Symantec Security Response
Symantec Security Response
Bachosens: Highly-skilled petty cyber-criminal with lofty ambitions targeting large organisations
Eastern Europe based attacker’s advanced malware comparable with that used by nation-state actors, but basic missteps indicate a threat actor who is skilled but lacking in expertise
In attacks reminiscent of the early days of malware, a lone wolf threat actor who appears to be based in a disputed part of eastern Moldova is using advanced malware to carry out cyber attacks against large organisations for relatively modest rewards. The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they were looking at the work of nation-state actors. However, further investigation revealed a 2017 equivalent of the hobbyist hackers of the 1990s — the only difference being this hacker wasn’t out for bragging rights. He was out for financial reward.
Big weapon, small rewards
This lone wolf attacker — who we call Igor — is not an average cyber-criminal aiming to infect as many victims as possible. Rather, he has been carrying out highly targeted attacks on specific organisations.
Igor developed a specialised tool, a piece of malware called Bachosens, to gain access to at least two large organisations, an international airline and a Chinese auto-tech company. Symantec believes that Igor planted the malware through the use of spear-phishing emails, a tactic typically employed by nation-state actors.
What do we know about this attacker?
Symantec believes he may be based in the town of Tiraspol in eastern Moldova. Officially, Tiraspol is the second-largest city in Moldova, but it is also the capital of the self-declared republic of Transnistria, which is not recognised as an independent state by the UN.
The dominant language in Transnistria is Russian, and there were Russian strings used in the Bachosens malware, and communication with the C&C server uses what appears to be the Russian equivalents of size suffixes for KB, MB, GB, and TB. This indicated to researchers that the individual behind this malware was likely Russian speaking.
The level of information the attacker knowingly or negligently revealed about himself online gave us high confidence that he is an individual involved in the auto industry who is based in this part of Eastern Europe.
Petty cyber-crime still exists
While we have gleaned a lot of information about this attack, much of this attacker’s activity remains a mystery, such as the motivations behind some of his activity, and where he may have acquired the skills to create such sophisticated malware, while clearly demonstrating lack of expertise in other areas.
However, this activity does show us that while nation-state actors and organised cyber-crime gangs carrying off big heists may be what grabs headlines, there are still lone wolf attackers out there making a comfortable living from cybercrime