Even more than eight months after the Russian invasion, Ukraine remains a prime target of APT groups close to Russia, such as the notorious Sandworm, but also Gamaredon, InvisiMole, Callisto and Turla.
ESET has introduced the ESET APT Activity Report, a study that aims to provide periodic analysis of the activities of APT (advanced persistent threat) groups.
In the first issue, covering Q2 2022 (May-August 2022), the researchers found no decline in APT activity by groups aligned with Russia, China, Iran and North Korea. The aerospace and defense industries, as well as financial and cryptocurrency businesses and exchanges, continue to be of great interest to North Korea-aligned groups.
Financial institutions and cryptocurrency businesses have been targeted by the North Korea-aligned Kimsuky and by two Lazarus campaigns. One of these, dubbed Operation In(ter)ception by the researchers, departed from the group's usual aerospace and defense targets by hitting an Argentinian user with malware disguised as a job offer at Coinbase. The researchers also spotted Konni using a technique Lazarus has used in the past: a trojanized version of the Sumatra PDF viewer.
China-aligned groups continue to be very active, using various previously unreported vulnerabilities and backdoors. A Linux variant of a backdoor used by SparklingGoblin against a Hong Kong university has been identified. The same group exploited a vulnerability in Confluence to target a food manufacturing company in Germany and a US-based engineering company. Researchers also suspect that a vulnerability in ManageEngine ADSelfService Plus is behind the breach of a US defense contractor, whose systems were compromised just two days after the vulnerability was publicly disclosed. In Japan, researchers identified several MirrorFace campaigns, one of which is directly linked to the House of Councillors election.
The growing number of Iran-aligned groups continued to focus their efforts primarily on various Israeli vertical sectors. The researchers were able to attribute a campaign that targeted a dozen organizations in Israel to POLONIUM and to identify several previously undocumented backdoors. The diamond industry and diamond-related organizations in South Africa, Hong Kong and Israel were targeted by Agrius in what the company believes was a supply-chain attack exploiting an Israeli software suite used by that industry. In another campaign in Israel, researchers found indications of a possible overlap in tooling between the MuddyWater and APT35 groups. Researchers also discovered a new version of Android malware in a campaign run by the APT-C-50 group; it was distributed through a website imitating an Iranian site and has limited spying capabilities.