ESET APT Activity Report: China-aligned groups campaign against EU targets; prime target of Russia-aligned groups remains Ukraine
Created: 2023-10-30 06:16:24
- The latest APT Activity Report contains activities of selected APT groups from April 2023 to September 2023.
- It highlights China-aligned groups’ persistent campaigns in the EU and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.
- Various groups exploited vulnerabilities in WinRAR, Microsoft Exchange servers, and IIS servers.
- The prime target of Russia-aligned groups remained Ukraine; Telegram users were targeted for data collection.
- Among the newly discovered China-aligned groups, DigitalRecyclers repeatedly compromised a governmental organization in the EU, TheWizards conducted adversary-in-the-middle attacks, and PerplexedGoblin targeted another governmental organization in the EU.
BRATISLAVA — October 26, 2023 — ESET released its latest report about the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. Notably, ESET Research observed various APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations. Handpicked findings were presented exclusively to selected journalists during a press event. The presentation and the report explore China-aligned groups’ persistent campaigns in the European Union and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.
Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations, not only in Ukraine but also in Europe and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to governmental organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.
Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests the possibility of this threat actor serving as an access development team for a more advanced group.
The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information, or at least some Telegram-related metadata, Sandworm actively uses this service for active measure purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.
North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted spear phishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms.
Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another governmental organization in the EU.
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups, in the form of ESET APT Reports PREMIUM, to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM, which delivers high-quality, strategic, actionable, and tactical cybersecurity threat intelligence, is available on the ESET Threat Intelligence website.
For more technical information, check the full ESET APT Activity Report on WeLiveSecurity. Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.