Swiss Political Party and Railways Targeted By Hackers

This week, we cover the latest on the Swiss political party and railways targeted by hackers, and the Chinese hacker group that has been stealing code-signing certificates.

Breach

Swiss Political Party and Railways targeted by hackers

Switzerland’s largest political party, the Swiss People’s Party (SVP), has confirmed an attack in which nearly 50,000 emails, names and mailing lists were stolen from its online portal. Swiss Federal Railways (SBB) and several private Swiss companies were also attacked, reporting DDoS attacks that paralyzed their IT and telephone systems. The hacker group NSHC claimed responsibility for these attacks, but insisted it is a ‘grey hat’ organization and that the attacks were meant to expose vulnerabilities, not to be malicious in any way. SVP Deputy General Secretary Silvia Bär said, “we are currently looking into what exactly happened and which data could have been affected.” Meanwhile, SBB acknowledged the attack and said that online timetable services were slowed, but that critical online and rail systems had not been impacted.

References: Hackers Target Swiss Railways, Political Parties and Retailers | Switzerland hit by series of cyberattacks as hackers expose security vulnerabilities | Hackers attack Switzerland’s largest party, claim huge personal data theft

Mitigation Strategies:

Malware

Chinese hacker group steals code-signing certificates

The Chinese Advanced Persistent Threat group ‘Suckfly’ has been using stolen South Korean code-signing certificates to conceal its malicious activity for over two years, according to Symantec. Starting in early 2014, Suckfly used nine different certificates stolen from South Korean companies to make its many malicious tools, including keyloggers, credential dumpers, port scanners and back doors, appear to be legitimately signed software. Symantec did not become aware of this activity until late 2015, when one of its clients was attacked with a brute-force Server Message Block (SMB) scanner that was signed with one of the stolen certificates. Symantec followed the trail Suckfly had left and traced the group back to three IP addresses in Chengdu, China.

Signed malware is becoming more common, because operating systems and security products increasingly refuse to run unsigned, untrusted software, so a valid signature buys an attacker trust it would otherwise have to earn. Symantec warns companies to guard their signing certificates and keys in order to avoid having their identity tied to malicious activity.
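The point of the Suckfly story is that signature verification proves only that the signer held the private key, not that the signer is who you think or that the code is benign. The following Go program is an added illustration written for this newsletter, not Symantec's code or any real vendor's pipeline. It uses Ed25519 keys as a stand-in for X.509 code-signing certificates, a fingerprint allowlist and a revocation map with an effective date as hypothetical stand-ins for a trust store and a CRL, and a `SignedAt` field that models a trusted timestamp countersignature. All keys, payloads and dates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Verdict is the outcome of checking one signed artifact.
type Verdict string

const (
	BadSignature  Verdict = "bad-signature"  // bytes altered, or signed by a different key
	UnknownSigner Verdict = "unknown-signer" // valid signature, but the signer is not on our allowlist
	RevokedSigner Verdict = "revoked-signer" // valid signature made on or after the key's revocation date
	Trusted       Verdict = "trusted"
)

// Artifact stands in for a signed binary. SignedAt models a trusted timestamp
// countersignature (hypothetical); without one, a revocation date cannot be
// applied and everything from a revoked key has to be rejected outright.
type Artifact struct {
	Name      string
	Payload   []byte
	Signature []byte
	Signer    ed25519.PublicKey
	SignedAt  time.Time
}

// Fingerprint identifies a signing key the way a certificate thumbprint would.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign produces an artifact the way a vendor's build pipeline would.
func Sign(name string, payload []byte, priv ed25519.PrivateKey, at time.Time) Artifact {
	return Artifact{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		Signer:    priv.Public().(ed25519.PublicKey),
		SignedAt:  at,
	}
}

// Verify checks the cryptographic signature first, then the signer's standing:
// an allowlist of key fingerprints and a revocation map (fingerprint -> date
// from which the key is no longer trusted). The cryptographic check alone
// cannot distinguish the vendor from someone who stole the vendor's key.
func Verify(a Artifact, allow map[string]bool, revoked map[string]time.Time) Verdict {
	if !ed25519.Verify(a.Signer, a.Payload, a.Signature) {
		return BadSignature
	}
	fp := Fingerprint(a.Signer)
	if !allow[fp] {
		return UnknownSigner
	}
	if since, ok := revoked[fp]; ok && !a.SignedAt.Before(since) {
		return RevokedSigner
	}
	return Trusted
}

// Scenario: a vendor key signs a legitimate release, is later stolen and used to
// sign a malicious tool, and the vendor revokes the key once the theft is noticed.
// All keys are generated on the fly; all dates and payloads are constructed.
func Scenario() map[string]Verdict {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	release := Sign("vendor-updater", []byte("legitimate update 1.0"), priv,
		time.Date(2014, 1, 10, 0, 0, 0, 0, time.UTC))
	withStolenKey := Sign("tool-signed-with-stolen-key", []byte("constructed malicious payload"), priv,
		time.Date(2015, 11, 3, 0, 0, 0, 0, time.UTC))
	stranger := Sign("random-tool", []byte("signed by a key we have never trusted"), otherPriv,
		time.Date(2015, 11, 3, 0, 0, 0, 0, time.UTC))
	tampered := release
	tampered.Payload = []byte("legitimate update 1.0 + implant") // modified after signing

	allow := map[string]bool{Fingerprint(pub): true}
	noRevocation := map[string]time.Time{}
	// Revocation takes effect from the earliest date the theft is believed to have occurred.
	afterRevocation := map[string]time.Time{Fingerprint(pub): time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC)}

	return map[string]Verdict{
		"release":                 Verify(release, allow, noRevocation),
		"stolen-key-before-revoc": Verify(withStolenKey, allow, noRevocation), // indistinguishable from the vendor
		"stolen-key-after-revoc":  Verify(withStolenKey, allow, afterRevocation),
		"release-after-revoc":     Verify(release, allow, afterRevocation), // timestamped before the revocation date
		"unknown-signer":          Verify(stranger, allow, noRevocation),
		"tampered":                Verify(tampered, allow, noRevocation),
	}
}

func main() {
	for name, v := range Scenario() {
		fmt.Printf("%-24s %s\n", name, v)
	}
}
```

The "stolen-key-before-revoc" case is the one that matters: until the victim company notices the theft and publishes a revocation, the attacker's artifact is cryptographically identical to a genuine release, which is exactly why Symantec's advice is to protect the key in the first place rather than rely on verification to catch misuse.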

References: ‘Suckfly’ in the ointment: Chinese APT group steals code-signing certificates | Cyber espionage groups grow more insidious

Mitigation Strategies:

Top 20 IP Addresses

223.234.142.127
81.183.56.217
46.109.168.179
118.170.130.207
188.118.2.26
188.120.254.113
114.44.192.128
103.242.190.57
123.168.123.28
123.249.0.151
87.222.67.194
80.82.65.219
94.242.246.40
162.213.152.216
94.242.253.11
14.113.3.108
103.245.156.222
107.178.149.194
189.76.82.234
93.170.122.30

*IP addresses provided by Recorded Future.
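A list like the one above is only useful once it is checked against your own traffic. The Go program below is an added example for this newsletter, not a Recorded Future tool. It parses the twenty addresses from the free-text layout in which they are published (tolerating the two-column form), then scans a constructed log excerpt for lines that mention any of them, in either the source or destination position. The log lines and the internal 10.0.0.0/8 and documentation-range addresses in them are constructed for the example and are not real traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// indicatorText is the newsletter's "Top 20 IP Addresses", pasted as published.
const indicatorText = `
223.234.142.127 81.183.56.217
46.109.168.179 118.170.130.207
188.118.2.26 188.120.254.113
114.44.192.128 103.242.190.57
123.168.123.28 123.249.0.151
87.222.67.194 80.82.65.219
94.242.246.40 162.213.152.216
94.242.253.11 14.113.3.108
103.245.156.222 107.178.149.194
189.76.82.234 93.170.122.30
`

// ParseIndicators extracts every syntactically valid IP address from free text,
// so column layout, blank lines and stray footnotes do not matter.
func ParseIndicators(text string) map[netip.Addr]bool {
	set := make(map[netip.Addr]bool)
	for _, tok := range strings.Fields(text) {
		if addr, err := netip.ParseAddr(tok); err == nil {
			set[addr.Unmap()] = true // normalise IPv4-mapped IPv6 forms
		}
	}
	return set
}

// ipv4Pattern finds dotted-quad candidates; ParseAddr then rejects false
// positives such as 999.1.1.1 that the regexp alone would accept.
var ipv4Pattern = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// Hit records one log line that references an indicator.
type Hit struct {
	LineNo int
	Addr   netip.Addr
	Line   string
}

// ScanLog walks log text line by line and reports every line that mentions an
// indicator, whichever field it appears in.
func ScanLog(log string, indicators map[netip.Addr]bool) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, m := range ipv4Pattern.FindAllString(line, -1) {
			addr, err := netip.ParseAddr(m)
			if err != nil {
				continue
			}
			if indicators[addr] {
				hits = append(hits, Hit{LineNo: n, Addr: addr, Line: line})
			}
		}
	}
	return hits
}

// sampleLog is constructed for this example: one inbound denied connection
// from an indicator, one outbound allowed connection to an indicator, and
// filler lines including an invalid dotted-quad that must not match.
const sampleLog = `2016-03-15T10:02:11Z fw deny src=223.234.142.127 dst=10.0.0.5 dport=443
2016-03-15T10:02:13Z web GET /login 10.0.0.5 from 198.51.100.23
2016-03-15T10:02:20Z fw allow src=10.0.0.8 dst=93.170.122.30 dport=80
2016-03-15T10:03:01Z web POST /api 10.0.0.5 from 203.0.113.9
2016-03-15T10:03:05Z fw deny src=999.1.1.1 dst=10.0.0.5 dport=22`

func main() {
	indicators := ParseIndicators(indicatorText)
	fmt.Printf("loaded %d indicators\n", len(indicators))
	for _, h := range ScanLog(sampleLog, indicators) {
		fmt.Printf("line %d: %s matched -> %s\n", h.LineNo, h.Addr, h.Line)
	}
}
```

The outbound hit on line 3 is the one worth looking at first: an allowed connection from an internal host to a listed address is a stronger signal than a denied inbound probe, which any Internet-facing address collects all day.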