Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance.
The name “NetTraveler” comes from an internal string which is present in early versions of the malware: “NetTraveler Is Running!” This malware is used by APT actors for basic surveillance of their victims. Earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.
The NetTraveler builder icon
Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors:
The following map lists the victim profiles by industry:
Key findings on the NetTraveler attacks:
Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language.
The NetTraveler Attacks - Part 1 (public):
For more information, read our full paper «TheNetTravelerAttacks, Part 1» [PDF]
2013 Jun 06, 17:34
Looking for additional information (Part 2)
Who do I contact to receive a copy of the Part 2 of the report?