Underground: Scarlet Mimic Espionage Campaign

February 11, 2016  |  Patrick Bedwell

Most high profile data breaches we have read about recently include credit card data, healthcare data or other personally identifiable information. Less visible are attacks that target specific political groups or high-profile public officials. Occasionally they make the news (such as last year’s breaches at the State Department and the White House) but more often they are not highly visible.

One such attack is the ongoing ‘Scarlet Mimic’ espionage campaign against Tibetan and Uyghur activists that Palo Alto Networks has been studying. This campaign has been running for over four years, collecting information on minority rights activists.

The current attacks primarily center around the use of a Windows backdoor named “FakeM” to load malware. In addition to targeting PCs, the attackers have started to expand their espionage efforts from PCs to mobile devices. They often use spear-phishing and watering hole attacks to compromise the systems of targeted activists.

Why this type of attack is significant is that the techniques used to target political activists could easily translate to industrial espionage. Although potentially less newsworthy than the loss of millions of credit card records, the theft of intellectual property by a state-sponsored entity would be a game-changer in a competitive environment.

Impact on you

  • If you are in an industry where your R&D team provides a competitive advantage, a breach of intellectual property could reduce or eliminate that competitive advantage.
  • The higher the barrier to entry your intellectual property represents for competitors, the greater the likelihood for industrial espionage
  • With social media so popular, it’s likely that a focused attacker could quickly determine whom to impersonate in your organization to fool the targeted employees into opening malware-carrying email, opening the door to espionage

How AlienVault Helps

The AlienVault Labs team continues to research and contribute effective, actionable threat intelligence that can identify systems compromised by Scarlet Mimic. The Labs team has updated the USM platform’s ability to detect these latest espionage techniques. An IDS signature to detect the malicious traffic and a correlation directive to identify this threat are available now in the latest AlienVault Threat Intelligence update:

  • System Compromise, Trojan infection, Scarlet Mimic

For more information on the Scarlet Mimic Espionage Campaign, visit the Open Threat Exchange (OTX) to see the research the OTX community has contributed:


Share this with others

Tags: espionage

Get price Free trial