A shadowy cyber-espionage group that has operated in secret since at least 2015 has been exposed by researchers from Symantec this week (7 November). Analysis shows how it uses a new form of malware dubbed "Felismus" to launch targeted attacks on governments.
The hackers, codenamed 'Sowbug', were spotted conducting clandestine attacks and document thefts from foreign policy institutions, government bodies and diplomatic targets in South America and Southeast Asia – including Argentina, Brazil, Ecuador, Peru and Malaysia.
"The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations," a Symantec report said.
Security researchers said they first saw evidence of Sowbug activity in March this year, directed at an unnamed target located in Asia.
Using analysis of the Felismus malware, experts were able to connect earlier campaigns to the group – indicating that it had been operational for years.
Symantec said it is still not common to see South American countries targeted when compared to the US, Europe and Asia.
How the hackers gained a foothold in computer networks remains unknown, but researchers said the evidence suggested that the group had used fake, malicious software updates.
The unit appears to have used a tool called "Starloader" to deploy additional malware on victims' networks – for example credential-thieving software and keyloggers. Symantec said that Starloader files were spread as updates entitled AdobeUpdate.exe and AcrobatUpdate.exe.
In one attack from 2015, Symantec said the group searched for "very specific" government data. It attempted to exfiltrate all Word documents stored on a compromised server.
Sowbug, Symantec said in its report, likes to maintain a "long-term presence" on computers – and has been spotted lurking undetected on infected networks for months at a time.
"It gives its tools file names similar to those used by software and places them in directory trees that could be mistaken for those used by the legitimate software," the firm said.
The report continued: "This allows the attackers to hide in plain sight, as their appearance is unlikely to arouse suspicion.
"The attackers took further measures to remain under the radar by carrying out their operations outside of standard office hours.
"In this case, the attackers maintained a presence on the target's network for nearly six months between September 2016 and March 2017."
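The two evasion habits the report describes, updater-style file names dropped outside the vendor's real directory tree and activity outside office hours, are both things a defender can check for in file-creation telemetry. The script below is an added example and is not code from Symantec or from the report; it reviews a small set of constructed file-creation events (the paths, signing status and timestamps are made up for illustration), flagging executables whose names mimic an Adobe or Acrobat updater but that sit outside an assumed allow-list of vendor install directories, executables that are unsigned, and files created outside an assumed 08:00-18:00 weekday window. The directory allow-list and business-hours window are assumptions a real deployment would replace with its own baseline.

```python
"""Heuristic review of file-creation events for updater-lookalike masquerading
and off-hours activity, as described in the Sowbug report. Added example; the
events, directories and hours below are constructed assumptions, not telemetry."""
import ntpath
import re
from datetime import datetime

# Names that claim to be an Adobe/Acrobat updater (e.g. AdobeUpdate.exe, AcrobatUpdate.exe).
UPDATER_NAME = re.compile(r"^(adobe|acrobat)\w*update\w*\.exe$", re.IGNORECASE)

# Assumed allow-list: directories where a genuine Adobe updater would be expected.
EXPECTED_DIRS = (
    "c:\\program files\\adobe\\",
    "c:\\program files (x86)\\adobe\\",
    "c:\\program files\\common files\\adobe\\",
    "c:\\program files (x86)\\common files\\adobe\\",
)

# Assumed working window: 08:00-18:00, Monday to Friday.
BUSINESS_HOURS = (8, 18)

# Constructed sample events: path, whether the binary carried a valid signature,
# and the creation time in ISO format (local time).
SAMPLE_EVENTS = [
    {"path": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe",
     "signed": True, "time": "2016-09-12T10:15:00"},
    {"path": "C:\\Users\\Public\\Adobe\\AdobeUpdate.exe",
     "signed": False, "time": "2016-09-12T23:40:00"},
    {"path": "C:\\Windows\\Temp\\AcrobatUpdate.exe",
     "signed": False, "time": "2016-09-13T02:05:00"},
    {"path": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",
     "signed": True, "time": "2016-09-13T09:30:00"},
]


def in_expected_dir(path):
    """True if the file lives under one of the allow-listed vendor directories."""
    lower = path.lower()
    return any(lower.startswith(d) for d in EXPECTED_DIRS)


def off_hours(timestamp):
    """True if the event falls on a weekend or outside BUSINESS_HOURS."""
    dt = datetime.fromisoformat(timestamp)
    start, end = BUSINESS_HOURS
    return dt.weekday() >= 5 or not (start <= dt.hour < end)


def review(events):
    """Return one finding per event that trips at least one heuristic.

    Each finding lists the reasons so an analyst can weigh them; an updater-like
    name outside the vendor tree plus an unsigned binary plus an off-hours write
    is the combination the report describes.
    """
    findings = []
    for ev in events:
        reasons = []
        name = ntpath.basename(ev["path"])
        if UPDATER_NAME.match(name) and not in_expected_dir(ev["path"]):
            reasons.append("updater-like name outside vendor directory")
        if not ev["signed"]:
            reasons.append("unsigned executable")
        if off_hours(ev["time"]):
            reasons.append("created outside business hours")
        if reasons:
            findings.append({"path": ev["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed sample, only the two lookalike updaters in `C:\Users\Public` and `C:\Windows\Temp` are reported, each with all three reasons; the genuine Reader and ARM binaries under `Program Files` pass. The name pattern and directory allow-list are deliberately narrow, so the same shape of check would need its own regex and baseline for any other vendor the attackers chose to imitate.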
Often, groups of this nature are state-sponsored – well-funded and resourced by a government – but with origins that are almost always difficult to trace.