A new advanced persistent threat (APT) has burst on the scene, dubbed “Patchwork.”
Patchwork has infected an estimated 2,500 victims since it was first observed in December 2015, according to Cymmetria. However, there are indications of activity as early as 2014.
The firm found that the threat actors behind the campaign have targeted victims worldwide, including in the United States, Europe, the Middle East, South Asia and APAC entities—mostly governments and government-related organizations. Cymmetria also concluded that the targets were concentrated on personnel working on military and political assignments.
“Deception technology enables us to capture threats quicker, and more importantly discover their later stage toolset and lateral movement activity, which are often missed as they are deployed only once an attacker already succeeded in an organization and wants to achieve a permanent foothold,” said Gadi Evron, CEO and founder of Cymmetria, in an analysis.
The report also indicates the threat actor is possibly of Indian origin. Unlike China or other notable APT actors, India has remained a relatively quiet locale for cyber espionage activity.
An interesting aspect of the threat actor’s operations is the low technological capability the campaign displays, in direct contradiction to its impressive success. Patchwork received its name due to its authors drawing significantly on code from online forums, GitHub and the Dark Web to build the malware and attack toolsets.
“The most interesting challenge was catching the second stage malware which the attacker only deploys once they feel they require persistence and their risk of capture is low,” said Dean Sysman, CTO and co-founder of Cymmetria. “This was an advanced MazeRunner deception campaign which needed to be carefully crafted.”