ESET launches APT Activity Report highlighting activities of Russia-, North Korea-, Iran- and China-aligned threat actors, including attacks on aerospace and defense industries
Created: 2022-11-21 07:13:12
-
ESET launches new APT Activity Report; the first installment covers the period of May-August 2022 (T2 2022).
-
ESET Research saw no decline in the activity of Russia-, China-, Iran-, and North Korea-aligned APT groups.
-
Ukraine is still a prime target of Russia-aligned threat groups eight months after the invasion.
-
Aerospace and defense industries continue to be of high interest to North Korea-aligned groups, along with financial and cryptocurrency firms and exchanges.
-
China-aligned groups were able to leverage various vulnerabilities and previously unreported backdoors.
-
The growing number of Iran-aligned groups continued to focus their efforts mainly on various Israeli verticals.
BRATISLAVA — November 14, 2022 — Accompanying the successful ESET Threat Report, ESET Research launches the ESET APT Activity Report, aiming to provide a periodic overview of ESET’s findings on the activities of advanced persistent threat (APT) groups. In the first installment, covering T2 2022 (May-August 2022), ESET Research saw no decline in the APT activity of Russia-, China-, Iran-, and North Korea-aligned threat actors. Even more than eight months after the Russian invasion, Ukraine continues to be a prime target of Russia-aligned APT groups such as the infamous Sandworm, but also Gamaredon, InvisiMole, Callisto, and Turla. The aerospace and defense industries, along with financial and cryptocurrency firms and exchanges, continue to be of high interest to North Korea-aligned groups.
“We have noticed that in T2 2022, several Russia-aligned groups used the Russian multiplatform messaging service Telegram to access C&C servers or as an instrument to leak information. Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft,” elaborates Jean-Ian Boutin, Director of ESET Threat Research.
“The aerospace and defense industry remains of interest to North Korea-aligned groups – Lazarus targeted an employee of an aerospace company in the Netherlands. According to our research, the group abused a vulnerability in a legitimate Dell driver to infiltrate the company, and we believe this to be the first-ever recorded abuse of this vulnerability in the wild,” continues Boutin.
Financial institutions and entities working with cryptocurrency were targeted by North Korea-aligned Kimsuky and two Lazarus campaigns. One of these, dubbed Operation In(ter)ception by ESET researchers, branched out of its usual targeting of aerospace and defense industries when it targeted a person from Argentina with malware disguised as a job offer at Coinbase. ESET also spotted Konni using a technique employed by Lazarus in the past – a trojanized version of Sumatra PDF viewer.
China-aligned groups remained highly active, using various vulnerabilities and previously unreported backdoors. ESET identified a Linux variant of a backdoor used by SparklingGoblin against a Hong Kong university. The same group leveraged a Confluence vulnerability to target a food manufacturing company in Germany and an engineering company based in the US. ESET Research also suspects that a ManageEngine ADSelfService Plus vulnerability was behind the compromise of a US defense contractor whose systems were breached only two days after the public disclosure of the vulnerability. In Japan, ESET Research identified several MirrorFace campaigns, one directly connected to the House of Councilors election.
The growing number of Iran-aligned groups continued to focus their efforts mainly on various Israeli verticals. ESET researchers were able to attribute a campaign targeting a dozen organizations in Israel to POLONIUM and identify several previously undocumented backdoors. Organizations in or linked to the diamond industry in South Africa, Hong Kong, and Israel were targeted by Agrius in what ESET Research considers a supply-chain attack abusing an Israeli-based software suite used in this vertical. In another campaign in Israel, indicators of possible tool-use overlap between MuddyWater and APT35 groups were found. ESET Research also discovered a new version of Android malware in a campaign conducted by the APT-C-50 group; it was distributed by a copycat of an Iranian website and had limited spying functionality.
For more technical information check the full “ESET APT Activity Report” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.