**Feb 15, 2016**

# A Touch of Artistry: Poseidon’s APT Boutique

**Feb 9, 2016** · [Oleg Gorobets](https://business.kaspersky.com/author/oleggorobets/) · [Featured Post, Technology, Threats](https://business.kaspersky.com/category/featured-post/)

Targeted attacks are visibly commoditizing, choosing cost efficiency over sophistication. If a combination of social engineering, tweaks to widely available malware and legitimate apps can do the trick, why bother to create something original and exquisite?

Nevertheless, there remain true adepts: those who perceive every cyberespionage operation as another stage in the quest for ultimate perfection. And, given the long and successful careers of some, they have good reason to stick with their own way of working.

#### Artistic Blackmailers

The Poseidon cyberespionage group very much fits this description. The group has been using state-of-the-art custom malware since 2005 at least, and there is data to suggest that some of it could have been prototyped as early as 2001. Different components of their toolsets appeared regularly on the radar of security companies, but were not recognized as part of a bigger picture. Throughout this period, Poseidon were meticulously tailoring their toolsets to ensure easy and silent entry and efficient data acquisition, in line with their patrons’ requirements. This perfectionist, artisan approach, together with the group’s known fascination with Greek mythology and their one-time abuse of a maritime satellite communications system, earned their operations the nickname ‘Poseidon’s APT Boutique’.

Setting aside their artistic finesse, some aspects of their ‘business model’ looked distinctly ugly. Masquerading behind a front-end ‘security company’, they used harvested secrets to blackmail targets into accepting them as IT security contractors. Meanwhile, they either retained an illegitimate presence within the ‘secured’ system or, having completed the task agreed, quietly resumed their presence within the perimeter. They were known to refer to one element of their business cycle as […] presence. With their focus on Windows-based systems and extremely developed skills, they could theoretically embed themselves within the victim’s IT system for years without being detected.

#### Great Art Demands Sacrifices

Poseidon’s targets have tended to be large enterprises, mainly centering on Brazil, the US, France, Kazakhstan and Russia. There appears to be an interesting language limitation to English- and Brazilian Portuguese-based systems: even in countries with different national languages, the IT networks of multinational corporations having these locales and/or keyboard layouts were preferred as targets. Their sphere of interest has encompassed Energy and Utilities, Manufacturing, and also Media and PR. The latter two could obviously provide attackers with plenty of information for use as ammunition against additional future targets.

#### Tools of the Artisan’s Trade

To many an artisan eye, elegance and simplicity go hand in hand. The Poseidon group seem to […]

To fool existing security solutions, they often sign these binaries with real certificates, issued for fake companies or even belonging to genuine, well-respected and trusted organizations. Having successfully infected their first victims, the collection of extensive data about the attacked infrastructure begins. Using this information, and ace Windows admin skills, the attackers can then move laterally without triggering any alarms, their next objective being to obtain Domain Admin rights. With this level of power, they can then purge the majority of their own tools from the network, retaining only those essential to their ongoing presence and data exfiltration.

As already mentioned, in one series of operations Poseidon used ships’ satellite communication systems as hiding places for their Command & Control (C&C) servers, a mechanism similar to that used by the Turla actor. No attempts to repeat this feat have, however, been recorded.

#### What Can Be Done?

Despite all Poseidon’s attempts to disguise and disperse the evidence, experts from Kaspersky Lab’s Global Research and Analysis Team have succeeded in piecing all the disparate pieces of data into a complete picture. Still, the Poseidon group remains active, which brings us to the question of adequate defense.

Of course, protecting endpoints is a must, which, as the well-known [ASD Mitigation Strategies](https://securelist.com/threats/strategies-for-mitigating-advanced-persistent-threats-apts-4/) suggest, should comprise non-signature detection mechanisms such as heuristics and behavioral detection algorithms. Possessing all these, [Kaspersky Endpoint Security for Business](http://www.kaspersky.com/business-security/endpoint-advanced) is powered by the same superior Security Intelligence that enabled our experts to piece together the previously […] real-time global intelligence from the Kaspersky Security Network. These layers erect further barriers in the path of malware, from blocking launch attempts to preventing access to critical system elements and communications with C&C.

The extent of information harvesting by the Poseidon group also highlights the benefits of data encryption throughout the whole corporate infrastructure, enforced by appropriate policies. The [Advanced tier of Kaspersky Endpoint Security for Business](http://www.kaspersky.com/business-security/endpoint-advanced) includes easy-to-use encryption technology, managed through the same single-pane-of-glass console of Kaspersky Security Center as all platform elements. Of course, with spear-phishing as the penetration method of choice for the majority of targeted attack groups, scanning email streams is also absolutely crucial nowadays. [Kaspersky Security for Mail Servers](http://www.kaspersky.com/business-security/mail-server) erects another powerful defensive wall in the attacker’s way.

All in all, Kaspersky Lab’s portfolio of solutions helps implement 19 of ASD’s 35 Mitigation Strategies, including 3 of the ‘top 4’, which between them prevent 85% of targeted-attack-related incidents. But even if you use another vendor’s solutions to protect your infrastructure, we can help. Kaspersky Lab’s achievements as APT discoverers demonstrate that the presence even of such a stealthy and capable APT actor as Poseidon can be uncovered; that’s what our [Targeted Attack Discovery service](http://www.kaspersky.com/business-security/entrp/solutions/security-intelligence-services) is for[1].

Secrets are worth most when they’re sold red hot. Perhaps it’s time to prevent your organization from getting burned.

[For more about Poseidon’s APT Boutique, read the following blog post on Securelist.](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/)

Kaspersky Lab products detect Poseidon malware under the following verdicts:

- Backdoor.Win32.Nhopro
- HEUR:Backdoor.Win32.Nhopro.gen
- HEUR:Hacktool.Win32.Nhopro.gen

[1] Available only in a limited number of regions. To find out whether this is available in your region, [please contact your Kaspersky Lab manager](http://www.kaspersky.com/enterprise-security/intelligence-services).

Tags: [PoseidonAPT](https://business.kaspersky.com/tag/poseidonapt/), [TheSAS2016](https://business.kaspersky.com/tag/thesas2016/)