There have been countless cyber espionage groups that have gone under the radar for years, such as PittyTiger, Elfin, Equation Group and many more. According to DataProt, “…stealing data from governments, companies or individuals is more common than you would think, with more than a quarter of all cybercrime activities classified as espionage. Manufacturing, education and public administration all hold invaluable data when it comes to espionage, which is why they are targeted most often.”
PittyTiger wasn’t invisible for as long as Elfin or the Equation Group; however, this group did go undetected for at least three years. Some cybersecurity experts have said that PittyTiger might have been active since 2008, but others have said that they have been active since at least 2011 and were discovered in 2014.
Who is PittyTiger?
The name PittyTiger can refer either to an advanced persistent threat group (APT24) or to one of the malware families that the group was known to use during its attacks. The group was discovered by Airbus Defense and Space, a European cybersecurity specialist, in July 2014.
According to the Airbus Defense and Space report, the tools used in the attacks led Airbus to believe that the group originated in China. Several Chinese vulnerability scanners, 8uFTP and a Chinese version of calc.exe were used in the attacks. The controllers of the CT RAT and PittyTiger RAT used in the attacks display Chinese-language text. The report also stated, “Several binaries used by the attackers show either “Chinese – China” or “Chinese-Taiwan” language ID in their resources. A decoy Word document has been found, written in Chinese language. The IP addresses used for the hosting of the C&C domains are mainly located in Taipei (Taïwan) and Hong Kong City (Hong Kong Special Administrative Region, PRC).”
According to Mandiant, “PittyTiger targeted a wide variety of industries, including organizations in the government, healthcare, construction and engineering, mining, nonprofit and telecommunications industries. This group is known to have targeted organizations headquartered in countries including the U.S. and Taiwan.” The exfiltrated data that PittyTiger obtained mainly focused on documents with political significance, signifying their intent was to monitor the positions of various nation states on issues relevant to China’s ongoing territorial or sovereignty dispute.
How did the attacks work?
Mandiant’s report also noted that PittyTiger used phishing emails with military, renewable energy or business strategy themes as bait. “Further, APT24 engages in cyber operations where the goal is intellectual property theft, usually focusing on the data and projects that make a particular organization competitive within its field.”
According to a SecurityWeek article, in a 2014 attack against a French company, the attackers sent emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried Microsoft Word documents that delivered a first-stage payload by exploiting both old and new vulnerabilities in the Microsoft Office suite.
Once a device was infected, the Trojan sent data from it back to the command and control (C&C) server and then downloaded the second-stage malware. PittyTiger used several pieces of malware over the years, such as PoisonIvy during 2008 and 2009, PittyTiger during 2012 and 2013, as well as Backdoor.APT.Lurid, variants of Gh0st RAT, ENFAL and TAIDOOR. The malware is capable of taking screenshots, uploading and downloading files and providing a remote shell.
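The two traits of the lure described above, a sender that appears to be internal but whose message actually arrives from outside, and an Office document attachment, can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from the article or from any of the vendors it cites. It runs a simple triage rule over constructed gateway log lines; the organization domain, internal relay range, log format and sample messages are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for the example: the defended organization's mail domain and the
# address range its own relays send from. Mail that claims an internal sender but
# arrives from outside this range without passing SPF is treated as suspect.
ORG_DOMAIN = "example-corp.test"
INTERNAL_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")

# Constructed sample log lines (not from the original article). One message per
# line, space-separated key=value fields; attachments are ';'-separated.
SAMPLE_LOG = """\
id=m001 src_ip=10.1.4.22 from=alice@example-corp.test spf=pass attach=
id=m002 src_ip=203.0.113.45 from=bob@example-corp.test spf=fail attach=strategie_2014.doc
id=m003 src_ip=198.51.100.7 from=news@vendor.example spf=pass attach=brochure.pdf
id=m004 src_ip=203.0.113.46 from=carol@example-corp.test spf=softfail attach=energy_plan.docx;notes.txt
id=m005 src_ip=10.2.7.9 from=dave@example-corp.test spf=pass attach=report.docx
"""


@dataclass
class MailEvent:
    msg_id: str
    src_ip: object          # ipaddress.IPv4Address or IPv6Address
    sender: str
    spf: str
    attachments: list


def parse_line(line):
    """Turn one key=value log line into a MailEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    attachments = [a for a in fields.get("attach", "").split(";") if a]
    return MailEvent(
        msg_id=fields["id"],
        src_ip=ipaddress.ip_address(fields["src_ip"]),
        sender=fields["from"],
        spf=fields["spf"].lower(),
        attachments=attachments,
    )


def is_internal_source(ip):
    return any(ip in net for net in INTERNAL_RELAYS)


def claims_internal_sender(sender):
    return sender.rsplit("@", 1)[-1].lower() == ORG_DOMAIN


def has_office_attachment(attachments):
    return any(a.lower().endswith(OFFICE_EXTENSIONS) for a in attachments)


def flag_spoofed_internal_lures(log_text):
    """Return the ids of messages matching the lure pattern:
    internal-looking sender, external origin, no SPF pass, Office attachment."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (claims_internal_sender(ev.sender)
                and not is_internal_source(ev.src_ip)
                and ev.spf != "pass"
                and has_office_attachment(ev.attachments)):
            flagged.append(ev.msg_id)
    return flagged


if __name__ == "__main__":
    for msg_id in flag_spoofed_internal_lures(SAMPLE_LOG):
        print("suspect lure:", msg_id)
```

On the constructed input only m002 and m004 are flagged: m001 and m005 come from internal relays, and m003 never claims to be internal. In a real deployment the rule would read the gateway's own log format and the organization's published SPF/DMARC configuration rather than the constants above, and a match should route the message to quarantine and the attachment to detonation rather than silently dropping it.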
According to Airbus, mapping the victims of such a targeted campaign is not easy. Airbus found PittyTiger very active against one particular private company in the defense industry and one government academic network, yet believed these were being used as a stand-in for some of the group’s operations. “We have also found some connections from other companies to the C&C servers, yet we did not find evidence that they were real victims. These supposed victims do work in different sectors and are located mostly in European countries.”
Why does this matter?
The mentality of “it’s not if, it’s when” is often applied to cybersecurity attacks. The same mentality applies to espionage campaigns: an intruder could already have been inside a compromised system for years before being discovered. Keeping a company’s systems current on all patches and upgrades is one way of protecting them.
Statistically, manufacturing, education and public administration are all more likely to be hit with a cybersecurity attack, which underlines the importance of having proper cybersecurity training and best practices in place.