The ongoing fraud campaign is reported to be netting between US$3 to $5 million in fraudulent revenue per day. The operation was discovered in September 2016 and uses a massive botnet spoofing thousands of name brand domains.
The attack focused on targets in Saudi Arabia and the malware used was programmed to wipe the hard disk of the infected computer. Legitimate credentials were used to spread the malware across the network and to start the destruction on November 17, 2016. The components used in the attack are similar to ones used in the original Shamoon attacks that were discovered in 2012.
The campaign consist of multiple gate domains using name servers registered through FreeDNS to distribute various ransomware. The operation started in early 2016 and has consisted of multiple websites compromised by exploits kits. Visitors of compromised legitimate websites are redirected to the gates which in turn direct the victims to landing pages containing the malicious code.
The ransomware attack against the rail system's computer system resulted in free rides for customers in late November 2016. The ransomware used, HDDCryptor, rewrites a computer's Master Boot Record boot sectors resulting locked PC's and a ransom note once the computer is rebooted. The threat actor behind the rail system attack demanded approximately USD $73,000 for the decryption key.
The DDOS attack against DNS provider Dyn is reported to be the largest to date, with an estimated load of 1.2 terabits per second. The attack took place on October 21, 2016 and was carried out by millions of IoT devices infected with the Mirai malware.
A modular cyber-espionage platform that uses customized techniques and tools to remain hidden. ProjectSauron is known to target multiple entities including government, research centers, military operations, telecommunication providers, and financial companies located around the world. The main focus of the attack campaign is to exfiltrate documents, keystrokes, and encryption keys.
The campaign was first discovered in late 2016 and targets multiple sectors located around the world. The threat actors behind the operation are known to use off-the-shelf tools such as Nmap, FreeRDP, NCat, and NPing.
One of the primary tools leveraged in Operation Dragonfly is the Havex RAT. Targeting industrial control systems owners.