The report details about the quarter May-August 2022. It highlights activities of Russia – North Korea, Iran – and China-aligned threat actors, including attacks on aerospace and defense industries.
According to the ESET APT Activity Report, ESET Research saw no decline in the APT activity of Russia-, China-, Iran-, and North Korea-aligned threat actors. The report aims to provide a periodic overview of ESET’s findings on the activities of advanced persistent threat (APT) groups.
In the first installment of the report, covering T2 2022 (May-August 2022) even more than eight months after the Russian invasion, Ukraine continues to be a prime target of Russia-aligned APT groups such as the infamous Sandworm, but also Gamaredon, InvisiMole, Callisto, and Turla. The aerospace and defense industry remains of interest to North Korea-aligned groups – Lazarus targeted an employee of an aerospace company in the Netherlands.
“We have noticed that in T2 2022, several Russia-aligned groups used the Russian multiplatform messaging service Telegram to access C&C servers or as an instrument to leak information. Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft,” elaborates Jean-Ian Boutin, Director of ESET Threat Research.
“According to our research, the group abused a vulnerability in a legitimate Dell driver to infiltrate the company, and we believe this to be the first-ever recorded abuse of this vulnerability in the wild,” continues Boutin.
Financial institutions and entities working with cryptocurrency were targeted by North Korea-aligned Kimsuky and two Lazarus campaigns. ESET also spotted Konni using a technique employed by Lazarus in the past – a trojanized version of Sumatra PDF viewer.
China-aligned groups remained highly active, using various vulnerabilities and previously unreported backdoors. ESET identified a Linux variant of a backdoor used by SparklingGoblin against a Hong Kong university. The same group leveraged a Confluence vulnerability to target a food manufacturing company in Germany and an engineering company based in the US.
ESET Research also suspects that a ManageEngine ADSelfService Plus vulnerability was behind the compromise of a US defense contractor whose systems were breached only two days after the public disclosure of the vulnerability. In Japan, ESET Research identified several MirrorFace campaigns, one directly connected to the House of Councilors election.
Organizations in or linked to the diamond industry in South Africa, Hong Kong, and Israel were targeted by Agrius in what ESET Research considers a supply-chain attack abusing an Israeli-based software suite used in this vertical. In another campaign in Israel, indicators of possible tool-use overlap between MuddyWater and APT35 groups were found. ESET Research also discovered a new version of Android malware in a campaign conducted by the APT-C-50 group; it was distributed by a copycat of an Iranian website and had limited spying functionality.
