This feature offers a very digested read of ESET’s trilogy of research papers on Sednit, one of the most notorious groups of cyberattackers in the world.
Sedit is one of the most notorious groups of cyberattackers operating in the world today. Active from at least 2004 – possibly earlier – it has unfortunately stepped up activity over the past two years, keen to hit its targets as hard as possible.
All too aware of this, ESET, a global leader in information security, has been relentlessly pursuing Sednit over this time, an exercise which has proved to be highly informative. This has resulted in a trilogy of papers, which details many aspects that are unique to the group.
This feature offers readers a very digested read of ESET’s findings, a sort of entry point into Sednit. However, we highly recommend you check out all three papers, which covers the group in fascinating detail:
- Part one: En Route with Sednit: Approaching the Target
- Part two: En Route with Sednit: Observing the Comings and Goings
- Part three: En Route with Sednit: A Mysterious Downloader
Part 1: Approaching the Target
Sednit’s main targets reveal a lot by way of the group’s motivations and how sophisticated they are. Consider the following targets:
- April 2015: TV5Monde, a French television network
- May 2015: The German Parliament
- March 2016: The American Democratic National Committee
From this we can infer two things. One, Sednit is more than confident in attacking high-profile targets; and two, its activities are connected to international geopolitics.
ESET was able to find the target list through uncovering a flaw in one of the group’s spearphishing campaigns. Sednit uses Bitly to shorten URLs used in targeted phishing emails. However, one of its account was mistakenly left public, meaning we could see all of the URLs that had been shortened.
They included individuals and organizations that had Gmail addresses, including embassies belonging to, among others, Algeria, Colombia, India, Iraq, North Korea, Kyrgyzstan and Lebanon; Ministries of Defense in Argentina, Bangladesh, South Korea, Turkey and Ukraine; journalists based in Eastern Europe; Russian political dissidents; and members of NATO institutions.
“Most of the targets we could identify are related by the fact that they all share the same standpoint in the current political situation in Eastern Europe.”
ESET noted that “most of the targets we could identify are related by the fact that they all share the same standpoint in the current political situation in Eastern Europe”.
When targeting such individuals and groups, Sednit uses two main attack methods to deploy its malicious software. The first is to persuade someone to open an email attachment. The second is direct them to a website that contains a custom exploit kit (which exploits flaws in a system/device). Most originate with a targeted phishing email.
What’s particularly interesting about Sednit is its ability to identify zero-day vulnerabilities. For example, in 2015 alone, the group was able to exploit six of these, demonstrating a high level of insight and skill.
ESET concluded: “Overall, the Sednit group is always looking for new ways to approach its targets, both with opportunistic strategies and by developing its own original methods.”
Part 2: Observing the Comings and Goings
Once Sednit has conducted reconnaissance into potential targets – using the Seduploader or Downdelph malware, for example – the group then deploys its espionage toolkit, which delivers long-term monitoring of compromised devices.
This is usually achieved through the use of two spying backdoors, Sedreco and Xagent, and then later via the network tool Xtunnel. Without a doubt, these three malicious applications are fundamental to understanding and detecting much of Sednit’s activities.
Of Xagent, which has versions for Windows, Linux and iOS, ESET noted: “It’s a well-designed backdoor that has become the flagship espionage malware of Sednit over the past few years. The ability to communicate over HTTP or via emails make it a versatile tool for the operators.”
With the flexible Sedreco, which is made up of a dropper and a persistent payload, ESET observed that this highly useful backdoor, used by Sednit for many years, has the ability to “register new commands dynamically” and is able to “load external plugins”.
Finally, Xtunnel, which modifies a compromised device and effectively transforms it into a network pivot, ESET concluded: “We believe it to be of high importance to Sednit operators.”
Part 3: A Mysterious Downloader
Indicative of its importance, the final whitepaper into Sednit is focused on Downdelph, a first-stage piece of malware which, despite its limited use by the cyberattackers, offers amazing insight into how the group approaches certain targets.
According to ESET’s telemetry data, it has only been deployed seven times, but, and here’s where it gets interesting, Downdelph has nevertheless been combined with a bootkit and a rootkit – otherwise known as advanced persistence methods. It might seem like a peculiar approach, yet it has proved to be extremely successful in allowing Sednit to operate under the radar.
Downdelph, named so because of the fact it is written in the Delphi programming language, tends to work as such: it downloads a main configuration file, extends the list of C&C servers, and then gathers a payload from each of them.
ESET concluded: “By rarely deploying it, Sednit operators apparently kept it out of the hands of malware researchers for almost two years, which, combined with advanced persistence methods, ensured that they were able to maintain the monitoring of selected targets over the long term.”