The report summarizes the activities of the APT groups in the period April-September 2024
ESET, a global European leader in the cybersecurity market, has published the ESET APT Activity Report, which summarizes the most relevant activities of groups specialized in Advanced Persistent Threats (APTs) documented between April and the end of September 2024.
ESET has observed a significant expansion in the targeting of the China-aligned group MirrorFace. Usually focused on Japanese entities, it extended its operations to a diplomatic organization in the European Union for the first time, while continuing to maintain its focus on targets in Japan. Additionally, China-aligned APT groups are increasingly using the open-source, cross-platform SoftEther VPN to maintain access to victims' networks. Researchers have also detected signs that Iranian groups are leveraging their cyber capabilities to support diplomatic espionage and, potentially, kinetic operations.
"Regarding China-aligned threat groups, we have detected extensive use of the SoftEther VPN by Flax Typhoon, we have observed Webworm move from its full backdoor to the use of SoftEther VPN Bridge on machines belonging to government organizations in the EU, and we have seen GALLIUM deploy SoftEther VPN servers at telecom operators in Africa," says Jean-Ian Boutin, Director of Threat Research at ESET. "For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several threat actors aligned with China, North Korea and Russia. Many of these groups are particularly focused on government entities and the defense sector," he adds.
Iran-aligned groups, meanwhile, have compromised several financial services companies in Africa, a continent of geopolitical importance to Iran, conducted cyber espionage operations against Iraq and Azerbaijan, neighboring countries with which Iran has complex relations, and intensified their interest in Israel's transportation sector. Despite this apparent geographic concentration, Iranian groups maintain a global focus, targeting diplomatic missions in France and educational institutions in the United States.
North Korea-aligned threat actors have continued their attempts to steal funds, both in traditional currencies and cryptocurrencies. We have observed these groups continuing attacks against defense and aerospace companies in Europe and the United States, and targeting cryptocurrency developers, think tanks and NGOs. One of these groups, Kimsuky, began exploiting Microsoft Management Console files, which are usually used by system administrators but are capable of executing any command on Windows. Additionally, several North Korea-aligned groups have frequently abused popular cloud-based services.
Finally, ESET Research found that Russia-aligned cyberespionage groups frequently target webmail servers, such as Roundcube and Zimbra, usually with spearphishing emails that trigger known XSS vulnerabilities. In addition to Sednit, which targets government, academic and defense-related entities around the world, ESET has identified another Russian group, GreenCube, which steals email messages via XSS vulnerabilities in Roundcube. Other Russia-aligned groups continue to focus on Ukraine, with Gamaredon having deployed massive spearphishing campaigns and updated its tools, which also make use of messaging apps such as Telegram and Signal. Additionally, Sandworm used a new backdoor for Windows called WrongSens. ESET also analyzed the public hack and data leak of the Polish Anti-Doping Agency, likely compromised by a broker who shared access with the Belarus-aligned APT group FrostyNeighbor, which is involved in disinformation campaigns against NATO.
In Asia, ESET noted that campaigns continue to focus primarily on government organizations. However, an increase in attacks on the education sector has been noted, particularly against researchers and academics from the Korean Peninsula and Southeast Asia. This shift is driven by threat actors aligned with the interests of China and North Korea. Lazarus, one of the North Korea-aligned groups, has continued to target organizations around the world in the financial and technology sectors. In the Middle East, several Iranian APT groups continued to target government organizations, with Israel as the most targeted country.
Over the past two decades, Africa has become an important geopolitical partner for China, and China-aligned groups have been observed expanding their activities on that continent. In Ukraine, Russia-aligned groups remained the most active, hitting government bodies, the defense sector and essential services such as energy, water and heating hard.
The highlighted operations represent a cross-section of the threat landscape that ESET has analyzed in this period.
ESET solutions protect our customers' systems from the malicious activities described in the report. The information shared here is primarily based on ESET's proprietary telemetry data. Threat intelligence analyses, known as ESET APT Reports PREMIUM, help organizations tasked with protecting citizens, national critical infrastructure and high-value assets from criminally motivated, nation-state-directed cyber attacks. More information about ESET APT Reports PREMIUM, and its offering of high-quality, strategic, tactical and actionable information on cybersecurity threats, can be found at ESET Threat Intelligence.