The Poseidon misadventure: inside a targeted attack group

This blackmail gang has been in operation for a decade, but only now have its attack methodologies come to light.

The Poseidon cyberespionage group has, according to researchers from the Kaspersky Global Research and Analysis Team (GReAT), been a player in the targeted malware business since at least 2005. In fact, there’s reason to believe that Poseidon could have been testing the malware water for a few years even before then. Poseidon is not a new threat actor, then; far from it. What it is, though, is a newly discovered threat actor. Although the individual malware samples it used were detected over the years, each targeted attack was so highly customised that security researchers could not join the dots and link seemingly disparate incidents. What the Kaspersky researchers have done is complete the picture and reveal a single, and rather dangerous, actor in the shape of Poseidon.

The Kaspersky GReAT researchers report how Poseidon posed as a legitimate security business, but one whose business model relied upon stealing data which could then be used to blackmail the victims into becoming clients of the security contracting outfit. This takes an old-school extortion racket concept and propels it into the cyber age. It shouldn’t really surprise anyone. After all, many DDoS attacks are actually just ‘protection racket’ tactics used to extract cash from the victim. “Pay us an insurance policy and we won’t take your business offline, madam” rings as true using a SYN flood as “wouldn’t it be a shame if your stock got broken, love” does from a clumsy oaf with a hammer in a china shop.

