Goblin Panda, Flying Kitten and CyberBerkut may sound like the lineup of a particularly esoteric music festival, but according to online security firm CrowdStrike, they were three of the most prominent cyber threats in 2014.
The company’s annual Global Threat Intel Report identifies activity from 39 different groups in the last year, dividing them into four categories: criminals, hacktivists, state-sponsored groups and nationalist adversaries.
The names may raise a smile, but their activities are entirely serious, targeting companies and individuals with a range of threats, from malware to hacking foreign websites for propaganda purposes.
“Western businesses and enterprises need to know that there are serious bad guys in North Korea, China, Iran, Russia and other countries working tirelessly on ways to get around our defenses to steal intellectual property, disrupt business and even destroy,” said CrowdStrike’s vice president of intelligence Adam Meyers as the report was published.
Goblin Panda made Vietnam the most-targeted country according to CrowdStrike’s research, with the group’s activities – fuelled by “tensions in the South China Sea” – including spear phishing attacks attempting to install malware on victims’ computers, often using decoy documents.
“The content of these decoys often came from documents produced by Vietnam’s government, which indicates that the adversary possibly infiltrated the government’s network and was using stolen documents in its operations,” claims the report.
Flying Kitten is a group thought to be based in Iran, with CrowdStrike identifying its campaign to target a defence company in the US in early 2014 with fake websites trying to get people to give away their credentials, then download malware.
“Shortly after this activity was identified, other campaigns against additional targets in the defence and aerospace sectors were observed,” explains the report, which notes that Flying Kitten also targeted Iranian dissidents elsewhere in the world.
CrowdStrike also tracked the activities of a separate group, Charming Kitten, which spent 2014 using fake profiles on social networking sites to ensnare its targets in the US government, as well as the defence industry.
“Credential collection occurred through spoofed websites meant to appear as if they were legitimate sites such as YouTube. When victims clicked on the log in link, they were redirected to a different website that prompted them to enter credentials for harvesting by the adversary.”
The report also highlights activity by CyberBerkut, a “self-proclaimed nationalistic hacking group” that attacked the interim government in Ukraine in 2014, while also distributing pro-Russian propaganda online and encouraging distributed denial of service (DDoS) attacks on Ukrainian websites.
“These attacks were likely directed by Russian state services, with the CyberBerkut hacktivists providing a layer of plausible deniability,” claims CrowdStrike. “Several of the DDoS attacks against Ukraine’s Central Election Commission (CEC) coincided with Russian state media broadcasts, further suggesting coordination at the state level.”
The report also highlights the activities of groups including pro-Syrian Deadeye Jackal and western, game-oriented DerpTrolling and LizardSquad – as well as noting that specific events including the World Cup and the loss of two Malaysia Airlines flights also spurred flurries of cybercriminal activity.
