High levels of advanced persistent threat (APT) group activity from Russia, China, Iran and North Korea have continued since the Russian invasion of Ukraine, according to the ESET APT Activity Report T2 2022.
ESET researchers analyzed cyber activities of many of these groups, which are usually operated by a nation-state or by state-sponsored actors, during the period May to August 2022. Their activities are generally undertaken for the purposes of harvesting sensitive data from governments, high-profile individuals or strategic companies.
Jean-Ian Boutin, director of ESET Threat Research, told Infosecurity that while APT groups aligned with the four countries are continuing to be highly active, there have been no signs of coordination between these regions.
“We have not seen signs of collaboration between groups that have a different country alignment. They sometimes target the same organizations, but we have no evidence that they are collaborating. We believe that in those cases, they have similar goals and thus, overlapping targets,” he commented.
Russia
Unsurprisingly, Russia-aligned APT groups were particularly active in targeting Ukraine over the four-month period. One of the most “continuously active” was Gamaredon, which the report noted has been prominent in targeting Ukrainian government entities throughout 2022. This group “constantly modifies its tools to evade detection mechanisms,” said the report, and has recently started to use a third-party service, ip-api.com, for resolving IP addresses of its C&C servers instead of regular DNS.
Other Russia-aligned APT groups highlighted for their role in targeting Ukraine over this period included Sandworm, InvisiMole, Callisto and Turla. Sandworm, which ESET linked to an attempt to deploy a new version of the Industroyer malware against high-voltage electrical substations in Ukraine in April 2022, has since used the ArguePatch loader to launch payloads such as CaddyWiper. This has impacted at least three Ukrainian organizations, two of which were local governments, said the report.
ESET believes Sandworm is using the messaging platform Telegram to leak information stolen during CaddyWiper campaigns, an approach increasingly being taken by other Russia-aligned APT actors.
“We have noticed that in T2 2022, several Russia-aligned groups used the Russian multiplatform messaging service Telegram to access C&C servers or as an instrument to leak information. Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft,” commented Boutin.
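Both techniques mentioned above, resolving C&C addresses through ip-api.com instead of DNS (Gamaredon) and using Telegram to reach C&C servers or leak data, leave a footprint in web proxy logs that is easy to hunt for. The following is an added example, not code from the ESET report or from Infosecurity: a small Python scanner that runs over constructed proxy log lines and flags (a) ip-api.com lookups whose JSON query is a hostname rather than an IP address, which is the service behaving as a DNS substitute, and (b) Telegram Bot API calls, separating polling methods (getUpdates/getMe, how a client receives tasking) from upload methods (sendDocument/sendMessage, how data leaves). The log format `<timestamp> <client_ip> <method> <url> <status>` and every address in the sample are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed proxy log lines for illustration only (not from the ESET report).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>", one request per line.
SAMPLE_PROXY_LOG = """\
2022-06-14T08:01:12Z 10.20.1.17 GET http://ip-api.com/json/update-srv.example.net 200
2022-06-14T08:01:14Z 10.20.1.17 GET http://ip-api.com/json/8.8.8.8 200
2022-06-14T08:03:40Z 10.20.1.42 GET https://www.example.com/ 200
2022-06-14T08:05:02Z 10.20.1.17 GET https://api.telegram.org/bot123456789:AAEexampleTokenValue/getUpdates 200
2022-06-14T08:06:00Z 10.20.1.9 GET http://ip-api.com/json/ 200
2022-06-14T08:07:11Z 10.20.1.42 POST https://api.telegram.org/bot987654321:BBFexampleTokenValue/sendDocument 200
2022-06-14T08:09:30Z 10.20.1.9 GET https://t.me/somechannel 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Telegram Bot API paths look like /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<api_method>[A-Za-z]+)")

TELEGRAM_TASKING = {"getUpdates", "getMe"}            # client pulls commands
TELEGRAM_EXFIL = {"sendDocument", "sendMessage", "sendPhoto"}  # client pushes data out


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_request(client, method, url):
    """Return a finding dict for one request, or None if it is uninteresting."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"

    if host == "ip-api.com":
        parts = path.strip("/").split("/")        # e.g. ["json", "name"] or ["json"]
        query = parts[1] if len(parts) > 1 else ""
        if query and not _is_ip(query):
            # A hostname in the query means the caller wants ip-api.com to resolve it:
            # DNS resolution without a DNS packet ever leaving the host.
            return {"client": client, "kind": "ip-api.com hostname resolution",
                    "detail": query, "severity": "high"}
        return {"client": client, "kind": "ip-api.com geolocation lookup",
                "detail": query or "<self>", "severity": "low"}

    if host == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(path)
        if m:
            api_method = m.group("api_method")
            if api_method in TELEGRAM_TASKING:
                kind, sev = "telegram bot API polling (possible C&C tasking)", "high"
            elif api_method in TELEGRAM_EXFIL:
                kind, sev = "telegram bot API upload (possible exfiltration)", "high"
            else:
                kind, sev = "telegram bot API call", "medium"
            bot_id = m.group("token").split(":")[0]   # keep the bot id, drop the secret
            return {"client": client, "kind": kind,
                    "detail": f"bot {bot_id} {api_method}", "severity": sev}
        return {"client": client, "kind": "telegram API access",
                "detail": path, "severity": "medium"}

    return None


def scan_proxy_log(text):
    """Parse the log text and return the list of findings in log order."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # skip malformed lines rather than crash
        finding = classify_request(m["client"], m["method"], m["url"])
        if finding:
            finding["ts"] = m["ts"]
            findings.append(finding)
    return findings


def clients_with_both(findings):
    """Clients that both resolved a hostname via ip-api.com and used the Telegram Bot API."""
    resolved = {f["client"] for f in findings if f["kind"].startswith("ip-api.com hostname")}
    telegram = {f["client"] for f in findings if f["kind"].startswith("telegram bot API")}
    return sorted(resolved & telegram)


if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in results:
        print(f"{f['ts']} {f['client']:<12} {f['severity']:<6} {f['kind']}: {f['detail']}")
    print("clients showing both behaviours:", clients_with_both(results))
```

A plain `ip-api.com/json/` call with no query (or with an IP address) is ordinary geolocation traffic that legitimate software also generates, so it is scored low; the combination of a hostname lookup and Bot API polling from the same client is what deserves a ticket. Real bot tokens are longer than the placeholders above, and the secret half is dropped from the output so the findings can be shared without it.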
Despite the continued attacks, Boutin, speaking exclusively to Infosecurity, noted “a slow-down in the operations of threat actors targeting Ukrainian organizations.”
He explained: “In the first few months of the war, we were seeing more attacks using various wiper families targeting a wider array of organizations. In the past few months, we saw wiper campaigns as well, but mostly using CaddyWiper and on a much slower cadence than at the beginning of the conflict.”