The report analyzes the activities of APT groups from April to September 2023. Highlighting the campaigns of pro-Chinese groups in the EU and the evolution of the Russian-Ukrainian cyber-war. Exploited WinRAR vulnerabilities in Microsoft Exchange and IIS servers. New groups close to China discovered
ESET, a global European leader in the cybersecurity market, has published the latest report on the activities of the APT (Advanced Persistent Threat) groups analyzed by researchers between April and September of this year. In particular, ESET Research has observed several APT groups exploiting known vulnerabilities to exfiltrate data from government agencies or related organizations. The report analyzes the persistent campaigns of China-aligned groups in the European Union and the evolution of Russia's cyber-war in Ukraine which is moving from sabotage towards espionage.
The pro-Russian Sednit and Sandworm, the North Korea-aligned Konni, and the geographically unattributable Winter Vivern and SturgeonPhisher took the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various government organizations, not only in Ukraine but also in Europe and Asia central. As for China-affiliated threat actors, GALLIUM has likely exploited vulnerabilities in Microsoft Exchange or IIS servers, extending its target from telecom operators to government organizations around the world. MirrorFace likely took advantage of flaws in the online storage service Proself, and TA410 is alleged to have exploited vulnerabilities in the Adobe ColdFusion application server.
Iran- and Middle East-aligned groups continued to operate at full speed, focusing primarily on espionage and theft of data from organizations in Israel. Notably, Iran-affiliated MuddyWater also targeted an unknown target in Saudi Arabia, deploying a payload that raises the possibility that the attacker serves as a development team for a more advanced group.
The main target of the Russian-aligned groups remained Ukraine, where ESET detected new versions of the familiar wipers RoarBat and NikoWiper and a new wiper that was named SharpNikoWiper, all distributed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF and SturgeonPhisher – target Telegram users to try to exfiltrate information, or at least some Telegram-related metadata, Sandworm actively uses this service in order to publicize its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly improved its data collection capabilities, reworking existing tools and implementing new ones.
North Korea-aligned groups continued to focus on Japan, South Korea, and organizations in the country, using carefully crafted spear phishing emails. The most active Lazarus scheme observed is Operation DreamJob, which lured targets with fake job offers for lucrative positions. This group has demonstrated the ability to create malware for all major desktop platforms.
Finally, ESET researchers uncovered the activities of three previously unidentified China-aligned groups: DigitalRecyclers, which repeatedly compromised a government organization in the EU; TheWizards, which conducted adversary-in-the-middle attacks, and PerplexedGoblin, which targeted another government organization in the EU.
ESET APT Activity Reports contain only a portion of the cybersecurity intelligence data provided to customers. ESET produces in-depth technical reports and frequent updates on the activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations tasked with protecting citizens, national critical infrastructure and high-value assets from criminal and nation-state-directed cyberattacks. Detailed information on the tasks described in this document has therefore previously been provided exclusively to ESET Premium customers. Further information on ESET APT PREMIUM Reports, which provide high-quality information on strategic and tactical cybersecurity threats, is available at ESET Threat Intelligence.
