Since 2011, there have been covert attacks on various nation-states, including Russia and China, by one specific group. Just recently this group was identified by security researchers. It goes by the name of Strider. In a blog post, Symantec said that “the group has maintained a low profile until now” and all of its targets have been “of interest to a nation-state’s intelligence services.”
The main attack method for Strider has been through malware known as Remsec. Remsec is highly advanced in that it can avoid most intrusion-detection systems. Written in Lua, the payload is usually deployed into a computer’s network, which forces the code into the memory and not the disk (which antivirus scans check more often). Remsec’s espionage capabilities result from the fact that it can install backdoors, log keystrokes, and take command of any file on the machine.
The reason why Strider has not been identified until now is likely due to its activity (or lack thereof). The attacks have been infrequent and there have also been very few attacks overall, which is very odd considering how intricate the attacks are. “That’s exactly why this is so interesting to us,” Symantec’s senior threat intelligence analyst Jon DiMaggio told Dark Reading. “The fact that someone invested the time and money into creating custom malware and only used it on this many targets.”
The amount of time taken to code the malware, recon the high-security targets, and successfully execute an attack is massive. As such, one has to wonder what Strider is after.
The fact is nobody is quite certain as to what the threat actor’s aims or affiliations are. They could be an independent group contracted by nation-states for the sake of plausible deniability. Strider could be cyber-terrorists waiting for the perfect moment to wreak havoc on a specific populace. Or maybe the group is just doing this for “the lulz,” as Anonymous members like to say (though I highly doubt this).
Symantec has said it will “continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers.” It should not just be Symantec investigating Strider, as the shadowy entity seems to be emerging as a potential threat of massive proportions. Cybersecurity researchers should place more effort into figuring out who these guys are and what their endgame is. We cannot allow attacks like this to go on without intense investigation.
