DOD, DHS expose hacking campaign in Russia, Ukraine, India, Malaysia

The Department of Defense and the Department of Homeland Security are calling out an unspecified “sophisticated cyber actor” Thursday for using malware to launch cyberattacks against targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine.

The malware, which the military’s Cyber Command has dubbed “SlothfulMedia,” is an information-stealer capable of logging victims’ keystrokes and modifying files, according to an analysis shared early with CyberScoop. The agencies shared the malware sample on the malware-sharing repository VirusTotal Thursday afternoon.

The malware “is in use in successful ongoing campaigns,” a Cyber Command spokesperson told CyberScoop. The DOD and DHS did not say what threat group or nation-state might be running the malware campaign. The report does not mention specific targets, either.

It’s the latest Pentagon effort to expose malware used by well-resourced hackers around the world. Cyber Command, which began publicly sharing malware samples from state-backed hacking campaigns in 2018, has previously exposed foreign nation-state operations from North Korea, Russia, Iran, and China.

Chinese government-linked hackers have previously targeted Malaysian and Indian entities, according to cybersecurity researchers, while Russian hackers are known to run cyber-espionage operations against targets in Ukraine, Kazakhstan, and Kyrgyzstan. Chinese attackers are also reported to hack targets in Kazakhstan. Cyber Command did not immediately return a request for comment on attribution.

The Cyber Command’s Cyber National Mission Force (CNMF) and DHS’s cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, jointly analyzed the malware, according to the report.

The DOD-DHS effort to expose the malware comes as the federal government is working to overhaul its efforts to hold foreign government-linked hackers accountable. The deputy assistant director of the FBI’s Cyber Division, Tonya Ugoretz, told CyberScoop last month, for instance, that the bureau’s new cyber strategy is focused on better blending efforts between agencies across the federal government to impose costs on adversaries, whether that means the feds sanction hackers, opt for a military response — such as this Cyber Command and CISA analysis released Thursday — or indict hackers through the criminal justice system.

A Cyber Command spokesperson told CyberScoop it was releasing the information Thursday in part because the campaign was ongoing, adding the government hopes the information will help enhance network defenses against the malicious hacking operation.

The malware deploys two malicious files against targets, according to the joint CNMF-DHS report. One of them, a remote access trojan (RAT), is capable of capturing screenshots, modifying files on victim machines, terminating processes, and running arbitrary commands, according to the Malware Analysis Report. The RAT, labeled mediaplayer.exe, also appears to communicate with an attacker-controlled command-and-control server via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP). The second file deletes the RAT.

The hackers also create a service to establish persistence even when targets reboot, according to the DOD and DHS report.
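The two behaviors the report describes, a service installed for reboot persistence and a RAT that talks plain HTTP to its command-and-control server, are the kind of thing a defender can triage from existing logs. The script below is an added example, not code from the report, Cyber Command or CISA. It assumes a Windows System-log service-install event (Event ID 7045, the Service Control Manager’s “a service was installed” record) rendered as key=value text, and a simple proxy log that records the originating process; both log formats and all sample lines are constructed here. The only value taken from the article is the binary name mediaplayer.exe; the list of user-writable directories used as a second signal is an assumed heuristic.

```python
"""Triage helpers for the two behaviours the report describes:
a service created for persistence and a RAT beaconing over HTTP.
All log formats and sample lines are constructed for this example."""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Binary name the report attaches to the RAT. Any other name here is an assumption.
WATCHED_BINARIES = {"mediaplayer.exe"}

# Directories a legitimate service binary rarely lives in (assumed heuristic).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed System-log lines, shaped like Event ID 7045 (service installed)
# and Event ID 7036 (service state change) flattened to key=value text.
SERVICE_EVENTS = [
    "EventID=7045 ServiceName=WinDefendHelper ImagePath=C:\\Users\\bob\\AppData\\Roaming\\mediaplayer.exe StartType=auto",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto",
    "EventID=7036 ServiceName=Spooler State=running",
]

# Constructed proxy-log lines: timestamp, client, process, method, URL, status.
PROXY_LINES = [
    "2020-10-01T13:02:11Z 10.0.0.7 mediaplayer.exe POST http://203.0.113.5/upload 200",
    "2020-10-01T13:02:15Z 10.0.0.7 chrome.exe GET http://example.com/ 200",
    "2020-10-01T13:03:11Z 10.0.0.7 mediaplayer.exe POST http://203.0.113.5/upload 200",
]

SERVICE_RE = re.compile(
    r"EventID=(?P<id>\d+) ServiceName=(?P<name>\S+)"
    r"(?: ImagePath=(?P<path>\S+) StartType=(?P<start>\S+))?$"
)
PROXY_RE = re.compile(
    r"(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_service_event(line):
    """Return the fields of a 7045 service-install line, or None for anything else."""
    m = SERVICE_RE.match(line)
    if not m or m.group("id") != "7045" or m.group("path") is None:
        return None
    return {"name": m.group("name"), "path": m.group("path"), "start": m.group("start")}


def flag_service_installs(lines):
    """Return (service name, image path, reasons) for installs whose binary is a
    watched name or sits in a user-writable directory; benign installs are dropped."""
    hits = []
    for line in lines:
        ev = parse_service_event(line)
        if ev is None:
            continue
        low = ev["path"].lower()
        reasons = []
        if PureWindowsPath(low).name in WATCHED_BINARIES:
            reasons.append("watched-binary")
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("user-writable-dir")
        if reasons:
            hits.append((ev["name"], ev["path"], reasons))
    return hits


def flag_http_from_watched(lines):
    """Count plain-HTTP requests per (process, destination host) for watched
    binaries; repeated requests to one host from the RAT are the beacon pattern."""
    counts = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        proc = m.group("proc").lower()
        parts = urlsplit(m.group("url"))
        if proc in WATCHED_BINARIES and parts.scheme == "http":
            key = (proc, parts.netloc)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for name, path, why in flag_service_installs(SERVICE_EVENTS):
        print(f"persistence: service {name} -> {path} ({', '.join(why)})")
    for (proc, host), n in flag_http_from_watched(PROXY_LINES).items():
        print(f"http c2 candidate: {proc} -> {host} ({n} requests)")
```

Run against real data, the service check should be fed Event ID 7045 records from the System log and the proxy check any log that ties outbound requests to a process name (most EDR and proxy products record this). The path heuristic will produce noise from legitimate installers that drop services under ProgramData, so the watched-binary reason is the higher-confidence signal; the two checks together give the service install a network corroboration.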