APT Activity Report T3 2022 from ESET shows: Groups allied with China have shifted their activities to European countries.
While the US and China argue about the shooting down of the “spy balloon”, the APT Activity Report, which summarises research findings on selected Advanced Persistent Threat (APT) groups based on data from September to December 2022, shows that Ukraine continues to be targeted by Russian groups such as Sandworm, Callisto and Gamaredon.
Chinese threat actors make Europe unsafe
“European countries are becoming more and more interesting for Chinese APT groups. Normally, hacker groups allied with China, such as Goblin Panda and Mustang Panda, focused their activities more on Southeast Asia,” explains Jean-Ian Boutin, director of ESET Threat Research. In November 2022, the researchers found a new backdoor called TurboSlate in a government organisation in the European Union. The malware could be traced back to Goblin Panda, which appears to be copying the activities of the APT group Mustang Panda; the latter turned its attention to European targets in early 2022.
“The cyber espionage group is known for attacking government institutions, companies and research institutes. Last September, we discovered a Korplug loader used by the hackers on a company in the Swiss energy and technology sector,” Boutin continued.
Cyber war in Ukraine continues
The notorious Sandworm group also remains very active and continues its operations against Ukraine. Researchers came across a previously unknown wiper used against an energy sector company in the Eastern European country in October 2022. The attack described took place at the time when Russian forces began launching missile attacks against energy infrastructure. Although ESET cannot prove that these events were coordinated, this suggests that Sandworm and the Russian military are pursuing similar goals.
The NikoWiper malware is based on SDelete, a Microsoft command-line utility used to securely delete files. In addition to data-deleting malware, ESET researchers also discovered Sandworm attacks that used ransomware as a wiper. The encryption software had the same goal as the wipers: it was exclusively about destroying data. This is particularly evident in the fact that the provision of a decryption key was never planned.
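A defender reading that NikoWiper is built on SDelete will want to know how legitimate use of that utility can be told apart from wiper-style use in telemetry. The following is an added example for this article, not code from ESET or the report. It scores Windows process-creation events (the kind collected from Sysmon Event ID 1 or Security Event 4688) using the real SDelete switches (`-s` recurse, `-z` zero free space, `-p` passes) plus two heuristics that are assumptions of this example: that an interactive admin normally launches SDelete from a shell or Explorer, and that pointing it at a whole volume or network share is unusual. The field names (`image`, `cmdline`, `parent`, `original_file_name`) and the sample events are constructed for illustration.

```python
"""Score SDelete-style secure-delete executions for wiper-like use (added example, not ESET code)."""
import re

# Real SDelete switches that matter for triage; -p N sets the number of overwrite passes
RECURSIVE_SWITCH = re.compile(r"(?:^|\s)-s\b", re.IGNORECASE)   # recurse into subdirectories
ZERO_FREE_SPACE = re.compile(r"(?:^|\s)-z\b", re.IGNORECASE)    # zero free space on a volume
PASSES = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")                      # e.g. D: or D:\

# Assumption for this example: parents from which an admin would run SDelete by hand
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
ALERT_THRESHOLD = 4


def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 if it is not SDelete."""
    image = ev["image"].lower()
    original = ev.get("original_file_name", "").lower()
    # SDelete is a single binary that is easy to rename, so also check the PE original file name
    if not (image.endswith(("sdelete.exe", "sdelete64.exe")) or original.startswith("sdelete")):
        return 0, []
    score, reasons = 1, ["sdelete binary executed"]
    cmd = ev["cmdline"]
    if RECURSIVE_SWITCH.search(cmd):
        score += 2
        reasons.append("recursive delete (-s)")
    if ZERO_FREE_SPACE.search(cmd):
        score += 1
        reasons.append("zero free space (-z)")
    m = PASSES.search(cmd)
    if m and int(m.group(1)) > 1:
        score += 1
        reasons.append(f"{m.group(1)} overwrite passes")
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        score += 2
        reasons.append(f"unexpected parent {ev['parent']}")
    # A bare drive letter or UNC share as the target means the whole volume is in scope
    if any(DRIVE_ROOT.match(tok) or tok.startswith("\\\\") for tok in cmd.split()):
        score += 2
        reasons.append("targets whole volume or network share")
    return score, reasons


def triage(events):
    """Return the events whose score reaches the alert threshold, with their reasons."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"image": ev["image"], "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {   # admin removing one old log file from a command prompt: benign
        "image": "C:\\Tools\\sdelete64.exe",
        "cmdline": "sdelete64.exe -p 1 C:\\Temp\\old.log",
        "parent": "cmd.exe",
    },
    {   # renamed binary, launched by a service, recursively wiping an entire volume
        "image": "C:\\Windows\\Temp\\svc.exe",
        "original_file_name": "sdelete.exe",
        "cmdline": "svc.exe -nobanner -s -q D:\\",
        "parent": "services.exe",
    },
    {   # unrelated process: ignored
        "image": "C:\\Windows\\System32\\notepad.exe",
        "cmdline": "notepad.exe notes.txt",
        "parent": "explorer.exe",
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], "; ".join(alert["reasons"]))
```

The scoring is deliberately additive so that a single legitimate switch never alerts on its own; the second sample event reaches the threshold because the recursion, the service parent and the volume-wide target coincide, which is the combination a wiper, rather than an administrator cleaning up a file, would produce.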
In addition to Sandworm, other Russian APT groups such as Callisto and Gamaredon also continued their spearphishing campaigns against Ukraine to steal credentials and install malware. For example, the ransomware Prestige was used against logistics companies in Ukraine and Poland. A month later, ESET researchers found new encryption software written in .NET called RansomBoggs in Ukraine.
Iran and North Korea still operate on a large scale
Groups allied with Iran also continue their attacks – in addition to Israeli companies, POLONIUM also targeted the foreign subsidiaries of Israeli companies. The Iranian APT group MuddyWater is also suspected of having compromised a managed security services provider.
The North Korea-linked hacking group Konni used old vulnerabilities to compromise cryptocurrency companies and exchanges in different parts of the world. ESET researchers discovered that the group has added English to the repertoire of languages it uses in its decoy documents. This suggests that it is no longer limiting its reach exclusively to the usual Russian and South Korean targets.