Hacker groups from Russia, North Korea, Iran and China continue to be active

ESET’s new APT (Advanced Persistent Threat) Activity Report provides a regular overview of the activities of these hacker groups and highlights their actions in detail. Russian-linked hackers such as Sandworm, Gamaredon, Turla or InvisiMole continue to have Ukraine as their primary target. Aerospace and defence companies are popular with actors connected to North Korea. Iranian groups focus their activities on Israel. A German food company was also targeted by a China-linked APT group. Overall, the ESET researchers could not detect any decline in activities among the various hacker groups. The current report covers the period from May to August 2022 and is available on WeLiveSecurity.com.
“The aviation and defence industries remain of great interest to groups allied with North Korea. For example, Lazarus targeted an employee of an aerospace company in the Netherlands. According to our research, the group exploited a vulnerability in a legitimate Dell driver to penetrate the company. We believe this is the first ever recorded exploit of this vulnerability in the wild,” said Jan-Ian Boutin, director of ESET Threat Research. “We have also found that several groups allied with Russia have abused the Telegram messenger service to access command-and-control servers or to leak sensitive information. APT actors from other regions also tried to gain access to Ukrainian organisations, both for cyber espionage and intellectual property theft,” Boutin continues.

Cryptocurrencies: another field of activity for APT groups
Financial institutions and companies working with cryptocurrencies were the target of Kimsuky from North Korea and two campaigns by the Lazarus Group. One of these campaigns, dubbed Operation In(ter)ception by ESET researchers, deviated from their usual targets in the aviation as well as defence industries. This involved attacking an individual from Argentina with malware disguised as a job offer at Coinbase. ESET also discovered that the Konni group was using a technique that had been used by Lazarus in the past – a Trojanised version of the Sumatra PDF Viewer.

Groups based in China continued to be very active. They used various vulnerabilities and previously unreported backdoors. For example, ESET identified the Linux variant of a backdoor used by SparklingGoblin against a university in Hong Kong. In another case, the same group used a Confluence vulnerability to attack a food industry company in Germany and an engineering firm in the US. ESET Research also suspects that a ManageEngine ADSelfService Plus vulnerability was behind the compromise of a US defence contractor. Its systems were attacked just two days after the vulnerability was disclosed. In Japan, ESET identified several campaigns by the group Mirrorface, one of which was directly related to the elections for the upper house of parliament.

Iranian groups target Israel
The growing number of groups linked to Iran continued to focus their efforts mainly on various Israeli industries. ESET researchers were able to attribute an operation targeting a dozen organisations to POLONIUM and identify several previously undocumented backdoors. Companies and entities involved in or associated with the diamond industry in South Africa, Hong Kong and Israel were targeted by Agrius. ESET experts believe that this is a supply chain attack abusing Israel-based software used in the sector. In another campaign in Israel, evidence was found of possible overlap in the use of tools between the MuddyWater and APT35 groups. ESET Research also discovered a new version of Android malware in a campaign conducted by the APT-C-50 group. It was distributed by a copycat of an Iranian website and had limited spying capabilities.

About the ESET APT Activity Report

To complement the ESET Threat Report, ESET Research is publishing the ESET APT Activity Report, which aims to provide a regular overview of ESET’s findings on Advanced Persistent Threat (APT) activity. The first edition will cover the period May to August 2022, and it is planned that the report will be published alongside the ESET Threat Report from now on.

The ESET APT Acitivity Report is available on WeLiveSecurityhttps://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-2022/