
The cyber-war just got dirtier. A year or two back, an age in cyber-years, even the most ruthless cyber-gangs avoided attacking medical facilities to create a better public image in the eyes of the hacker community. Their stance has weakened somewhat since then, with attacks on the health sector becoming more common. But a recent attack on the US Red Cross is unusual enough to ring alarm bells outside the cybersecurity community.
While conducting their daily threat-hunting operations, cybersecurity firm NSFOCUS Security Labs very recently discovered a new attack process they had never seen previously. Intrigued, they discovered two new so-called “Trojan horse” programs designed to slip under the radar of known cybersecurity defenses.
“This attacker is quite different from known attacker characteristics in terms of the execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavior tendency, and other main attribution indicators. The technical level and cautious attitude shown by this attacker during this activity are also worthy of attention,” reports NSFOCUS Security Labs.
No clue as to the attacker’s identity
Cybersecurity intelligence operatives can typically identify specific criminal gangs by their techniques and the software they deploy. But in this case, the researchers could not find anything to link the attack with any known cybercriminal group. With no clue to the attacker’s identity, the cybersecurity firm decided to name the threat actor “AtlasCross.”
AtlasCross designed a decoy document titled “Blood Drive September 2023.docm” with United States Red Cross blood donation information as its topic. If the victim follows the prompt to enable macro functionality, the decoy document displays the hidden content: a promotional file for the United States Red Cross blood donation service that contains malicious code intended to siphon off the victim’s personal data. The effect of this crime is twofold as far as the Red Cross is concerned. It deters US citizens from contacting the Red Cross, and it also causes the Red Cross significant reputational damage.
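The lure described above relies on a macro-enabled Word file (.docm) and on the victim clicking “enable content”. A mail gateway or endpoint scanner can flag such attachments before a user ever sees the prompt by looking inside the OOXML container rather than trusting the file extension. The following is an added defensive example written for this article; it is not code from NSFOCUS, the Red Cross, or the attacker, and the sample documents it builds are minimal constructed containers, not the real decoy. The function names (`build_sample_document`, `inspect_office_document`, `triage_attachment`) and the placeholder VBA bytes are assumptions made for the example.

```python
import io
import zipfile

# Well-known OOXML part and content-type strings (these are real Office conventions).
CONTENT_TYPES = "[Content_Types].xml"
VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal in-memory OOXML container for testing (constructed sample)."""
    buf = io.BytesIO()
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            CONTENT_TYPES,
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed, not real VBA).
            z.writestr(VBA_PART, b"\x00placeholder-vba-project")
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Return structural indicators of an OOXML document: macro part and macro content type."""
    findings = {"is_ooxml": False, "has_vba_part": False, "macro_content_type": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # Not a zip container at all; leave every indicator False.
    names = set(z.namelist())
    findings["is_ooxml"] = CONTENT_TYPES in names
    findings["has_vba_part"] = VBA_PART in names
    if findings["is_ooxml"]:
        content_types = z.read(CONTENT_TYPES).decode("utf-8", "replace")
        findings["macro_content_type"] = MACRO_MAIN_TYPE in content_types
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Produce human-readable reasons to hold an attachment for review (empty list = nothing found)."""
    reasons = []
    f = inspect_office_document(data)
    if not f["is_ooxml"]:
        return reasons  # Not an Office Open XML file; out of scope for this check.
    if f["has_vba_part"]:
        reasons.append("contains a VBA project (word/vbaProject.bin)")
    if f["macro_content_type"]:
        reasons.append("declares a macro-enabled main document type")
    # A macro-bearing document arriving under a .docx name is a mismatch worth calling out.
    if reasons and filename.lower().endswith(".docx"):
        reasons.append("macro content inside a file named .docx (extension mismatch)")
    return reasons


if __name__ == "__main__":
    lure = build_sample_document(with_macro=True)
    clean = build_sample_document(with_macro=False)
    print("lure   :", triage_attachment("Blood Drive September 2023.docm", lure))
    print("clean  :", triage_attachment("newsletter.docx", clean))
```

A quarantine rule built on `triage_attachment` catches the macro-enabled document by its structure, so renaming the file or changing the lure text does not defeat the check; it does not, however, detect legacy binary .doc files or macros injected at runtime, which need a different parser.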
While the Red Cross scam may have been executed in a basement cellar by a solitary criminal genius, the skill, professionalism, and novel tooling used in the crime point to another possibility. Potentially hostile nation-states such as China have been conducting well-orchestrated cyber campaigns to weaken critical Western infrastructure. Academia, aerospace, defense, government, media, telecoms, and research have all been targeted by China-backed hackers in the US, Europe, and Asia.
Given that blood-transfusion supplies can be as vital to a military conflict or state of emergency as bullets or power, organizations like the Red Cross may increasingly find themselves in the firing line from nation-state-backed cybercriminals bent on weakening the West’s critical infrastructure.