How closely should security vendors work with law enforcement?
Kaspersky Lab has said that its research team has identified Poseidon Group, an entity that uses malware and extortion-like tactics to coerce victims into contracting it as a security firm.
In its announcement, Kaspersky said that the coercion comes from data that the company, which is actually a commercial entity steals through custom malware designed to run on both English and Brazilian Portuguese Windows machines. The bilingual aspect, apparently, is new among targeted attacks.
According to Kaspersky, Poseidon Group uses spear-phishing emails with Rich Text Format or Doc files, often with a human resources lure, that instal malicious code onto a machine once opened.
Once infected, the malware then reports to command and control, spreads, and begins to aggressively collect data including credentials, management policies, and even system logs for easier execution of additional malware.
The challenge here was that several security vendors had reported “fragments” of Poseidon’s activities over the years but nobody had ever connected the dots, Kaspersky told CDN in an email.
“[This was] perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on,” the company wrote. “By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possible earlier, and still active on the market.”
However, Kaspersky stopped short of identifying members of the group. It was unclear at the time of publication what personally identifiable information the security company had on Poseidon and what it planned to do with it, such as turn it over to authorities.
In other words, they connected the dots, but so what?
Of course, in linking the attacks and some 35 victims who span various verticals in the U.S., France, Kazakhstan, United Arab Emirates, India, Russia and Brazil, Kaspersky revealed the scope of the group’s operations and removed some degree of its anonymity. Security vendors have also been called upon by law enforcement for their aid – in 2014, Kaspersky Lab signed agreements with both INTERPOL and Europol to expand collaboration in fighting cybercrime.
Yet part of the problem in this case may be that Poseidon’s actions are legally ambiguous.
“This type of extortion is not new and we suspect that the group went this route because although the tactic is shady, it is still technically legal,” Kaspersky said. “At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat.”
Nevertheless, Lenovo’s SuperFish adware snafu had little to do with legality, and everything to do with public awareness and outrage.
In Kaspersky’s own words, even after being contracted, Poseidon “may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.”
What are your thoughts on Kaspersky’s obligations from here on out? Let us know in the comments.