Philippine Military Being Targeted by Cyber Criminals, Warns Trend Micro

In its latest research, Trend Micro names the Philippine Military as one of the targets of Operation Tropic Trooper, an advanced persistent threat campaign that targets key governments and industries to compromise critical data.

Trend Micro Incorporated is a global leader in security software that strives to make the world safe for exchanging digital information. Built on 26 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud.


Active since 2012, Operation Tropic Trooper is a campaign that targets key organizations in both Taiwan and the Philippines. It relies on spear-phishing emails sent to targeted entities. These emails carry malicious attachments with exploits for old Microsoft Office vulnerabilities. Once the user opens any of the attachments, an image file with an embedded piece of malicious code is downloaded. This tactic is called steganography, which cybercriminals use to avoid antimalware and network perimeter detection. Once successful, the attack performs several malicious routines, which include the following:
  • Stealing any kind of data
  • Installing a rootkit
  • Killing processes and services
  • Deleting files and directories
  • Putting systems to sleep
Aside from the Philippine military, Operation Tropic Trooper has targeted key organizations in Asia such as the Taiwanese government. From March to May 2015, Trend Micro determined that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations, while the remaining 38% zeroed in on Philippine entities.

"Operation Tropic Trooper was seen to have targeted the Philippine military, which is alarming. Security must be of paramount priority for the government to avoid unwanted repercussions to critical data, government services, and worst, to the peace of communities," said Mr. Paul Oliveria, Security Focus Lead, Trend Micro Philippines.

He added, "In this era of Internet of Things, decision-makers should largely consider putting investments to security technologies. While the investment may be demanding, the cost that comes during troubleshooting and restoration is more expensive. Being proactive is winning half of the battle."

Below are the rest of the fast facts about Operation Tropic Trooper that users need to know:

• Some of the file names of the Operation Tropic Trooper email attachments include:
3AD 28 March 2013, SI re ASG Plan Bombing in Zamboanga
Troops Disposition 26 FEB 13.doc
2nd qtr 2013 AR PF15.doc
Draft AS-PH MLSA - v3 DAGTS_CFO_ILOG_DSA Clean.doc

• Targeted attack activity was heaviest in March and dwindled in the succeeding two months.

• The command-and-control (C&C) servers used in this campaign were located in 4 countries: Taiwan (43% of the servers), USA (36%), Hong Kong (14%) and the UAE (7%).

• The identities and motivations of the actors behind the campaign have yet to be identified.

• Steganography, the technique of concealing data, was used in this attack. Threat actors were able to insert malicious code in JPEG files popularly used as Windows XP wallpapers.

• Steganography, although not a new cybercriminal tactic, is not commonly used in targeted attacks. That being stated, there are probable reasons why this kind of technique (malicious code hidden in XP wallpapers) was used in Operation Tropic Trooper:

  • As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the vulnerable OS. This makes it easier for the threat actors to conceal malicious activity.

  • The threat actors may have also opted to use this form of steganography because they either still use the legacy OS or have an intimate knowledge of it.

• As with other targeted attacks, organizations need to implement a custom defense strategy that protects against all stages of an attack.

• Since Operation Tropic Trooper takes advantage of old existing vulnerabilities, organizations should look into patch management. Organizations also need to invest in threat intelligence gathering so they can block potential threats before they affect them.
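
The page does not say how the code was embedded in the JPEG wallpapers. As an added example (not Trend Micro's code), the Python below checks one case a defender can test structurally: bytes stored after the real end-of-image marker, found by walking the JPEG segments rather than searching for `FF D9`. The function name and the sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

def analyze(data: bytes) -> tuple[int, int]:
    """Walk JPEG markers; return (offset just past the real EOI, trailing byte count)."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos, len(data) - pos
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += length                    # skip the segment, including any FF D9 inside it
        if marker == SOS:                # entropy-coded scan: FF 00 is stuffing, FF D0-D7 restarts
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF)
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker (truncated file)")

# Constructed sample: structurally valid marker stream, not a decodable picture.
APP0 = b"\xff\xe0" + struct.pack(">H", 12) + b"JFIF\x00\xff\xd9pad"  # decoy FF D9 in metadata
SCAN = b"\xff\xda" + struct.pack(">H", 3) + b"\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
CLEAN = b"\xff\xd8" + APP0 + SCAN + b"\xff\xd9"
TRAILER = b"CONSTRUCTED-TRAILING-BLOB"
TAMPERED = CLEAN + TRAILER

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        end, extra = analyze(blob)
        print(f"{name}: EOI ends at {end}, {extra} trailing bytes")
```

Some legitimate tools also append data after the end-of-image marker, so a nonzero count is a reason to inspect the file, not a verdict.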

How can organizations stay protected?

Trend Micro suggests the use of Deep Discovery, its top-notch threat protection platform, which can help organizations respond to today's targeted attacks in real time. It provides advanced threat protection where it matters most. Deep Discovery is made up of four key solutions that help detect, analyze, adapt, and respond to attacks. For more information, agencies and organizations can get in touch with Trend Micro Philippines via +632-995-6200.