Security Market Segment LS
Tuesday, 30 June 2020 21:20

Bitdefender identifies state-sponsored cyber criminal enterprise, StrongPity Featured


Cyber security researcher and tools provider, Bitdefender, today publicly released its discovery of a sophisticated and dangerous cybercriminal enterprise named StrongPity which it believes to be government-sponsored and working at population surveillance and intelligence exfiltration.

The StrongPity attacks have been aggressively targeting victims in Turkey and Syria and expanding globally. Bitdefender researchers believe these are government-sponsored based on the severity and sophistication of the attacks.

StrongPity is also known as Promethium and is a threat group assumed active since at least 2012. Information was first reported in October 2016 with details on attacks against users in Belgium and Italy.

In 2018 the attackers shifted their focus elsewhere, compromising Turkish telecommunication companies to target hundreds of users in Turkey and Syria.

Bitdefender researchers believe these attacks are government-sponsored and are used for population surveillance and intelligence exfiltration, and further, they are used as support for the geopolitical conflicts in the region.

StrongPity's preferred injection vector is a watering hole technique which delivers malicious version of legitimate installers to certain targets. By monitoring this threat closely Bitdefender’s researchers have managed to investigate it from several angles which include the technical setups of command and control servers as well as insight into the victim’s profile.

Bitdefender states most of the targets are located in Istanbul and the area of Turkey close to the Syrian border, via the use of a pre-defined IP list. The researchers believe the attacker is interested especially in the Kurdish community and sees the threat as relevant to the Turkey and Kurdish conflicts.

The samples used in one of the attackers’ campaigns have timestamps starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. Bitdefender says there is no direct forensic evidence suggesting StrongPity operated in support of Turkish military operations, however the victim’s profile coupled with the timestamps on the analysed samples may indicate a relationship.

Bitdefender also identified a three-tiered command and control infrastructure for covering the cybercrime group’s tracks and thwarting forensic investigation., and found the existence of fully-working Trojan versions of popular tools that have been compiled during the ordinary working hours of 9 am to 6 pm UTC +2. This deepens Bitdefender’s belief StrongPity is a sponsored and organised developer team paid to deliver certain projects.

Bitdefender identified servers which serve the poisoned installer used in the initial compromise, and servers for exfiltrating information and interacting with the victim devices. The regular, untouched, installer was made available if the user’s IP address was not in the pre-defined IP list StrongPity was targeting.

These poisoned applications span many common and well-known applications including archivers, file recovery applications, remote connections applications, utilities, and even security software.

Once a device is compromised payload components pertaining to persistency, command and control communication and file searching are all deployed on the machine. Based on instructions the exfiltration component runs a file searching mechanism responsible for looping through drives looking for files with specific extensions. If found they are placed in a temporary zip archive, split into hidden .sft encrypted files, sent to the command and control server then ultimately deleted from disk.

Bitdefender has summarised the findings of its research in a whitepaper titled StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure. The company states an up-to-date list of indicators of compromise is included in its Bitdefender Advanced Threat Intelligence products.

Bitdefender says StrongPity's infection success rate is alarming, warning the potential risk that exists for Australia if ever Australian organisations were added to StrongPity’s IP address range list. If this occurred attackers are capable of commanding and controlling communication, exfiltrating sensitive data and then deleting all information to cover their tracks.

Read 2460 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News