Hacker groups: Russia, North Korea, Iran and China fully active

With its new APT (Advanced Persistent Threat) Activity Report, ESET provides a regular overview of the activities of hacker groups and examines their actions in detail. Groups from Russia, North Korea, Iran and China are highly active.

Russia-linked hackers like Sandworm, Gamaredon, Turla, or InvisiMole continue to have Ukraine as their primary target. Aerospace and defense companies are popular with actors connected to North Korea. Iranian groups focus their activities on Israel. A German food company was also the target of an APT group linked to China. Overall, the ESET researchers could not detect any decrease in activity among the various hacker groups. The current report covers the period from May to August 2022.

Industry, Secrets, Blackmail

"The aerospace and defense industries remain of great interest to groups allied with North Korea. For example, Lazarus targeted an employee at an aerospace company in the Netherlands. According to our research, the group exploited a vulnerability in a legitimate Dell driver to infiltrate the company. We believe this is the first recorded exploit of this vulnerability in the wild," said Jean-Ian Boutin, Director of ESET Threat Research. "We also found that several groups allied with Russia have abused the Telegram messaging service to access command-and-control servers or to leak sensitive information. APT actors from other regions also tried to gain access to Ukrainian organizations, both for cyberespionage and intellectual property theft," Boutin continues.

Cryptocurrencies: another field of activity for APT groups

Financial institutions and companies working with cryptocurrencies were the target of North Korea's Kimsuky and of two campaigns by the Lazarus Group. One of these campaigns, dubbed Operation In(ter)ception by ESET researchers, deviated from the group's usual targets in the aerospace and defense industries: a single person in Argentina was attacked with malware disguised as a job offer at Coinbase. ESET also discovered that the Konni group uses a technique Lazarus has used in the past, a trojanized version of the Sumatra PDF Viewer.

China groups often use backdoors

China-based groups continued to be very active. They exploited various vulnerabilities and used previously unreported backdoors. For example, ESET identified the Linux variant of a backdoor used by SparklingGoblin against a Hong Kong university. In another case, the same group used a Confluence vulnerability to attack a food processing company in Germany and an engineering firm in the United States. ESET Research also suspects that a ManageEngine ADSelfService Plus vulnerability is behind the compromise of a US defense contractor; its systems were attacked just two days after the vulnerability was published. In Japan, ESET identified several campaigns by the group MirrorFace, one of which was directly related to the elections to the upper house of parliament.

Iranian groups have Israel in focus

The growing number of groups linked to Iran continued to focus their efforts primarily on various Israeli industries. ESET researchers were able to attribute an action targeting a dozen organizations to POLONIUM and identified several previously undocumented backdoors. Agrius targeted companies and entities involved in or associated with the diamond industry in South Africa, Hong Kong and Israel.

ESET experts believe this is a supply chain attack, abusing Israel-based software used in this area. Another campaign in Israel found evidence of a possible overlap in tool usage between the MuddyWater and APT35 groups. ESET Research also detected a new version of Android malware in a campaign run by the APT-C-50 group. It was distributed by a copycat Iranian website and had limited spying capabilities.

About the ESET APT Activity Report

Complementary to the ESET Threat Report, ESET Research publishes the ESET APT Activity Report, which aims to provide a regular overview of ESET's insights into Advanced Persistent Threat (APT) activity. The first edition covers the period from May to August 2022. The report is planned to be published alongside the ESET Threat Report.

More at ESET.com

About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.
