Monthly Threat Actor Group Intelligence Report, April 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from March 21 to April 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA06, were found among SectorA hacking groups this April.

The scope of activity for SectorA groups found in April is much larger than in the past. Previously, their targets were mainly in East Asia and North America, but they now include many more targets around the world. Traces of hacking activities have been found in the Middle East, including Israel, Turkey and Palestine; East Asia, including China and South Korea; Eastern Europe, including Ukraine and Slovenia; Southeast Asia, including Sri Lanka and Vietnam; and North America, including the United States.

The techniques observed in their hacking activities were basically Spear Phishing, using a Hangul Word Processor (HWP) file or a Microsoft Word file depending on the target person or organization. We also observed them using the recently discovered WinRAR vulnerability. In addition, a case of a Watering Hole attack was found.

For targets in East Asia, including South Korea, their aim was stealing information related to politics and diplomacy, as well as financial information, represented by virtual currencies. Elsewhere, they were concerned with stealing information on military weapons and diplomatic information from countries engaged in diplomatic activities related to SectorA.

The scope of these hacking activities is expected to keep expanding, as SectorA hacking groups carry them out to steal military, diplomatic, political and financial information.

2. SectorB Activity Features

A total of three hacking groups, SectorB01, SectorB06, and SectorB10, were found among SectorB hacking groups this April.

SectorB hacking groups' hacking activities have been found in Europe, including Russia, Portugal, Germany and France, and in Asia, including Mongolia, Singapore, Japan, Taiwan, Vietnam and South Korea.

SectorB hacking groups hacked the internal networks of hardware and software manufacturers in East Asia, using malicious Microsoft RTF files as Spear Phishing attachments that exploited vulnerabilities frequently used in the past.

These Supply Chain Attacks were linked to cases involving malware in an online game update file developed by an online gaming company in East Asia in March.

They likely did so because directly hacking their target organizations or staff was difficult enough to warrant other attack routes, such as Supply Chain Attacks, to gain access to their targets instead.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02, and SectorC10 were found among SectorC hacking groups this April, with hacking activity targeted at countries in Europe and North America, including Britain, the United States, and Germany.

This April, SectorC hacking groups aimed at stealing information on political and diplomatic activities in European countries. They basically used Spear Phishing techniques with malware and tried to target the presidential elections in certain Eastern European countries.

In addition, SectorC10 hacking activity targeting ICS/SCADA environments has been discovered. This group has various capabilities and tools, such as WebShells and Backdoors, and performs Credential Harvesting and Remote Command Execution.

4. SectorD Activity Features

A total of four hacking groups, SectorD01, SectorD02, SectorD05 and SectorD12, were found among SectorD hacking groups this April. Their hacking activity targeted countries in the Middle East, including the Sector's political competitor Saudi Arabia, the United Arab Emirates, Jordan, Iraq and Turkey, as well as Ukraine, Estonia, Germany and the United States, and South and East Asia.

SectorD hacking groups basically use Spear Phishing techniques with malware; example phishing documents were Word files using confidential U.S. State Department forms. At the same time, malware in the form of compressed files that abused the recently discovered WinRAR vulnerability was also found. SectorD hacking groups mainly collected political, military and diplomatic information from countries in the Middle East that are their political competitors.

However, following the recent declaration of noncompliance with some terms of a Nuclear Agreement it is part of, hacking aimed at collecting information on government activities is expected to intensify, as conflicts with other countries are expected in many areas, including politics and diplomacy.

5. SectorE Activity Features

A total of two hacking groups, SectorE02 and SectorE05, were found among SectorE hacking groups this April, with hacking activity targeted at countries including Pakistan, Bangladesh, Sri Lanka, Myanmar and Nepal.

SectorE hacking groups typically use Spear Phishing as their major hacking technique, attaching web page links or Microsoft Excel documents containing VBA macro scripts to emails that mimic legitimate entities such as foreign governments, telecommunications companies and the defense industry, or using malicious Microsoft Word files that exploit known code execution vulnerabilities.

The recent spate of military and physical clashes in Pakistan is feared to spread into cyberwarfare. Against this backdrop, hacking activity in neighboring countries is increasing as countries seek to collect information on diplomatic activities related to Central and Southeast Asian countries.

6. SectorF Activity Features

One hacking group, SectorF01, was found among SectorF hacking groups this April, with hacking activity targeted at countries in Southeast Asia, including Vietnam and Cambodia, and in East Asia, including Japan, China, and South Korea.

The SectorF01 Group has previously conducted hacking activities against Southeast Asian countries for its political and military interests, but recently it also appears to be hacking for economic interests.

This change in hacking purpose has also led to widespread hacking across Southeast Asia and East Asia.

The hacking techniques used by the SectorF01 Group range from Watering Hole attacks using malicious scripts that exploit vulnerabilities to Spear Phishing, where the malicious code is delivered as an email attachment.

In addition, they have been using various hacking techniques, scenarios, and strategies, and have produced malware that runs on Mac operating systems in addition to malware that runs on Windows.

7. Cyber Crime Groups Activity Features

A total of three groups, SectorJ02, SectorJ03 and SectorJ04, were found to be active for cybercriminal purposes this April.

The areas targeted by these cybercrime groups have been found in the Middle East, including Palestine, the United Arab Emirates and Saudi Arabia; in Europe, including the Netherlands, Luxembourg, Sweden, Macedonia, Russia and Italy; in North and South America, including the United States and Mexico; and in Asia, including South Korea, Japan and Singapore.

Those who hack for financial purposes are also found in a wide range of countries, and their purposes differ from those of groups supported by a particular country. However, as of December 2018, the SectorJ03 and SectorJ04 groups have moved their hacking activities to countries in Asia.

For the purpose of cyber crime, hacking groups generally use Spear Phishing as their major hacking technique, and the attached malware mainly includes macros written to perform malicious functions. In addition, they also attempt to use Windows-based malicious scripts such as PowerShell, VBScript, and BAT.

The full report detailing each event together with IOCs and recommendations is available to existing NSHC ThreatRecon customers.