European IT security vendor ESET has published its latest "APT Activity Report T3 2022". Its focus: China-aligned groups are increasingly active in Europe, and Russia-aligned groups continue to target Ukraine.
These reports regularly summarize ESET's investigative findings on selected Advanced Persistent Threat (APT) groups. In the latest issue, covering the period from September to December 2022, ESET researchers present their most recent insights into hacking campaigns around the world. China-aligned groups have shifted part of their activity to European countries. Russia-aligned groups such as Sandworm, Callisto and Gamaredon continue to target Ukraine. In addition, groups linked to Iran and North Korea continue to operate on a large scale.
China-aligned threat actors set their sights on Europe
"European countries are becoming more and more interesting for Chinese APT groups. Traditionally, China-aligned hacker groups like Goblin Panda and Mustang Panda tended to focus more on Southeast Asia," explains Jean-Ian Boutin, Director of ESET Threat Research. "But last November, ESET researchers found a new backdoor called TurboSlate in a government organization in the European Union. The malware was traced back to Goblin Panda, which appears to be copying the operations of the APT group Mustang Panda. The latter discovered European targets for themselves at the beginning of 2022. The cyber espionage group is known for targeting government institutions, corporations and research institutes. Last September, ESET experts discovered a Korplug loader that was being used by hackers at a company in the Swiss energy and technology sector," Boutin continued.
The cyber war in Ukraine continues
The notorious Sandworm group also remains highly active and continues its operations against Ukraine. In October 2022, ESET researchers came across a previously unknown wiper used against an energy sector company in the country. The attack coincided with the start of Russian missile strikes on Ukrainian energy infrastructure. ESET cannot prove that the two events were coordinated, but the timing suggests that Sandworm and the Russian military share similar goals.
ESET named the latest wiper, the newest in a line of previously discovered ones, NikoWiper. It is built on SDelete, a Microsoft Sysinternals command-line tool for securely deleting files. Beyond data-wiping malware, ESET researchers also observed Sandworm deploying ransomware as a wiper: the ransomware served the same purpose as the wiper, destroying data, and the attackers never intended to provide a decryption key.
Sandworm, Callisto, Gamaredon
In addition to Sandworm, other Russia-aligned APT groups such as Callisto and Gamaredon have continued spearphishing campaigns against Ukraine to steal credentials and install malware. In October 2022, ESET detected the Prestige ransomware, which was used against logistics companies in Ukraine and Poland. A month later, ESET researchers found new ransomware written in .NET in Ukraine, which they dubbed RansomBoggs. ESET Research published the results of its investigation into this campaign on the ESET Research Twitter account.
Iran and North Korea continue to operate on a large scale
Iran-aligned groups also continued their attacks: POLONIUM targeted not only Israeli companies but also their foreign subsidiaries. The Iranian APT group MuddyWater is suspected of having compromised a managed security service provider.
The North Korea-aligned group Konni exploited old vulnerabilities to compromise cryptocurrency firms and exchanges in different parts of the world. ESET researchers found that the group has added English to the languages it uses in its lure documents, suggesting that it is no longer confining itself to its usual Russian and South Korean targets.
Background to the APT Activity Report
In addition to the ESET Threat Report, ESET Research publishes the ESET APT Activity Report, a regular overview of its research findings on Advanced Persistent Threat (APT) activity. The first edition covered the period from May to August 2022. Going forward, the APT Activity Report will be published alongside the ESET Threat Report.
More at ESET.com
About ESET
ESET is a European company headquartered in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 and has helped over 100 million users enjoy secure technology. Its broad portfolio of security products covers all common platforms and offers companies and consumers worldwide a balance between performance and proactive protection. The company has a global sales network in over 180 countries and offices in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.