State-sponsored threat actors linked to China, Iran, Russia and North Korea have been very busy in the past six months: report
Based on analyses of notable activities of selected advanced persistent threat (APT) groups documented between October 2023 and the end of March 2024 by researchers from its response and research teams, a cybersecurity firm has reported key trends in cyber warfare for that period.
October 2023 was the month of the Hamas-led attack on Israel, and it saw a significant increase in APT activity from Iran-aligned threat groups. Two groups, MuddyWater and Agrius, transitioned from their previous focus (on cyberespionage and ransomware, respectively) to more aggressive strategies involving access brokering and impact attacks.
Meanwhile, two other APT groups, OilRig and Ballistic Bobcat, slowed down their activities, suggesting a strategic shift toward more noticeable, “louder” operations aimed at Israel.
Other APT activity trends
In the telemetry data analyzed, other countries involved in APT attacks include:
- Russia: Groups aligned with the country have been found to focus their activities on espionage within the European Union and on attacks against Ukraine. One instance is the Operation Texonto campaign, a disinformation and psychological operation aimed at spreading false information about Russian election-related protests and the situation in Kharkiv, in eastern Ukraine, to foster uncertainty among Ukrainians domestically and abroad.
- China: Threat actors aligned with the country have been exploiting vulnerabilities in public-facing appliances, such as VPNs and firewalls, as well as in Confluence and Microsoft Exchange Server, for initial access to targets in multiple verticals. Based on the data leak from the Chinese security services company I-SOON (Anxun), there is evidence that the Chinese contractor is indeed engaged in cyberespionage, through activities traced to the “FishMonger group”. Also, a new China-aligned APT group, CeranaKeeper, has been noted, distinguished by unique traits and possibly connected with the Mustang Panda group.
- North Korea: Aligned groups have continued to target aerospace and defense firms and the cryptocurrency industry during the period of data analysis.
The APT analyses also included the exploitation of a zero-day vulnerability in Roundcube by Winter Vivern, a group assessed to be aligned with the interests of Belarus. Additionally, a campaign in the Middle East carried out by SturgeonPhisher has been linked to the APT interests of Kazakhstan.
According to Jean-Ian Boutin, Director of Threat Research at ESET, the firm that released the findings of its six-month telemetry analysis: “The targets of most of the campaigns were government organizations and certain verticals: for example, those targeted by continued and relentless attacks on Ukrainian infrastructure. Europe experienced a more diverse range of attacks from various threat actors. Russia-aligned groups strengthened their focus on espionage in the European Union, whereas China-aligned threat actors also maintained a consistent presence, indicating a continued interest in European affairs by both Russia- and China-aligned groups.”