Better the devil you know than the devil you don’t. The old adage holds true for cyberattacks. Kaspersky Labs have found that Advanced Persistent Threats (APT) were looming in the Asian region. What’s worrying is the less familiar threat actors which the researchers have little experience combating.
There have been a significant number of attackers who have targeted or timed their campaigns around sensitive geopolitical incidents.
Kaspersky laps are constantly uncovering new tools, techniques and campaigns being launched by APT groups, some of which have been dormant for years. Asia being a bustling business hub have been the epicentre of APTs over the past decade. Regional groups such as the Korean-speaking Lazarus and Scarcuft were humming with activities. Researchers also discovered an implant called LightNeuron that have been used by the Russian-speaking Turla to take Central Asia and the Middle East as prey.
The following are Kaspersky Lab’s log of global cyber-attacks.
The Olympic Destroyer makes a come back
Bad things come in pairs. Research suggests that the faceless actor responsible for Olympic Destroyer just might be the culprit for the latest Russian-speaking threat actor Sofacy. The Olympic Destroyer a potent malware that caused mass disruption in the 2018 Winter Olympics in Pyeonchang, made a comeback targeting financial organizations in Russia. It also attempted to attack biochemical threat prevention laboratories in Europe and Ukraine.
The Lazarus Group’s Cyberespionage Campaign
The Lazarus group also known as the BlueNoroff is one of the world’s most notorious cybercrime groups, made up of an unknown number of individuals. This high profile APT targeted several financial institutions in Turkey and casinos in Latin America, as part of a cyberespionage campaign. Despite the ongoing North Korean peace talks, these attacks suggests that the Lazarus Group is financially motivated.
Scarcruft the Relatively New but Potent APT
Researchers have recently observed a relatively high activity from the Scarcruft APT. This particular threat actor has taken victims from Russia, Nepal, South Korea, China, India, Kuwait and even Romania. They do this by using Android malware and launching an operation with new backdoor researchers named POORWEB.
Smell a Rat? It’s LuckyMouse APT.
LuckyMouse APT goes by APT 27. The ambiguity in name allowed the Chinese-speaking threat actor to abuse Asian Internet Service Providers (ISP). LuckyMouse APT launched a waterhole attack through high profile websites. The vicious attack targeted the website’s end users. By infecting the website, the APT is able to gain unauthorized access into the end user’s networks, and eventually their place of employment’s network.
The attacks were strife in Kazakh and Mongolian governmental entities. Unsurprisingly, the attacks were around the time when these governments had a meeting with the People’s Republic of China’s statesmen.
The VPNFilter Campaign
Domestic networking hardware and storage solutions were threatened by the VPNFilter campaign. The Campaign was uncovered by Cisco Talos and the FBI. The FBI attributes the VPNFilter campaign to Sofacy or Sandworm. [wtheck is sofacy and sandworm].
The threat can even inject malware into traffic in order to infect computers behind the infected networking device. Most worryingly, Kaspersky Lab’s analysis confirmed that traces of this campaign can be found in almost every single country.
Concluding Remarks
All in all, the second quarter of 2018 revealed interesting developments in APT activity. The threats received only confirm the fear of how destructive APT activity can be. Kaspersky advices that networking hardware is predisposed to targeted attacks. Furthermore, warnings regarding the
The Q2 APT Trends report summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com
The Q2 APT Trends summary report can be found on Securelist