An ongoing series of targeted online attacks against government agencies has compromised nearly 1,500 computers in 61 different countries, and is now being traced back to servers in the United States and the United Kingdom.
The attacks, collectively known as "Lurid," have already hit government ministries, space-related government agencies and diplomatic organizations primarily in Russia, Kazakhstan, Ukraine and Vietnam, the security firm Trend Micro wrote. Lurid compromised a total of 1,465 computers and launched more than 300 targeted attacks. Trend Micro has identified 47 targets so far.
Trend Micro did not reveal what types of data the attacks sought, but researchers were able to determine that the cybercriminals attempted to steal documents and spreadsheets from the targeted agencies.
Spear-phishing campaigns such as Lurid typically involve emails addressed to specific recipients, crafted to trick the victims into opening malicious attachments by convincing them the messages are legitimate.
Spear-phishing emails are a main component of advanced persistent threats (APT), a type of long-term, stealthy cyberattack usually linked to state-sponsored hackers. The devastating breach at security-token maker RSA, the subsequent network intrusion at defense contractor Lockheed Martin and the "Operation Aurora" attacks, which hit Google, Yahoo, Morgan Stanley and about 200 unnamed American firms, were all APT attacks widely believed to have been carried out by Chinese hackers.
Lurid, however, is different, researchers say. Most of the targeted countries were formerly part of the Soviet bloc. The 10 active IP addresses used to control the attacks include one located in the U.S. and another in the U.K., Trend Micro's Rik Ferguson told the British tech blog The Register.
However, as with the presumably Chinese attacks, this isn't conclusive proof that the U.S. or British governments were responsible for any international targeted cybercrime.
"As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible," the Trend Micro researchers wrote.