mature strategy that combines properly protected endpoints with a process of educating users, regarding social engineering techniques, should help keep the buggers out.