Threat actors muddy waters in Middle East with APT hijacks and fake leaks during Q2

Thursday 01 August 2019
Dubai - MENA Herald:

Advanced persistent threat (APT) activity in the second quarter of 2019 included a number of operations targeting or originating in the Middle East and South Korea. Much of the activity was focused on cyber-espionage or financial gain, but at least one campaign appears to have been intended to spread disinformation. In May, Kaspersky researchers analyzed the online leak of apparent cyber-espionage assets belonging to an Iranian entity, and concluded that the actor behind the dump could be Hades, a group also linked to ExPetr and the cyberattack on the 2018 Winter Olympic Games. These and other APT trends across the world are covered in Kaspersky's latest quarterly threat intelligence summary.

The quarterly APT trends summary is drawn from Kaspersky’s private threat intelligence research, as well as from other sources, and highlights the main developments that researchers believe everyone should be aware of.

In the second quarter of 2019, Kaspersky researchers observed some interesting activity in the Middle East. This included a series of online leaks of assets such as code, infrastructure, group and apparent victim details, allegedly belonging to known Persian-speaking threat actors, OilRig and MuddyWater. The leaks originated from different sources but all appeared within a few weeks of each other. The third online leak, which apparently exposed information related to an entity called the “RANA institute”, was published in Persian on a website named “Hidden Reality”. Kaspersky researchers’ analysis of the materials, infrastructure and the dedicated website used, led them to the conclusion that this leak could be connected to the threat actor Hades. Hades is the group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm, and various disinformation campaigns like the 2017 leak of emails relating to Emmanuel Macron’s presidential election campaign in France. 

Further APT highlights in Q2, 2019 include:

  • Russian-speaking groups continue to consistently refine and release new tools, and to launch new operations. For example, since March, Zebrocy appears to have turned its attention towards Pakistan/India events, officials, and related diplomats and military, as well as maintaining ongoing access to local and remote Central Asian government networks. Turla’s attacks continued to feature a rapidly evolving toolset and, in one notable instance, the apparent hijacking of infrastructure belonging to OilRig.
  • Korea-related activity remained high, while South East Asia was quieter than in previous quarters. Operations worth mentioning include an attack by the Lazarus group targeting a mobile gaming company in South Korea, and a campaign by BlueNoroff, a Lazarus sub-group, targeting a bank located in Bangladesh and crypto-currency software.
  • Researchers also observed an active campaign targeting government bodies in Central Asia by the Chinese-speaking APT group SixLittleMonkeys, using a new version of the Microcin Trojan and a RAT that Kaspersky calls HawkEye as the final-stage implant.

“The second quarter of 2019 shows just how clouded and confusing the threat landscape has become, and how often something is not what it seems. Among other things, we saw a threat actor hijacking the infrastructure of a smaller group, and another group possibly capitalizing on a series of online leaks to spread disinformation and undermine the credibility of exposed assets. The security industry faces an ever-growing task to cut through the smoke and mirrors to find the facts and threat intelligence that cybersecurity relies on. As always, it is important to add that our visibility is not complete, and there will be activity that is not yet on our radar or not fully understood – so protection against both known and unknown threats remains vital for everyone,” said Vicente Diaz, Principal Security Researcher, Global Research and Analysis Team, Kaspersky.

The APT trends report for Q2 summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: 

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.