Skip to content ↓ | Skip to navigation ↓

A computer espionage gang has sent a rival advanced persistent threat (APT) group a spear phishing email in what might be the first reported instance of an APT-on-APT attack.

In February of last year, Naikon, one of the most active APT groups in the Asian region, launched a spear phishing email campaign. Another APT group, Hellsing, was one of its targets.

Hellsing is a relatively small threat actor that mainly attacks targets based in the South China Sea, with a special emphasis on Malaysia, the Philippines, and Indonesia. According to Kaspersky Lab researchers, the group has thus far targeted approximately 20 organizations using spear phishing emails that contain malicious attachments. These attachments come with a custom backdoor that the group, in turn, exploits by uploading malicious files onto a victim’s computer.

A deeper analysis of the APT group has revealed that some of the infrastructure used by Hellsing appears to overlap with two other APT groups: PlayfullDragon (aka “GREF”) and Mirage (aka “Vixen Panda”).

Upon receipt of Naikon’s spear phishing email, Hellsing made an effort to verify the legitimacy of the email prior to opening the attachment. Naikon confirmed the message’s legitimacy in an email to Hellsing, but the group was apparently dissatisfied with the response. Only a few days later, Hellsing sent Naikon a spear phishing email of its own.

“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting-‘Empire Strikes Back’ style, is fascinating,” Costin Raiu, director of Global Research and Analyst Team at Kaspersky Lab, said in a press release.

“In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”

Hellsing’s message to Naikon apparently came with a directory attachment that contained a malicious screen saver file in an RAR archive file.

“We’re now in a world where nation-state APTs are fighting each other in counter-intel and intel-gathering mechanisms,” Raiu went on to explain. “Obviously, the goals are attribution: they want to know who’s trying to infect me and what’s been stolen or what can be stolen from my country or [from] my neighbors.”

To protect themselves from APT groups in general, including Hellsing and Naikon, users should not open suspicious attachments, and they should take special care to make sure their operating systems and third-party applications are updated.