Petulant Penguin Attacks Use Antarctica As Base

The firm Crowdstrike joined other security companies in warning about sophisticated attacks that use compromised computers at research bases on Antartica to launch targeted attacks. They dubbed the campaign "Petulant Penguin."
The firm Crowdstrike joined other security companies in warning about sophisticated attacks that use compromised computers at research bases on Antartica to launch targeted attacks. They dubbed the campaign “Petulant Penguin.”

In-brief: A new sophisticated cyber crime campaign dubbed “Petulant Penguin” by one research firm appears to use compromised computers at Antarctic research bases to launch targeted attacks on government agencies in the U.S. and Europe. 

It’s a desert continent coated in ice with a population of just 5,000 souls and winter temperatures that have been recorded dipping below -80C (-100F). But those tough conditions apparently aren’t enough to make Antarctica immune from a problem plaguing its northern neighbors: cyber crime.

Researchers at top security firms on Wednesday warned about a new and sophisticated campaign of targeted attacks with links back to the icy continent. Dubbed “Petulant Penguin” by one security firm, the malicious campaign appears to be  leveraging compromised infrastructure used by research bases at the south pole and targeting government agencies in the U.S. and Europe.

“To say we were surprised is an understatement,” said Matt Flinders, a security researcher at the firm Crowdstrike, which was among a handful to identify the attack. “We’re used to seeing attacks with ties back to countries like Russia, China – even Brazil. But Antarctica? Nobody expected that.”

Crowdstrike issued a report that provides information on the attacks Wednesday. Its profiles of sophisticated hacker groups include names like “Deep Panda” (a Chinese hacking crew with links to the People’s Liberation Army), “Energetic Bear,” (a group with its base in the Russian Federation) and “Flying Kitten” (with links to the Islamic Republic of Iran).

In this case, it took Crowdstrike researchers some time to actually confirm what their detection tools were telling them. Antartica is connected to the Internet and even has its own top-level domain, .AQ. But data access for the icy continent is spotty and heavily reliant on satellites. Internet access to the Amundsen-Scott South Pole Station is provided by access via NASA’s TDRS-F1, GOES & Iridium satellite constellation. The South Pole’s TDRS relay (named South Pole TDRSS Relay or SPTR) was upgraded recently to support a data return rate of 50 Mbit/s. That accounts for more than 90% of the South Pole’s data capability and is primarily used to relay scientific data from the many research stations.

Working through NASA and other agencies, researchers were eventually able to trace the malicious traffic back to research installations at the South Pole including the Amundsen-Scott base, Concordia Station (a joint Italian and French research base) and Japan’s Dome Fuji station. Interestingly, the attackers were apparently able to work around the continent’s spotty access to the Internet and limited bandwidth: scheduling their malicious activities for seasons and periods in which the stations enjoyed strong and reliable Internet access.

It isn’t known how attackers were able to gain access to networks at the research station, but security experts agree that,  hostile environment aside, Antarctica wouldn’t present any unusual challenges for sophisticated hacking groups.

“The attack vectors would be no different from any other attack,” said Mikko Hypponen, the Chief Research Officer of F-Secure in Finland. In fact, Antarctica research bases may have even been easy targets: the limited bandwidth to and from the continent may constrain the ability of IT administrators there from applying software updates with the ease that they can elsewhere, Hypponen theorized. “It’s possible that these were systems that had not been updated and that workers there assumed, you know ‘We’re in Antarctica. Who would want to attack us?'”

Antarctica is home to a range of scientific experiments by nations including the United States, Russia, Japan and others. The continent operates on something of a “condominium” model, with participating countries adhering to the Antarctic Treaty System, which prohibits military activities and mineral mining, prohibits nuclear explosions and nuclear waste disposal, supports scientific research, and protects the continent’s ecozone.

However, its almost certain that the Petulant Penguin hackers had other targets in mind. “This almost certainly wasn’t an attack aimed at Antarctic researchers,” said Flinders. “These were attacks directed at high value targets with which the research stations communicated.”

Flinders and Crowdstrike declined to elaborate on what those targets are. However, he said the FBI was involved with the investigation. The FBI declined to comment for this story.

Research by CrowdStrike found that politically motivated hacking increased in 2014j. The security firm said that 2014 was rife with examples of politically motivated hacks and online attacks, from distributed denial of service (DDoS) attacks aimed at the government of Ukraine and suffragists in Hong Kong to the group LizardSquad’s attack on online gaming environments in Europe and North America.

Comments are closed.