Russia-affiliated APT groups, including Sandworm, continue their attacks against Ukraine with wipers and ransomware
ESET, a global leader in the cybersecurity market, today published the ESET APT Activity Report T3, covering the period September-December 2022, with the aim of providing a periodic analysis of ESET's research on the activities of APT (advanced persistent threat) groups.
During this period, Russian-backed APT groups continued to be particularly involved in operations targeting Ukraine, distributing destructive wipers and ransomware. Goblin Panda, a pro-Chinese group, has begun to replicate Mustang Panda's interest in European countries. Iran-affiliated groups also continued to operate at a high pace.
In Ukraine, ESET spotted the infamous Sandworm group, which used a previously unknown wiper against an energy company. APT groups are usually run by entities sponsored by a state or nation. The described attack occurred in October, around the same time that the Russian military began launching missile attacks on energy infrastructure. While ESET is unable to prove that these events were coordinated, this suggests that Sandworm and the Russian military have related objectives.
ESET has named the latest wiper in a series of previously discovered wipers NikoWiper; it was used against an energy company in Ukraine in October 2022. NikoWiper is based on SDelete, a command-line utility from Microsoft used for securely deleting files. In addition to data-wiping malware, ESET has discovered Sandworm attacks that use ransomware as a wiper. In these attacks, although ransomware was used, the end goal was the same as with wipers: data destruction. Unlike traditional ransomware attacks, Sandworm operators do not intend to provide a decryption key.
In October 2022, ESET identified Prestige ransomware being used against logistics companies in Ukraine and Poland. In November, ESET discovered new ransomware in Ukraine, written in .NET and named RansomBoggs. ESET Research publicly reported this campaign via Twitter. In addition to Sandworm, other Russian APT groups such as Callisto and Gamaredon have continued their spearphishing campaigns against Ukraine to steal credentials and install implants.
ESET researchers also identified a MirrorFace spearphishing campaign targeting political entities in Japan and noted a gradual change in the targeting of some China-aligned groups: Goblin Panda has started to replicate Mustang Panda's interest in European countries. Last November, ESET discovered a new Goblin Panda backdoor, called TurboSlate, in a European Union government organization. Mustang Panda continued to target European organizations as well. Last September, ESET researchers detected a Korplug loader used by Mustang Panda in a Swiss energy and engineering organization.
Groups affiliated with Iran also continued their attacks: in addition to Israeli companies, POLONIUM also began targeting foreign branches of Israeli companies, while MuddyWater has likely compromised a managed security service provider.
Groups close to North Korea have used old exploits to compromise companies and cryptocurrency exchanges in various parts of the world. Interestingly, Konni has expanded the repertoire of languages used in its decoy documents to include English, meaning it may not be targeting its usual Russian and South Korean targets.
For further technical information, consult the full version of the ESET APT Activity Report on WeLiveSecurity.
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers. ESET produces in-depth technical reports and frequent updates on the activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations charged with protecting citizens, critical national infrastructure and high-value assets from criminal and nation-state-directed cyber-attacks. More information on ESET APT Reports PREMIUM, which provides high-quality information on strategic and tactical cybersecurity threats, can be found at ESET Threat Intelligence.