America’s Evolving Cyber Army, Sowbug Target Diplomatic Targets & Fancy Bear Deliver Malware via DDE Tactic


The Future of Cyber Conflict – The Cycon 2017 conference is meeting in Washington DC over the next couple of days, which aims to discuss the key themes of current and future cyber threats that the US Army and NATO face. So far everyone seems to be in agreement of the growing importance of cyberspace being an operational domain and collaboration being key to the success of combating threats. Data is seen as the new key terrain compared to in the past when it would usually be something physical (i.e. a town or supply route). US Army Cyber Command’s Lieutenant General Paul Nakasone is working hard to push cyber capabilities forward to deployed forces in the form of Brigade Combat Cyber Teams, which work together with front line troops in providing a cyber angle to their ability to complete their missions. This is a clear sign of how the battlefield is changing and how cyber is being recognised as a front line asset.

Sowbug APT – Active since early 2015, a cyber espionage group that targets foreign policy and diplomatic organisations in South America and Southeast Asia┬áhas been revealed by Symantec. Using a piece of malware called Felismus, it is a Remote Access Trojan that has anti-analysis functions and self-updating routines, allowing it to upload/download files, executes files and shell command execution. The group is well resourced, capable of infiltrating several targets simultaneously and operates at all hours, indicating possible state backing. However, what Symantec cannot discover so far is how Sowbug performs its initial infiltration in a targets network. Some examples have shown previous compromised computers as the source whilst other tools such as Starloader might have been used. With the main focus of APT groups being normally US, Europe and Asia, it shows that there isn’t a region in the world that is immune to cyber attacks.

Fancy Bear at it Again – The APT group has begun targeting users by sending them Microsoft Word Documents with the Dynamic Data Exchange (DDE) utilised. DDE is a protocol for data exchange between Window applications that allows hackers to substitute macros in an infected Word document for DDE. The DDE technique has been around for a few months now, so it is not a surprise that other APT groups are picking up on the technique. In this example however, McAfee spotted Fancy Bear using documents referencing the recent New York Terrorist attacks and Saber Guardian (US military exercise) as a lure for victims.