Cyber war is accelerating: Russia and China are on the attack!

Cyber security company ESET published its APT Activity Report, which summarizes the activities of advanced persistent threat (APT) groups between April and September 2023. The report, based on data monitored, researched and analyzed by ESET researchers, draws attention to the persistent attacks of China-linked groups in the European Union and the transformation of Russia’s cyber war against Ukraine from sabotage to espionage.

In its report, ESET Research observed that various APT groups exploit known security vulnerabilities to leak data from government agencies or related organizations.

Russia-linked Sednit and Sandworm, North Korea-linked Konni, and the geographically unattributed Winter Vivern and SturgeonPhisher groups exploited vulnerabilities in WinRAR (Sednit, SturgeonPhisher and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern) and Outlook for Windows (Sednit) to target various government organizations not only in Ukraine but also in Europe and Central Asia.

Regarding China-linked threat actors, GALLIUM has expanded its targeting from telecommunications carriers to government organizations worldwide, possibly by exploiting vulnerabilities in Microsoft Exchange or IIS servers. MirrorFace presumably exploited vulnerabilities in the Proself online storage service, while TA410 exploited vulnerabilities in the Adobe ColdFusion application server.

Iranian and Middle East-affiliated groups maintained a high volume of activity, focusing primarily on espionage and data theft from organizations in Israel. Notably, the fact that Iran-affiliated MuddyWater also targeted an unidentified organization in Saudi Arabia suggests the possibility that this threat actor may serve as an outreach team for a more advanced group.

The main target of Russia-linked groups has been Ukraine, where new versions of the existing RoarBat and NikoWiper wipers and a new wiper called SharpNikoWiper have been discovered, all used by Sandworm.

While other groups such as Gamaredon, GREF and SturgeonPhisher target Telegram users to leak information, or at least some Telegram-related metadata, Sandworm consistently uses the service for active measures and to advertise its cyber sabotage operations. The most active group in Ukraine, however, is Gamaredon, which has significantly increased its data collection capabilities by redeveloping existing tools and introducing new ones.

North Korea-affiliated groups continued to target Japan, South Korea, and South Korea-focused organizations using phishing emails against carefully selected targets. The most active Lazarus campaign observed was Operation DreamJob, which lured targets with fake job offers for lucrative positions. This group has consistently demonstrated the ability to create malware for all major desktop platforms.

ESET researchers uncovered the operations of three previously unidentified China-linked groups: DigitalRecyclers, which repeatedly compromised a government organization in the EU; TheWizards, which conducted adversary-in-the-middle attacks; and PerplexedGoblin, which targeted another government organization in the EU.