PLATINUM (cybercrime group)
PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.
The group, considered an advanced persistent threat, has been active since at least 2009, targeting victims via spear-phishing attacks against government officials' private email addresses, zero-day exploits, and hot-patching vulnerabilities. Upon gaining access to their victims' computers, the group steals economically sensitive information.
PLATINUM succeeded in keeping a low profile until their abuse of the Microsoft Windows hot patching system was detected and publicly reported in April 2016. This hot patching method allows them to use Microsoft's own features to quickly patch, alter files or update an application, without rebooting the system altogether, this way, they can maintain the data they have stolen while masking their identity.
Once in control of a target's computer, PLATINUM actors can move through the target's network using specially built malware modules. These have either been written by one of the multiple teams working under the Platinum group umbrella, or they could have been sold through any number of outside sources that Platinum has been dealing with since 2009.
Because of the diversity of this malware, the versions of which have little code in common, Microsoft's investigators have taxonomised it into families.
The piece of malware most widely used by PLATINUM was nicknamed Dispind by Microsoft. This piece of malware can install a keylogger, a piece of software that records (and may also be able to inject) keystrokes.
PLATINUM also uses other malware like "JPIN" which installs itself into the %appdata% folder of a computer so that it can obtain information, load a keylogger, download files and updates, and perform other tasks like extracting files that could contain sensitive information.
"Adbupd" is another malware program utilised by PLATINUM, and is similar to the two previously mentioned. It is known for its ability to support plugins, so it can be specialised, making it versatile enough to adapt to various protection mechanisms.
In 2017, Microsoft reported that PLATINUM had begun to exploit a feature of Intel CPUs. The feature in question is Intel's AMT Serial-over-LAN (SOL), which allows a user to remotely control another computer, bypassing the host operating system of the target, including firewalls and monitoring tools within the host operating system.
Microsoft advises users to apply all of their security updates to minimize vulnerabilities and to keep highly sensitive data out of large networks. Because PLATINUM targets organizations, companies and government branches to acquire trade secrets, anyone working in or with such organizations can be a target for the group.
- "PLATINUM Targeted attacks in South andSoutheast Asia (PDF)" (PDF). Windows Defender Advanced Threat Hunting Team (Microsoft). 2016. Retrieved 2017-06-10.
- Osborne, Charlie. "Platinum hacking group abuses Windows patching system in active campaigns | ZDNet". ZDNet. Retrieved 2017-06-09.
- Eduard Kovacs (2017-06-08). ""Platinum" Cyberspies Abuse Intel AMT to Evade Detection". SecurityWeek.Com. Retrieved 2017-06-10.
- Eduard Kovacs (2016-04-27). ""Platinum" Cyberspies Abuse Hotpatching in Asia Attacks". SecurityWeek.Com. Retrieved 2017-06-10.
- msft-mmpc (2016-04-26). "Digging deep for PLATINUM – Windows Security". Blogs.technet.microsoft.com. Retrieved 2017-06-10.
- Peter Bright (2017-06-09). "Sneaky hackers use Intel management tools to bypass Windows firewall". Ars Technica. Retrieved 2017-06-10.
- Tung, Liam (2014-07-22). "Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft". ZDNet. Retrieved 2017-06-10.
- msft-mmpc (2017-06-07). "PLATINUM continues to evolve, find ways to maintain invisibility – Windows Security". Blogs.technet.microsoft.com. Retrieved 2017-06-10.
- Catalin Cimpanu (2017-06-08). "Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls". Bleepingcomputer.com. Retrieved 2017-06-10.
- Juha Saarinen (2017-06-08). "Hackers abuse low-level management feature for invisible backdoor - Security". iTnews. Retrieved 2017-06-10.
- Richard Chirgwin (2017-06-08). "Vxers exploit Intel's Active Management for malware-over-LAN. Platinum attack spotted in Asia, needs admin credentials". The Register. Retrieved 2017-06-10.
- Christof Windeck (2017-06-09). "Intel-Fernwartung AMT bei Angriffen auf PCs genutzt | heise Security". Heise.de. Retrieved 2017-06-10.
- "PLATINUM activity group file-transfer method using Intel AMT SOL | Windows Security Blog | Channel 9". Channel9.msdn.com. 2017-06-07. Retrieved 2017-06-10.
- "Platinum hacker group uses Intel AMT", Tad Group, 2017-09-25
- Liu, Jianhong (2017-07-15). Comparative Criminology in Asia. Springer. ISBN 9783319549422.