Accompanying the successful ESET Threat Report, ESET Research launches the ESET APT Activity Report, aiming to provide a periodic overview of ESET’s findings on the activities of advanced persistent threat (APT) groups. In the first installment, covering T2 2022 (May-August 2022), ESET Research saw no decline in the APT activity of Russia-, China-, Iran-, and North Korea-aligned threat actors. Even more than eight months after the Russian invasion, Ukraine continues to be a prime target of Russia-aligned APT groups such as the infamous Sandworm, but also Gamaredon, InvisiMole, Callisto, and Turla. The aerospace and defense industries, along with financial and cryptocurrency firms and exchanges, continue to be of high interest to North Korea-aligned groups.
“We have noticed that in T2 2022, several Russia-aligned groups used the Russian multiplatform messaging service Telegram to access C&C servers or as an instrument to leak information. Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft,” elaborates Jean-Ian Boutin, Director of ESET Threat Research.
“The aerospace and defense industry remains of interest to North Korea-aligned groups – Lazarus targeted an employee of an aerospace company in the Netherlands. According to our research, the group abused a vulnerability in a legitimate Dell driver to infiltrate the company, and we believe this to be the first-ever recorded abuse of this vulnerability in the wild,” continues Boutin.
Financial institutions and entities working with cryptocurrency were targeted by North Korea-aligned Kimsuky and two Lazarus campaigns. One of these, dubbed Operation In(ter)ception by ESET researchers, branched out of its usual targeting of aerospace and defense industries when it targeted a person from Argentina with malware disguised as a job offer at Coinbase. ESET also spotted Konni using a technique employed by Lazarus in the past – a trojanized version of Sumatra PDF viewer.
China-aligned groups remained highly active, using various vulnerabilities and previously unreported backdoors. ESET identified a Linux variant of a backdoor used by SparklingGoblin against a Hong Kong university. The same group leveraged a Confluence vulnerability to target a food manufacturing company in Germany and an engineering company based in the US. ESET Research also suspects that a ManageEngine ADSelfService Plus vulnerability was behind the compromise of a US defense contractor whose systems were breached only two days after the public disclosure of the vulnerability. In Japan, ESET Research identified several MirrorFace campaigns, one directly connected to the House of Councilors election.
The growing number of Iran-aligned groups continued to focus their efforts mainly on various Israeli verticals. ESET researchers were able to attribute a campaign targeting a dozen organizations in Israel to POLONIUM and identify several previously undocumented backdoors. Organizations in or linked to the diamond industry in South Africa, Hong Kong, and Israel were targeted by Agrius in what ESET Research considers a supply-chain attack abusing an Israeli-based software suite used in this vertical. In another campaign in Israel, indicators of possible tool-use overlap between MuddyWater and APT35 groups were found. ESET Research also discovered a new version of Android malware in a campaign conducted by the APT-C-50 group; it was distributed by a copycat of an Iranian website and had limited spying functionality.