Symantec Security Response
Bachosens: Highly-skilled petty cyber-criminal with lofty ambitions targeting large organisations
Eastern Europe-based attacker’s advanced malware is comparable with that used by nation-state actors, but basic missteps
indicate a threat actor who is skilled but lacking in expertise
In attacks reminiscent of the early days of malware, a lone wolf threat actor who appears to be based in a disputed part
of eastern Moldova is using advanced malware to carry out cyber attacks against large organisations for relatively
modest rewards. The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they
were looking at the work of nation-state actors. However, further investigation revealed a 2017 equivalent of the
hobbyist hackers of the 1990s — the only difference being this hacker wasn’t out for bragging rights. He was out for
Big weapon, small rewards
This lone wolf attacker — who we call Igor — is not an average cyber-criminal aiming to infect as many victims as
possible. Rather, he has been carrying out highly targeted attacks on specific organisations.
Igor developed a specialised tool, a piece of malware called Bachosens, to gain access to at least two large
organisations, an international airline and a Chinese auto-tech company. Symantec believes that Igor planted the malware
through the use of spear-phishing emails, a tactic typically employed by nation-state actors.
What do we know about this attacker?
Symantec believes he may be based in the town of Tiraspol in eastern Moldova. Officially, Tiraspol is the second-largest
city in Moldova, but it is also the capital of the self-declared republic of Transnistria, which is not recognised as an
independent state by the UN.
The dominant language in Transnistria is Russian, and Russian strings were used in the Bachosens malware; in addition,
communication with the C&C server uses what appear to be the Russian equivalents of the size suffixes KB, MB, GB, and TB. This indicated to
researchers that the individual behind this malware was likely Russian speaking.
The level of information the attacker knowingly or negligently revealed about himself online gave us high confidence
that he is an individual involved in the auto industry who is based in this part of Eastern Europe.
Petty cyber-crime still exists
While we have gleaned a lot of information about this attack, much of this attacker’s activity remains a mystery, such
as the motivations behind some of his activity, and where he may have acquired the skills to create such sophisticated
malware while clearly demonstrating a lack of expertise in other areas.
However, this activity does show us that while nation-state actors and organised cyber-crime gangs carrying off big
heists may be what grabs headlines, there are still lone wolf attackers out there making a comfortable living from