More than seven geopolitically-motivated threat groups are on the prowl, and they take no prisoners in their increasingly aggressive agendas.

Hungry for intelligence and data, 2019 was a busy year for cybercriminals as they launched new attack tools, including spying through mobile malware to achieve their goal to steal information from government and military entities and organisations across the region.

The region is home to countries with very diverse ethnicities, political views, and economic development. This shapes the diversity of cyberattacks in Southeast Asia (SEA) and drives a regional arms race. What is common for most of the countries is the intent to develop capacity to launch cyberattacks.

Said Vitaly Kamluk, Director for Global Research and Analysis Team (GReAT) Asia Pacific, Kaspersky: “Advanced persistent threat (APT) attackers have been developing better tools, becoming more attribution-cautious, technically more advanced and eager to go for higher aims. Geopolitics is one of the main factors that shape the cyber threat landscape in Southeast Asia. A number of our investigations into APT attacks targeting the region last year showed the main attack motivation as being economical and geopolitical intelligence gathering. Inevitably the main victims are mostly government organisations, diplomatic entities, and political parties.”

Kaspersky had on 24 Feb unmasked the cybercriminal groups who operated and are still operating in Southeast Asia (SEA). Findings of the global cybersecurity company reveal a major trend in the SEA’s threat landscape—increased activity of major Advanced Persistent Threat (APT) groups waging sophisticated cyberespionage. Here are the main APT groups and the types of malware which defined the threat landscape in Southeast Asia in 2019 and until 2020.

(Targets in SEA: Myanmar, Singapore, Vietnam)

This HoneyMyte threat actor started a new spearphishing campaign in mid-2018 which continued through 2019 and targeted different government organisations from Central and SEA countries with victims also remotely located in other countries and regions. Among these remote victims, Kaspersky has detected entities based in Singapore to be targeted by this wave of attacks.

Government organizations of Myanmar and Vietnam were also among the main targets of HoneyMyte which uses malicious Lnk samples, PlugX, powershell and .Net malware.

(Targets in SEA: Malaysia, Philippines, Thailand, Vietnam)

This Chinese-language actor has been active for at least a few years and possesses different implants with various capabilities. Since mid-2018, researchers had seen continuing high activity from this threat actor and among their targets were a number of high-level government organizations as well as some political parties from various Asian countries including the Philippines, Thailand, Vietnam, and Malaysia.

The campaign comprises a number of cyber espionage tools with various capabilities. As of the latest monitoring of the global cybersecurity company, FunnyDream’s espionage attacks are still ongoing.

(Targets in SEA: Indonesia, Malaysia, Vietnam)

Platinum is one of the most technologically advanced APT actors with a traditional focus on the Asia Pacific (APAC) region. In 2019, Platinum used a new backdoor which was dubbed as “Titanium”, named after a password to one of the self-executable archives.

Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software—protection related, soundchip-driver software, and DVD video creation tools.

Diplomatic and government entities from Indonesia, Malaysia, and Vietnam were identified among the victims of this new sophisticated backdoor discovered from the Platinum actor.

(Targets in SEA: Laos, Philippines, Thailand, Vietnam)

Another APT group which targeted SEA countries in 2019 was the Chinese-speaking actor called “Cycldek”. Although the main targets of Cycldek’s new activities suggest extensive foothold in government networks in Vietnam and Laos, Kaspersky has also observed 3% of the group’s targets were from Thailand. The global cybersecurity company has also identified one victim in the Philippines during its 2018-2019 wave of attacks.

Cycldeck is also known as Goblin Panda and is infamous for conducting information theft and espionage across the government, defence, and energy sectors in the region using PlugX and HttpTunnel malware variants.

(Targets in SEA: Indonesia, Myanmar, Vietnam)

FinSpy is spyware for Windows, macOS, and Linux that is sold legally. It can be installed on both iOS and Android with the same set of functions available for each platform. The app gives an attacker almost total control over the data on an infected device.

The malware can be configured individually for each victim and in such a way that provides the attack mastermind with detailed information about the user, including contacts, call history, geolocation, texts, calendar events, and more. It can also record voice and VoIP calls, and intercept instant messages.

It has the ability to eavesdrop on many communication services — WhatsApp, WeChat, Viber, Skype, Line, Telegram, as well as Signal and Threema. Besides messages, FinSpy extracts files sent and received by victims in messaging apps, as well as data about groups and contacts.

In early 2019, Kaspersky has reported about the new version of FinSpy iOS implant and later in the year detected new Android implant from this cyberespionage solution provider in the wild and another RCS (Remote Control System) implant from another company providing cyber-espionage solutions.

According to Kaspersky’s telemetry, individuals in Indonesia, Myanmar, and Vietnam were found among the targets of these two types of malware.

(Targets in SEA: Indonesia, Malaysia, Vietnam)

Another mobile malware which affected several nations in SEA is PhantomLance, a long-term espionage campaign with spyware trojans for Android deployed in different application markets including Google Play. After discovering samples, Kaspersky has informed Google which has removed it as well.

RCS (Remote Control System) developed by a company providing cyber-espionage solutions were both found targeting Indonesian, Malaysian, and Vietnamese entities.

(Targets in SEA: Malaysia, Thailand)

Zebrocy is a Russian-centric APT which initially shared limited infrastructure, targets, and interests with Sofacy. Zebrocy also shared malware code with past BlackEnergy/Sandworm; and targeting, and later very limited infrastructure with more recent BlackEnergy/GreyEnergy.

The group’s Nimcy backdoor developed in Nimrod/Nim programming language targeted Malaysian and Thai entities. Nimcy is the new addition to Zebrocy’s collection of languages to develop their main functionalities in new backdoors.

Watching HoneyMyte like a bee

Among all the APTs presented here, the HoneyMyte APT has been active in the region and Singapore for several years. The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore.

Last year, the group targeted government organisations related to natural resource management in Myanmar and a major continental African organisation, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a military organisation in Bangladesh, it is possible that the individual targets were related to geo-political activity in the region.

Said Yeo Siang Tiong, General Manager for Southeast Asia, Kaspersky: “There is much to be gained by targeting multinationals and diplomatic institutions that have set up their base of operations in Singapore, and our findings on the threat landscape in Singapore and SEA last year revealed a glaring need for both public and private institutions to beef up their cybersecurity capabilities. Cybercriminal groups like the ones listed above employ covert infiltration schemes and attack methods, and cybersecurity measures need to go beyond the usual anti-virus and firewall solutions. We advocate information sharing in the industry, like the intelligence-sharing pact we renewed last year with the INTERPOL, as we believe that cooperation is the best way to get the upper hand against these cyberespionage groups.”