The StrongPity attacks have been aggressively targeting victims in Turkey and Syria and expanding globally. Bitdefender researchers believe these are government-sponsored based on the severity and sophistication of the attacks.
StrongPity is also known as Promethium and is a threat group assumed active since at least 2012. Information was first reported in October 2016 with details on attacks against users in Belgium and Italy.
In 2018 the attackers shifted their focus elsewhere, compromising Turkish telecommunication companies to target hundreds of users in Turkey and Syria.
Bitdefender researchers believe these attacks are government-sponsored and are used for population surveillance and intelligence exfiltration, and further, they are used as support for the geopolitical conflicts in the region.
Bitdefender states most of the targets are located in Istanbul and the area of Turkey close to the Syrian border, via the use of a pre-defined IP list. The researchers believe the attacker is interested especially in the Kurdish community and sees the threat as relevant to the Turkey and Kurdish conflicts.
The samples used in one of the attackers’ campaigns have timestamps starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. Bitdefender says there is no direct forensic evidence suggesting StrongPity operated in support of Turkish military operations, however the victim’s profile coupled with the timestamps on the analysed samples may indicate a relationship.
Bitdefender also identified a three-tiered command and control infrastructure for covering the cybercrime group’s tracks and thwarting forensic investigation., and found the existence of fully-working Trojan versions of popular tools that have been compiled during the ordinary working hours of 9 am to 6 pm UTC +2. This deepens Bitdefender’s belief StrongPity is a sponsored and organised developer team paid to deliver certain projects.
Bitdefender identified servers which serve the poisoned installer used in the initial compromise, and servers for exfiltrating information and interacting with the victim devices. The regular, untouched, installer was made available if the user’s IP address was not in the pre-defined IP list StrongPity was targeting.
These poisoned applications span many common and well-known applications including archivers, file recovery applications, remote connections applications, utilities, and even security software.
Once a device is compromised payload components pertaining to persistency, command and control communication and file searching are all deployed on the machine. Based on instructions the exfiltration component runs a file searching mechanism responsible for looping through drives looking for files with specific extensions. If found they are placed in a temporary zip archive, split into hidden .sft encrypted files, sent to the command and control server then ultimately deleted from disk.
Bitdefender has summarised the findings of its research in a whitepaper titled StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure. The company states an up-to-date list of indicators of compromise is included in its Bitdefender Advanced Threat Intelligence products.
Bitdefender says StrongPity's infection success rate is alarming, warning the potential risk that exists for Australia if ever Australian organisations were added to StrongPity’s IP address range list. If this occurred attackers are capable of commanding and controlling communication, exfiltrating sensitive data and then deleting all information to cover their tracks.