State-Backed Cyber Attacks Do Not Slow Down


According to the ESET researchers' report, Russia-linked APT groups continued to take part in operations specifically targeting Ukraine during the period covered, deploying destructive data wipers and ransomware. Goblin Panda, a China-aligned group, began to mirror Mustang Panda's interest in European countries. Iran-linked groups also remained highly active. Alongside Sandworm, other Russian APT groups such as Callisto and Gamaredon continued their phishing campaigns against targets in Eastern Europe.

The highlights of the ESET APT Activity Report are as follows:

ESET detected the notorious Sandworm group using previously unknown data-wiping malware against a company in Ukraine's energy sector. APT operations are typically carried out by state or state-sponsored actors. The attack coincided with the Russian armed forces' missile strikes on energy infrastructure in October. While ESET cannot prove that these attacks were coordinated, it assesses that Sandworm and the Russian military share the same objective.

ESET named the latest wiper in this series NikoWiper. It was used against a company operating in Ukraine's energy sector in October 2022. NikoWiper is based on SDelete, a Microsoft Sysinternals command-line utility for securely deleting files. In addition to data-wiping malware, ESET discovered Sandworm attacks that use ransomware as a wiper. Although ransomware is deployed in these attacks, the primary purpose is to destroy data: unlike in common ransomware attacks, the Sandworm operators do not provide a decryption key.

In October 2022, ESET detected the Prestige ransomware being used against logistics companies in Ukraine and Poland. In November 2022, new ransomware written in .NET, called RansomBoggs, was discovered in Ukraine; ESET Research disclosed this campaign on its Twitter account. Alongside Sandworm, other Russian APT groups such as Callisto and Gamaredon continued their Ukraine-targeted phishing attacks to steal credentials and deploy implants.

ESET researchers also detected a MirrorFace spearphishing attack targeting politicians in Japan, and observed a shift in the targeting of some China-aligned groups: Goblin Panda has begun to mirror Mustang Panda's interest in European countries. In November, ESET discovered a new Goblin Panda backdoor, which it calls TurboSlate, at a government organization in the European Union. Mustang Panda also continued to target European organizations; in September, a Korplug loader used by Mustang Panda was identified at a company in the energy and engineering sector in Switzerland.

Iran-linked groups also continued their attacks: POLONIUM began targeting Israeli companies as well as their foreign subsidiaries, and MuddyWater likely compromised a managed security service provider.

North Korea-linked groups used old security vulnerabilities to compromise cryptocurrency companies and exchanges around the world. Interestingly, Konni expanded the languages used in its decoy documents, adding English to its list, which could mean it is no longer focusing only on its usual Russian and South Korean targets.
