ESET reports cyberthreats to Ukraine by Russian APT

Cybersecurity company ESET released its latest APT Activity Report, shedding light on coordinated cyberthreats across the globe in 2022. Advanced Persistent Threats, or APTs, are broadly defined as targeted cyberattacks carried out by a single person or a coordinated team over a long period of time. Typically, the objective is to obtain sensitive data from the target, such as intellectual property or financial details, or to take over a website or even carry out sabotage. The report compiles data from the period from September to December 2022 analyzed by ESET researchers.

[Image 1: ESET reports on APT threats for the end of 2022.]

Ukraine targeted by new malware from Russian APT Sandworm

During this period, the most notable cyberattack campaigns observed were perpetrated by Russian-aligned APTs targeting Ukraine. The most prominent was an attack by the APT group Sandworm in October targeting an energy sector company in Ukraine. Sandworm used a previously unknown wiper for the attack, a type of malware that deletes all the files on affected hard drives. ESET has named this wiper NikoWiper and found it to be based on SDelete, Microsoft's command-line utility for secure file deletion.

[Image 2: Cyberattacks on the Ukrainian energy sector linked to Russian-aligned APT Sandworm. Image source: Bleeping Computer]

The Sandworm attack against the Ukrainian energy company in October 2022 took place in the same period as Russian military attacks. Russian forces launched missile strikes targeted at energy infrastructure too, suggesting some form of coordination and shared objectives. While ESET does not have evidence of this coordination, its report notes that APT groups are known to be operated by nation-state or state-sponsored threat actors.

More ransomware attacks and spearphishing campaigns

ESET reports that Sandworm also used ransomware in the same attack, with the final objective appearing to be data loss or destruction. In this case, the ransomware was used to lock the files on company computers, but Sandworm did not offer the decryption key for a ransom as in a typical ransomware attack. More ransomware attacks were observed in this period, with the Prestige ransomware, associated with the Russia-based threat actor IRIDIUM, deployed against logistics companies in Poland and Ukraine. Also in October, ESET discovered and reported on Twitter a new ransomware in Ukraine written in .NET, which it named RansomBoggs. Other Russian APTs such as Callisto and Gamaredon conducted spearphishing campaigns in Ukraine. These are email or other communication-based scams intended to steal credentials or other sensitive information.

[Image 3: China-based APTs Goblin Panda and Mustang Panda beginning to target European countries. Image source: SOCradar]

China-based APTs target the EU, and other global cyberthreats

Cyberthreats were reported in other parts of the world as well. The China-based APT Goblin Panda, which typically targets the United States, has recently begun targeting European countries, a similar trend to that seen in another Chinese APT, Mustang Panda. A Goblin Panda backdoor, named TurboSlate by ESET, was found in a government organisation in the European Union. Similarly, in Switzerland, ESET detected a Korplug loader used by Mustang Panda in an energy and engineering organisation. In Iran, the APT POLONIUM has targeted both Iranian companies and their foreign subsidiaries, while the APT MuddyWater had likely compromised a security service provider. Cryptocurrency firms and crypto exchanges worldwide continued to have bad luck, as North Korean APTs were detected targeting them with old exploits.

For full details on ESET's findings, the APT Activity Report for T3 2022 can be found on WeLiveSecurity here.
