The ongoing fraud campaign is reported to be netting between US$3 and $5 million in fraudulent revenue per day. The operation was discovered in September 2016 and uses a massive botnet spoofing thousands of name-brand domains.
The attack focused on targets in Saudi Arabia and the malware used was programmed to wipe the hard disk of the infected computer. Legitimate credentials were used to spread the malware across the network and to start the destruction on November 17, 2016. The components used in the attack are similar to ones used in the original Shamoon attacks that were discovered in 2012.
The malicious software behind the campaign mainly focuses on the Aerospace, Defense Contractor, and Manufacturing sectors in the United States and South Korea. The threat actors behind the operation use a variety of techniques to steal sensitive information.
The threat actors suspected of being behind the campaign are known to use a range of tools to carry out their cyber espionage attacks. The operation has been active for a number of years and is focused on data exfiltration.
The DDoS attack against DNS provider Dyn is reported to be the largest to date, with an estimated load of 1.2 terabits per second. The attack took place on October 21, 2016 and was carried out by millions of IoT devices infected with the Mirai malware.
The campaign uses Revive and OpenX open-source advertising servers as gates to distribute malware. Operation ShadowGate was first discovered in 2015 and has used multiple exploit kits in its attacks.
A modular cyber-espionage platform that uses customized techniques and tools to remain hidden. ProjectSauron is known to target multiple entities including government, research centers, military operations, telecommunication providers, and financial companies located around the world. The main focus of the attack campaign is to exfiltrate documents, keystrokes, and encryption keys.
The campaign targeted the technology and financial sectors and used the software supply chain of a third-party editing tool to infect specific computers at the organizations.
The attack campaign has been active since at least 2015 and focuses on the energy sector. The group behind the attacks gains access to the systems to learn how the victim's operations work. Based on industry research, the campaign is believed to be the work of the same actor who was behind the original DragonFly operation.
The campaign was first discovered in late 2016 and targets multiple sectors located around the world. The threat actors behind the operation are known to use off-the-shelf tools such as Nmap, FreeRDP, NCat, and NPing.