DarkPulsar Used in Attacks on Aerospace and Nuclear Industry

Delaware, USA – October 23, 2018 — Last year, the Shadow Brokers group stole a number of hacking tools and exploits from the Equation Group associated with the NSA, and some of them were disclosed to the public. The most serious and noticeable consequences came from the publication of the EthernalBlue exploit and the subsequent WannaCry and NotPetya outbreaks. Researchers from Kaspersky Lab analyzed revealed malware and found that cyber espionage tools were used against at least 50 victims related to nuclear energy, telecommunications, IT and aerospace. The actual number of victims is unknown since the main operations were stopped after the publication of tools which are capable to remove all traces of their activity. DarkPulsar was used in combination with the FuzzBunch exploit framework, which served to install malware on compromised systems. Shadow Brokers published only the administrative part of the DarkPulsar backdoor, but its analysis allowed researchers to create content to detect its main module. Malware is able to run arbitrary code and install additional malicious modules to monitor and exfiltrate data from the infected systems.

At the moment it is not known, traces of whose operations have been discovered by Kaspersky Lab, the Shadow Brokers or Equation Group, but leaked hacking tools and exploits still pose a serious threat to organizations. It is possible to detect such sophisticated attacks with APT Framework analytical bundle for SIEM that monitors the company’s infrastructure constantly and detects malicious activity by tracking the frequency and distribution of events across the Lockheed Martin Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight