New spyware detected targeting firms in Russia, China: Symantec

Send a link to a friend  Share

[August 08, 2016]  By Eric Auchard

FRANKFURT (Reuters) - A previously unknown group called "Strider" has been conducting cyber-espionage attacks against selected targets in Russia, China, Sweden, and Belgium, U.S.-based computer security firm Symantec Corp said on Monday.

The group, which has been active since at least October 2011 and could have links to a national intelligence agency, has been using an advanced piece of hidden malware identified by Symantec as Remsec (Backdoor.Remsec), the company said in a blog post.

Remsec spyware lives within an organization's network rather than being installed on individual computers, giving attackers complete control over infected machines, researchers said. It enables keystroke logging and the theft of files and other data.

Its code also contains a reference to Sauron, the all-seeing title character in The Lord of the Rings trilogy, Symantec said. Strider is the name of another leading character in the fantasy novels.

Despite headlines that suggest an endless stream of new types of cyber-spying attacks, Orla Fox, Symantec’s Dublin-based director of security response told Reuters the discovery of a new class of spyware like Remsec is a relatively rare event, with the industry uncovering no more than one or two such campaigns per year.

Strider's targets include four organizations and individuals located in Russia, an airline in China, an organization in Sweden and an embassy in Belgium, the security company said.

"Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation state-level attacker," Symantec said, but it declined to speculate about which government or governments might be behind the software.

[to top of second column]

A padlock is displayed at the Alert Logic booth during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker

Meanwhile Moscow-based cybersecurity research firm Kaspersky Lab confirmed that it has also detected the same spyware and will publish further details of its findings later on Monday. It has dubbed the group behind it "ProjectSauron".

Remsec shares certain unusual coding similarities with another older piece of "nation state-grade" malware known as Flamer, or Flame, according to Symantec.

Flamer malware has been linked to Stuxnet, a military-grade computer virus alleged by security experts to have been used by the United States and Israel to attack Iran’s nuclear program late in the last decade (http://reut.rs/2b2FA8z).

Further details can be found at http://symc.ly/2aTHoOm

(Editing by Greg Mahlich)

[© 2016 Thomson Reuters. All rights reserved.]

Copyright 2016 Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Back to top