Full Report
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024
Analysis Summary
# Threat Actor: MirrorFace
## Attribution & Identity
China-aligned APT group.
## Activity Summary
Observed a notable expansion in targeting, extending operations to include a diplomatic organization within the European Union (EU) for the first time, while continuing to prioritize its typical Japanese targets.
## Tactics, Techniques & Procedures
- Relying increasingly on the open-source, multiplatform SoftEther VPN to maintain access to victims' networks (implied TTP: persistence and remote network access).
## Targeting
- Sectors: Diplomatic organizations (new focus).
- Geography: Japan (Primary), European Union (EU) (New expansion).
- Victims: A diplomatic organization in the European Union.
## Tools & Infrastructure
- Malware families used: None explicitly mentioned for MirrorFace in this excerpt; the group is noted for its reliance on SoftEther VPN.
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
The expansion of targeting by MirrorFace into EU diplomatic circles suggests a broadening scope beyond traditional espionage targets, potentially increasing geopolitical risk for EU member states and institutions.
## Mitigations
- Monitor for and secure against the use of SoftEther VPN for unexpected network access or lateral movement within the network, particularly for initial access/persistence purposes.
***
# Threat Actor: Flax Typhoon
## Attribution & Identity
Alignment not stated in the excerpt (Flax Typhoon is mentioned alongside other state-aligned groups, but no attribution is given for it specifically).
## Activity Summary
ESET observed the group making extensive use of SoftEther VPN during the reporting period.
## Tactics, Techniques & Procedures
- Extensive use of SoftEther VPN to maintain access.
## Targeting
- Sectors: Not specified.
- Geography: Not specified.
- Victims: Not specified.
## Tools & Infrastructure
- Malware families used: Not explicitly mentioned.
- Infrastructure (C2, domains, IPs): Associated with the use of SoftEther VPN.
## Implications
Indicates active abuse of SoftEther VPN by this actor to maintain persistent access.
## Mitigations
- Review and audit configurations for SoftEther VPN usage within the infrastructure.
***
# Threat Actor: Webworm
## Attribution & Identity
China-aligned APT group (implied by its grouping with other named China-aligned actors in the excerpt).
## Activity Summary
Observed switching from using its full-featured backdoor to deploying the SoftEther VPN Bridge on the machines of governmental organizations within the EU.
## Tactics, Techniques & Procedures
- Replacing its full-featured backdoor with SoftEther VPN Bridge for persistence/C2.
## Targeting
- Sectors: Governmental organizations.
- Geography: European Union (EU).
- Victims: Governmental organizations in the EU.
## Tools & Infrastructure
- Malware families used: Full-featured backdoor (predecessor to VPN Bridge use), SoftEther VPN Bridge.
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
Suggests adaptation toward using readily available, open-source tools (like SoftEther VPN Bridge) to blend in or maintain access after initial compromise via custom malware.
## Mitigations
- Implement strong network segmentation and egress filtering, especially concerning tools like SoftEther VPN Bridge being used internally.
***
# Threat Actor: GALLIUM
## Attribution & Identity
China-aligned APT group (implied by its grouping with other named China-aligned actors in the excerpt).
## Activity Summary
Observed deploying SoftEther VPN servers at telecommunications operators.
## Tactics, Techniques & Procedures
- Deploying SoftEther VPN servers (likely for C2 or staging).
## Targeting
- Sectors: Telecommunications operators.
- Geography: Africa.
- Victims: Telecommunications operators in Africa.
## Tools & Infrastructure
- Malware families used: None named; the actor deploys SoftEther VPN servers (legitimate software abused for access).
- Infrastructure (C2, domains, IPs): SoftEther VPN servers deployed by the actor.
## Implications
Targets critical national infrastructure (telecoms) in Africa, indicating strategic interest in regional connectivity and data flow in that continent.
## Mitigations
- Enhance monitoring and hardening of telecommunications infrastructure, specifically looking for unauthorized SoftEther VPN installations or server endpoints.
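The four SoftEther VPN mitigations above (MirrorFace, Flax Typhoon, Webworm and GALLIUM) all come down to spotting the software where it has no business running. The following is an added example, not code from ESET or from any of the actors' tooling: it runs a small set of detection rules over constructed endpoint telemetry in JSON-lines form. The executable and config file names are SoftEther's own published names, the listener ports are the project's defaults, the `original_file_name` field stands in for Sysmon's OriginalFileName (which survives a rename on disk), and the approved-host allowlist, hostnames and paths are all assumed.

```python
"""Flag SoftEther VPN deployments in endpoint telemetry (constructed example)."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator tables. Executable and config file names follow SoftEther's own
# published file names; treat them as a starting point, because actors commonly
# rename the binaries, which is why OriginalFileName is checked as well.
SOFTETHER_BINARIES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd"}
SOFTETHER_CONFIGS = {"vpn_server.config", "vpn_bridge.config", "vpn_client.config"}
# Default listener ports of the SoftEther server, minus 443, which is too
# noisy to alert on by port number alone.
SOFTETHER_LISTEN_PORTS = {992, 1194, 5555}


@dataclass(frozen=True)
class Finding:
    host: str
    event_type: str
    reason: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _stem(name: str) -> str:
    """File name without its extension ('vpnserver.exe' -> 'vpnserver')."""
    return name.rsplit(".", 1)[0] if "." in name else name


def check_event(ev: dict, approved_hosts: set) -> Optional[Finding]:
    """Return a Finding for one telemetry event, or None if it looks benign."""
    host = ev.get("host", "?")
    kind = ev.get("type", "")
    if host in approved_hosts:
        return None  # sanctioned SoftEther deployment (assumed allowlist)
    if kind == "process":
        image = _basename(ev.get("image", ""))
        original = _basename(ev.get("original_file_name", ""))
        if _stem(image) in SOFTETHER_BINARIES:
            return Finding(host, kind, "SoftEther binary by image name", image)
        if _stem(original) in SOFTETHER_BINARIES:
            return Finding(host, kind, "renamed SoftEther binary (OriginalFileName)",
                           f"{ev.get('image', '')} <- {original}")
    elif kind == "file":
        if _basename(ev.get("target", "")) in SOFTETHER_CONFIGS:
            return Finding(host, kind, "SoftEther config file written", ev.get("target", ""))
    elif kind == "listen":
        if ev.get("port") in SOFTETHER_LISTEN_PORTS:
            return Finding(host, kind, f"listener on SoftEther default port {ev['port']}",
                           ev.get("image", ""))
    return None


def scan(lines: Iterable[str], approved_hosts: set) -> List[Finding]:
    """Run check_event over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(json.loads(line), approved_hosts)
            if finding:
                findings.append(finding)
    return findings


# Constructed telemetry: one sanctioned VPN host, a workstation running a renamed
# server binary plus its config drop, a rogue listener, and benign noise.
_RAW_EVENTS = [
    {"type": "process", "host": "dmz-vpn-01",
     "image": r"C:\Program Files\SoftEther VPN Server\vpnserver.exe",
     "original_file_name": "vpnserver.exe"},
    {"type": "process", "host": "fin-ws-07",
     "image": r"C:\Users\Public\svchost64.exe", "original_file_name": "vpnserver.exe"},
    {"type": "file", "host": "fin-ws-07", "target": r"C:\Users\Public\vpn_server.config"},
    {"type": "listen", "host": "telco-core-3", "port": 5555,
     "image": r"C:\ProgramData\update\upd.exe"},
    {"type": "process", "host": "ops-01", "image": "/opt/tools/vpnbridge",
     "original_file_name": ""},
    {"type": "listen", "host": "web-01", "port": 443, "image": "/usr/sbin/nginx"},
    {"type": "process", "host": "hr-ws-02", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _RAW_EVENTS]
APPROVED_SOFTETHER_HOSTS = {"dmz-vpn-01"}  # assumed: hosts where SoftEther is sanctioned

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, APPROVED_SOFTETHER_HOSTS):
        print(f"{f.host:13} {f.event_type:8} {f.reason}: {f.detail}")
```

The allowlist is deliberately by host rather than by path, because the point of the report is that the software itself is legitimate; what matters is whether this machine was ever meant to run it. The OriginalFileName rule is the one that pays off against the renamed-binary case, and the listener rule catches the server when the binary name and version info have both been scrubbed.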
***
# Threat Actor: Iran-aligned Groups (Generic/Collective)
## Attribution & Identity
Iran-aligned cyber groups, potentially supporting diplomatic espionage and kinetic operations.
## Activity Summary
Comprising several distinct operations:
1. Compromised financial services firms in Africa.
2. Conducted cyberespionage against Iraq and Azerbaijan.
3. Increased interest in the transportation sector in Israel.
4. Maintained global focus by targeting diplomatic envoys in France and educational organizations in the US.
## Tactics, Techniques & Procedures
- Leveraging cyber capabilities for strategic support (diplomatic/kinetic).
- Sophisticated targeting across multiple sectors (Finance, Government, Transportation).
## Targeting
- Sectors: Financial services, Diplomatic (espionage), Transportation, Education.
- Geography: Africa (Finance), Iraq & Azerbaijan (Espionage), Israel (Transportation), France & United States (Diplomatic/Education).
- Victims: Financial services firms, diplomatic envoys, educational organizations.
## Tools & Infrastructure
- Not specified in detail, but implied use of cyberespionage tools.
## Implications
These groups appear to be highly aligned with national strategic interests, using cyber operations to support foreign policy goals in politically sensitive regions (Middle East/Africa) while maintaining a broad global espionage footprint.
## Mitigations
- Harden critical infrastructure in geographically relevant regions (Finance in Africa, Transportation in Israel).
- Increased scrutiny of network traffic related to diplomatic and educational entities globally.
***
# Threat Actor: Kimsuky
## Attribution & Identity
North Korea-aligned threat actor.
## Activity Summary
Continued pursuing its goal of funding regime activities through theft of fiat and cryptocurrency. Notably, began abusing Microsoft Management Console (MMC) files.
## Tactics, Techniques & Procedures
- Abusing Microsoft Management Console files (`.mmc`) to potentially execute arbitrary Windows commands.
- Frequent misuse of popular cloud services (Google Drive, OneDrive, Dropbox, etc.) for exfiltration or staging.
## Targeting
- Sectors: Defense and aerospace companies, Cryptocurrency developers, Think tanks, NGOs.
- Geography: Europe and the US.
- Victims: Defense/aerospace entities, crypto developers.
## Tools & Infrastructure
- Malware families used: None named; the notable technique is abuse of MMC files.
- Infrastructure (C2, domains, IPs): Heavy reliance on legitimate cloud services (Google Drive, Microsoft OneDrive, Dropbox, Yandex Disk, pCloud, GitHub, Bitbucket).
## Implications
Kimsuky continues to focus on financial gain to support WMD programs by targeting high-value IP holders (Defense/Crypto) and using common, trusted cloud services to evade detection.
## Mitigations
- Enhance detection rules to flag suspicious execution chains initiated by legitimate Windows components such as MMC files that go on to invoke system commands.
- Rigorously audit data-access patterns for employee accounts that use major cloud storage providers.
***
# Threat Actor: ScarCruft
## Attribution & Identity
North Korea-aligned threat actor.
## Activity Summary
Observed by ESET abusing Zoho cloud services for malicious activity, the first time ESET has seen the group do so.
## Tactics, Techniques & Procedures
- Abusing Zoho cloud services (new technique).
## Targeting
- Sectors: Not specified.
- Geography: Not specified.
- Victims: Not specified.
## Tools & Infrastructure
- Malware families used: Not specified.
- Infrastructure (C2, domains, IPs): Used Zoho cloud services.
## Implications
Demonstrates a continuous attempt by North Korean groups to pivot and utilize new, potentially less scrutinized cloud platforms for their operations.
## Mitigations
- Review logs and security alerts for anomalous access or activity related to organizational Zoho cloud service accounts.
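The cloud-service mitigations for Kimsuky (Google Drive, OneDrive, Dropbox, Yandex Disk, pCloud, GitHub, Bitbucket) and for ScarCruft (Zoho) share one detection problem: the destinations are legitimate and widely used, so the signal is in who uploads to them and how much. The following is an added example, not code from ESET or from either group's tooling. It parses constructed proxy records in a simple space-separated format, applies a baseline of which hosts are sanctioned to use each service, and flags both use of a watched service from a host outside that baseline and daily upload volume above a threshold. The service-to-domain watchlist, the log format, the 100 MiB threshold and the baseline are all assumptions.

```python
"""Baseline cloud-storage uploads in proxy logs and flag outliers (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Watchlist built from the services named in the report. These are the
# services' primary domains, chosen for the example; map the upload endpoints
# your own proxy actually records, since API and content hosts often differ.
CLOUD_SERVICES = {
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "disk.yandex.ru": "Yandex Disk",
    "pcloud.com": "pCloud",
    "github.com": "GitHub",
    "bitbucket.org": "Bitbucket",
    "zoho.com": "Zoho",
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
VOLUME_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per host/user/service/day (assumed)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    service: str
    reason: str
    bytes_out: int


def service_for(hostname: str) -> Optional[str]:
    """Map a destination hostname to a watched service by exact or suffix match."""
    h = hostname.lower().rstrip(".")
    for domain, name in CLOUD_SERVICES.items():
        if h == domain or h.endswith("." + domain):
            return name
    return None


def parse_line(line: str):
    """Constructed log format: <timestamp> <host> <user> <method> <dest_host> <bytes_out>."""
    ts, host, user, method, dest, size = line.split()
    return ts[:10], host, user, method.upper(), dest, int(size)


def analyze(lines: Iterable[str], expected_hosts: Dict[str, Set[str]]) -> List[Finding]:
    """expected_hosts maps service -> hosts sanctioned to use it (the assumed baseline).

    Check 1: a watched service used from a host outside its baseline (reported
    once per host/service). Check 2: daily upload volume per host/user/service
    above VOLUME_THRESHOLD, which catches bulk staging even from sanctioned hosts.
    """
    uploads: Dict[tuple, int] = defaultdict(int)
    findings: List[Finding] = []
    reported = set()
    for line in lines:
        if not line.strip():
            continue
        day, host, user, method, dest, size = parse_line(line)
        service = service_for(dest)
        if service is None:
            continue
        if host not in expected_hosts.get(service, set()) and (host, service) not in reported:
            reported.add((host, service))
            findings.append(Finding(host, user, service, "service not in baseline for host", size))
        if method in UPLOAD_METHODS:
            uploads[(day, host, user, service)] += size
    for (day, host, user, service), total in uploads.items():
        if total > VOLUME_THRESHOLD:
            findings.append(Finding(host, user, service,
                                    f"upload volume above threshold on {day}", total))
    return findings


# Constructed proxy records: sanctioned GitHub/Drive use from an engineering
# workstation, a large Dropbox upload and a Zoho upload from a finance host,
# and a small Yandex Disk upload from marketing.
SAMPLE_PROXY_LOG = """\
2024-06-03T09:12:01Z eng-ws-11 alice POST api.github.com 48213
2024-06-03T09:15:40Z eng-ws-11 alice GET drive.google.com 1200
2024-06-03T09:20:02Z fin-ws-07 bob PUT content.dropboxapi.com 734003200
2024-06-03T09:25:14Z fin-ws-07 bob POST workdrive.zoho.com 1048576
2024-06-03T10:01:33Z fin-ws-07 bob GET www.dropbox.com 5120
2024-06-03T11:40:00Z mkt-ws-03 carol POST disk.yandex.ru 2048
2024-06-03T12:00:00Z eng-ws-11 alice GET intranet.example.local 800
"""
EXPECTED_HOSTS = {"GitHub": {"eng-ws-11"}, "Google Drive": {"eng-ws-11"}}  # assumed baseline

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROXY_LOG.splitlines(), EXPECTED_HOSTS):
        print(f"{f.host:10} {f.user:6} {f.service:12} {f.reason} ({f.bytes_out} bytes)")
```

The baseline check is the one that surfaces a new provider such as Zoho on its first use, before any volume threshold is crossed; the volume check is what remains useful on hosts where a given service is sanctioned. Both are per host and per service on purpose, so that a finance workstation's first-ever Dropbox upload is visible even though engineering uses Dropbox every day.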
***
# Threat Actor: Sednit (APT28/Fancy Bear)
## Attribution & Identity
Russia-aligned cyberespionage group.
## Activity Summary
Frequently targeted webmail servers (Roundcube, Zimbra) via spearphishing involving known XSS vulnerabilities. Targeted governmental, academic, and defense-related entities worldwide.
## Tactics, Techniques & Procedures
- Spearphishing emails that trigger known XSS vulnerabilities in webmail servers (Roundcube, Zimbra).
## Targeting
- Sectors: Governmental, Academic, Defense-related entities.
- Geography: Worldwide.
- Victims: Global entities in the above sectors.
## Tools & Infrastructure
- Not specified beyond exploiting webmail vulnerabilities.
## Implications
Sednit remains a persistent, globally active threat focusing on high-value data available via accessible webmail interfaces.
## Mitigations
- Immediately patch all Roundcube and Zimbra installations; apply WAF rules to block known XSS patterns targeting webmail interfaces.
***
# Threat Actor: GreenCube (NEWLY NAMED RUSSIA-ALIGNED GROUP)
## Attribution & Identity
Newly named Russia-aligned group, distinct from Sednit, focusing on email theft.
## Activity Summary
Identified stealing email messages via XSS vulnerabilities present in Roundcube webmail installations.
## Tactics, Techniques & Procedures
- XSS exploitation of Roundcube to steal email messages.
## Targeting
- Sectors: Not specified (Implied high-value data targets due to email theft).
- Geography: Not specified.
- Victims: Not specified.
## Tools & Infrastructure
- Exploiting Roundcube XSS vulnerabilities.
## Implications
The emergence of a new, specialized group focused on email exfiltration via known webmail vulnerabilities highlights ongoing risk in this vector for organizations still running vulnerable webmail software.
## Mitigations
- Patch Roundcube immediately and ensure comprehensive monitoring for unusual data egress or session redirection associated with webmail logins.
***
# Threat Actor: Gamaredon
## Attribution & Identity
Russia-aligned threat actor focusing on Ukraine.
## Activity Summary
Deployed large spearphishing campaigns while reworking tools to abuse features within the Telegram and Signal messaging apps.
## Tactics, Techniques & Procedures
- Large-scale spearphishing.
- Reworked tooling that abuses features of the Telegram and Signal messaging apps.
## Targeting
- Sectors: Not specified.
- Geography: Ukraine.
- Victims: Entities in Ukraine.
## Tools & Infrastructure
- Abuse of Telegram and Signal messaging apps for operational functionality.
## Implications
Gamaredon continues to tailor its approach specifically toward the conflict zone, integrating common communication tools into its attack framework to bypass traditional security controls.
## Mitigations
- Enhance endpoint security solutions to recognize malicious behaviors even when spawned from trusted chat applications (Telegram/Signal).
***
# Threat Actor: Sandworm (Voodoo Bear)
## Attribution & Identity
Russia-aligned threat actor.
## Activity Summary
Utilized a new Windows backdoor named WrongSens, alongside advanced Linux malware (LOADGRIP and BIASBOAT). Also associated with Operation Texonto, a disinformation/psychological operation targeting Ukrainians and Russian dissidents.
## Tactics, Techniques & Procedures
- Deployment of new Windows backdoor (WrongSens).
- Use of advanced Linux malware (LOADGRIP, BIASBOAT).
- Conducting disinformation/psychological operations (Operation Texonto).
## Targeting
- Sectors: Not specified (Implied defense/government given stated focus).
- Geography: Ukraine (Primary activity focus); Russian dissidents (Secondary target of Op Texonto).
- Victims: Ukrainian targets; Russian dissidents.
## Tools & Infrastructure
- Malware: WrongSens (Windows backdoor), LOADGRIP (Linux malware), BIASBOAT (Linux malware).
## Implications
Sandworm demonstrates full-spectrum cyber warfare capability, combining destructive/espionage malware across Windows and Linux environments with psychological warfare tailored to the conflict.
## Mitigations
- Immediate deployment of detection signatures for WrongSens, LOADGRIP, and BIASBOAT.
- Develop incident response playbooks that account for disinformation/psychological impact alongside technical compromise.
***
# Threat Actor: FrostyNeighbor
## Attribution & Identity
Belarus-aligned APT group. Gained access likely through an Initial Access Broker (IAB) who compromised the Polish Anti-Doping Agency.
## Activity Summary
The group was linked to the public hack-and-leak of the Polish Anti-Doping Agency. They are known for cyber-enabled disinformation campaigns critical of NATO.
## Tactics, Techniques & Procedures
- Gained access via an Initial Access Broker.
- Conducts cyber-enabled disinformation campaigns.
## Targeting
- Sectors: Anti-Doping/Sports Governance (Initial compromise vector).
- Geography: Poland (the compromised Polish Anti-Doping Agency); disinformation campaigns critical of NATO.
- Victims: Polish Anti-Doping Agency (Compromised).
## Tools & Infrastructure
- Not specified, but access was brokered.
## Implications
Suggests ongoing coordination between IABs and state-aligned threat actors, where compromised organizational access is sold to actors pursuing strategic disinformation agendas against military alliances.
## Mitigations
- Increase scrutiny of any third-party providers or brokers involved during the initial access phase of security incidents.
***
# Threat Actor: APT-C-60
## Attribution & Identity
South Korea-aligned APT group.
## Activity Summary
Discovered leveraging an in-the-wild Remote Code Execution (RCE) exploit targeting WPS Office for Windows.
## Tactics, Techniques & Procedures
- Exploiting RCE vulnerability in WPS Office for Windows.
## Targeting
- Sectors: Not specified.
- Geography: Not specified (Likely South Korea interest given attribution).
- Victims: Users/organizations running WPS Office for Windows.
## Tools & Infrastructure
- Exploiting WPS Office RCE vulnerability.
## Implications
Indicates an active interest in exploiting zero-day/in-the-wild vulnerabilities in ubiquitous productivity software to gain an initial foothold.
## Mitigations
- Prioritize patching or removing vulnerable versions of WPS Office for Windows. Implement strict application control policies to limit execution from office software executables.
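Two mitigations on this page describe the same detection shape: the Kimsuky item calls for flagging execution chains that start from MMC files and end in system commands, and the APT-C-60 item calls for limiting what WPS Office executables are allowed to launch. The following is an added example, not code from ESET or from either group's tooling: it applies parent-child lineage rules to constructed Sysmon-style process-creation records. MMC saved-console files carry the `.msc` extension on Windows, and `mmc.exe` is the console host. The WPS Office executable names (`wps.exe`, `wpp.exe`, `et.exe`), the install path, the interpreter and LOLBin list, the user-writable path markers and all hostnames are assumptions to be checked against your own environment.

```python
"""Flag suspicious child processes of MMC and WPS Office in process-creation
telemetry (Sysmon Event ID 1 style records; constructed example)."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parent applications whose child-process activity is worth scrutinising.
# mmc.exe is the Microsoft Management Console host. wps.exe, wpp.exe and et.exe
# are assumed to be WPS Office's Writer, Presentation and Spreadsheets
# executables; confirm the names against your installed version.
WATCHED_PARENTS = {
    "mmc.exe": "MMC",
    "wps.exe": "WPS Office",
    "wpp.exe": "WPS Office",
    "et.exe": "WPS Office",
}
# Interpreters and commonly abused system binaries that neither parent should
# normally launch in day-to-day use (assumed list; tune to your baseline).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Path fragments typical of user-delivered files (downloads, temp, profile dirs).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    reason: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process_event(ev: dict) -> Optional[Finding]:
    """Apply the lineage rules to one process-creation record."""
    host = ev.get("host", "?")
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    # Rule 1: MMC opening a saved console (.msc) from a user-writable location,
    # i.e. a console file that arrived with the user rather than with Windows.
    if image == "mmc.exe" and ".msc" in cmd.lower() and _in_user_writable(cmd):
        return Finding(host, "MMC", "mmc.exe loading .msc from user-writable path", cmd)
    app = WATCHED_PARENTS.get(parent)
    if app is None:
        return None
    # Rule 2: a watched parent spawning an interpreter or LOLBin.
    if image in SUSPICIOUS_CHILDREN:
        return Finding(host, app, f"{parent} spawned {image}", cmd)
    # Rule 3: a watched parent spawning a binary that lives in a user-writable path.
    if _in_user_writable(ev.get("image", "")):
        return Finding(host, app, f"{parent} spawned binary from user-writable path",
                       ev.get("image", ""))
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_process_event over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_process_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed records: a downloaded .msc opened by MMC, MMC spawning cmd, an
# admin opening a built-in console, WPS Office spawning PowerShell and a Temp
# binary, and two unrelated events that should stay quiet.
_RAW_EVENTS = [
    {"host": "hr-ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Users\jdoe\Downloads\invoice_details.msc"'},
    {"host": "hr-ws-02", "parent_image": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo probe"},
    {"host": "it-admin-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "command_line": r"mmc.exe C:\Windows\System32\services.msc"},
    {"host": "sales-ws-09", "parent_image": r"C:\Program Files (x86)\WPS Office\wps.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"host": "sales-ws-09", "parent_image": r"C:\Program Files (x86)\WPS Office\wps.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "command_line": "update.exe"},
    {"host": "sales-ws-09", "parent_image": r"C:\Program Files\Microsoft Office\winword.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"host": "hr-ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _RAW_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:12} {f.app:11} {f.reason}: {f.detail}")
```

Rule 1 fires on the delivery step (a console file opened from a download location) and rules 2 and 3 on the execution step, so the chain is visible even if only one of the two records is retained. The Word-to-cmd record stays silent by design: Microsoft Office is outside the scope of this page, and the rule table is where you would add it.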
***
*(Note: Flax Typhoon attribution was not explicitly stated as China-aligned in the article excerpt, but grouped nearby; Generic Iran-aligned groups were summarized as a collective where specifics were tied to regions rather than a single name; Generic Russia-aligned groups were summarized under Sednit/GreenCube/Gamaredon/Sandworm as per specific activities mentioned.)*