Monthly Threat Actor Groups Intelligence Report, January 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from December 21, 2018 to January 20, 2019.

1. SectorA Activity Features

A total of three hacking groups were found to be active in SectorA. While their modus operandi had been constant for the past few months, some of it has changed this time.

SectorA01 is still concentrating on financial crime using malware in countries such as Africa, Southeast Asia, and South America for financial gain.

SectorA02 and SectorA05 groups are concentrating on hacking activities aimed at stealing information related to foreign policy of South Korea, and their malware continues to be found in government agencies within South Korea.

But little by little, these hacking groups supported by SectorA have been changing their malware and hacking techniques since 2018. For example, besides their using their usual spear phishing with Hangul Word Processor (HWP) files, they have also started to use phishing with malicious scripts instead as well.

From the hacking activities by SectorA to date, we believe they will continue their activities related to financial crime and espionage aimed at South Korean government agencies.

2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of two hacking groups activity were found to be active. Targets were found in Central Asia including Kazakhstan and East Asia including South Korea.

Groups that were active continued to use spear phishing with Microsoft Word files containing Macros , and also included the use of code execution vulnerabilities in Microsoft Office software.

From the hacking activities by SectorB to date, we believe that their targets will continue to include European and Oceanian countries for the purpose of stealing high-tech information.

3. SectorC Activity Features

SectorC targets included countries in Eastern Europe including Ukraine, Poland, Macedonia, and North America including the United States. Three hacking groups were found to be active.

Although hacking groups supported by SectorC have the characteristics of having very fast technological and strategic changes, but their malware continues to have identifying characteristics of previous versions.

Their activities in Eastern Europe seem to be aimed at stealing information on military activities related to the North Atlantic Treaty Organization (NATO) and their activities in North America seem to be aimed at stealing information related to government activities.

Since SectorC is currently engaged in hacking activities in Eastern Europe and North America, it seems likely that their political and military related espionage will continue in those regions.

4. SectorD Activity Features

SectorD targets included Europe including Belarus, Ukraine, and Sweden, East Asia including South Korea, and the Middle East centering on Saudi Arabia, Turkey, and Oman. Two hacking groups were found to be active.

Outside of the Middle East, their purpose seem to be to steal diplomatic related information from countries with political and economic cooperation with other countries in the Middle East, such as Europe and East Asia. In particular, South Korea recently had diplomatic gains in which it agreed to cooperate in seven areas through summit talks with Qatar.

Hacking techniques used by SectorD continue to include spear phishing with Microsoft Word files which contains malicious macro functions.

Based on their hacking activities so far, it seems that SectorD is starting to expand its scope to include hacking countries with political and economic cooperating with Middle Eastern countries, rather than solely targeting countries in the Middle East.

5. SectorE Activity Features

SectorE targets included Pakistan like before, but this time included East Asia including China, Hong Kong, and South Korea. Two hacking groups were found to be active.

We believe that the wider range of hacking activities by SectorE groups are aimed at stealing information on economic and policy activities of the respective governments in East Asia. China is in the process of implementing “One Belt, One Road” in Southeast Asia, and South Korea and Russia are countries known to be exporting military arms to SectorE.

Hacking techniques used by SectorE continue to include spear phishing with Microsoft Word files which exploit known code execution vulnerabilities.

Based on their hacking activities so far, it seems that SectorE is targeting countries for the purpose of stealing information related to economic and foreign policy, and targeting Pakistan for politically motivated purposes.

6. SectorF Activity Features

SectorF targets were in Southeast Asia including Vietnam. Similar to November and December 2018, their purpose seems to be stealing information related to political activities from special-purpose personnel operating inside the countries of Southeast Asia.

The hacking techniques used by SectorF groups are using Spear Phishing with links to download malicious Microsoft Word files. Depending on the target, they choose to use code execution vulnerabilities or embed malicious macros in the Microsoft Word file.

From their hacking activities in the last three months, it seems that SectorF will continue to target special-purpose personnel in Vietnam and they will continue using other kinds of hacking techniques such as Watering Hole attacks as well.

7. SectorH Activity Features

SectorH seems to have a contractual relationship for a particular purpose rather than serving as a government organization of a particular country. Their recent hacking activities are extensive, ranging from Northern European countries including Lithuania to East Asian countries including China and South Korea.

However, it seems that the group is more focused on Cyber Crime activities to steal financial information based on their hacking techniques and malware, and only carries out hacking activities for stealing information related to political, economic and diplomatic government activity on an ad hoc basis.

Based on their hacking activities so far which has very different purposes and interests depending on the target, we will need to continue observing their hacking activity in order to have enough confidence to judge their primary purpose.

The full report detailing each event together with IOCs and recommendations is available to existing NSHC ThreatRecon customers.