Monthly Threat Actor Group Intelligence Report, May 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21 to May 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA07 were found among SectorA hacking groups this May. Analysis of the hacking campaigns of SectorA groups over a long period of time reveals that SectorA02, SectorA05 and the newly defined SectorA07 are the most active. The increase in activity of these three groups means that the strategy, hacking purpose and direction of the entire SectorA groups are clarified. In addition, it means that the goals of each group in SectorA is now clear.

In the past, SectorA02 and Sector05 groups conducted hacking campaigns to collect advanced information related to Korea. However, these groups are currently conducting hacking campaigns to gather information on political activities in Europe, North America, and Southeast Asia, where countries that can influence the political and diplomatic activities of the SectorA government are located.

In May, the newly defined SectorA07 group was a small subgroup of the larger existing SectorA05 group. As a result of analyzing their hacking campaigns, we found that the SectorA07 group is active only for the purpose of collecting financial information from companies located in countries such as South Korea and Southeast Asia.

The SectorA02 group uses the most diverse hacking strategies and techniques in SectorA. They develop and utilize a variety of hacking strategies and techniques such as simple phishing attacks, spear phishing attacks with malware, and sophisticated social engineering techniques using KakaoTalk (a popular messenger in South Korea). On the other hand, SectorA05 and SectorA07 focused on utilizing spear phishing, which was used frequently in the past, for initial access. They use Microsoft Word or HWP file format malware selectively depending on their target victim.

We observe that SectorA is targeting specific countries less and now gathering political and economic activity information of various countries related to the SectorA government and capturing financial information in a variety of non-specific countries and regions.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In May, a total of four hacking groups were found to be active in SectorB.

In the Middle East and Southeast Asia, the activity of SectorB01 which had a low activity frequency over the past period has started to increase. The SectorB01 group used Microsoft Word files containing code execution vulnerabilities to execute malware. These files were attached to their spear phishing emails, and this technique was frequently used by other SectorB groups in the past. In May, the SectorB01 group was also found using malware that runs on the Linux operating system and it seems they are preparing their capabilities for attacks on various operating systems.

The SectorB03 group, mainly acting in North America, used the remote code execution vulnerability CVE-2019-0604 to attack Microsoft SharePoint servers, which was not used by other hacking groups in the past. They attempted to exploit the vulnerability in order to penetrate the internal network by uploading a WebShell to the target server.

SectorB09 group mainly operates in East Asia, and they use malware with characteristics similar to those used in the past. However, they are using a new hacking technique as they are masquerading their malware as a setup file of a commercial cloud service and then distributing malware to specific targets.

The SectorB16 group, acting mainly in Europe and Southeast Asia, uses only open source tools and known existing vulnerabilities. This characteristics make it more difficult to detect their hacking activity.

SectorB groups are likely to conduct hacking activities to seize relevant diplomatic information as part of a recent trade war with the United States. As a result, the frequency of SectorB group hacking campaigns is expected to increase.

3. SectorC Activity Features

In May, a total of three hacking groups were found among the SectorC groups. They perform hacking activities mainly in Europe, South America, and Eastern Europe where political friction is frequent.

The SectorC01 group mainly utilized malware recently produced in the GO language for this month. This seems to be a strategic choice because the GO programming language has heterogeneous portability and high utilization.

The SectorC02 group installs information-collecting malware which targets Microsoft Exchange Servers. This is similar to malware used in hacking campaigns in countries located in Europe in the past, and seems to be aimed at stealing e-mail information that can be used for various purposes.

The SectorC08 group conducts intensive hacking activities targeting countries in Eastern Europe where political friction continues. The malicious code found in May was in the form of an executable compressed file, 7ZipSFX, which has the characteristics of using both script files and known normal files together. This is similar to the activities of the SectorC08 group found in the past.

4. SectorD Activity Features

In May, a total of two hacking groups were found among SectorD groups. They perform hacking activities mainly on other Middle Eastern countries which they have political tensions with.

The SectorD01 group mainly conducted hacking activities for the purpose of collecting information using spear phishing emails with Microsoft Excel files that contain malicious macros, and malware using AutoHotKey and TeamViewer, both of which they have not used in the past.

The SectorD02 group also conducted hacking campaigns in the Middle East. They used spear phishing with malware for initial access, just like most other Sector groups. Recently, they used open-source penetration testing tools in their attacks, which seems to be an attempt to not leave traces of attack activity.

5. SectorE Activity Features

In May, a total of three hacking groups were found among SectorE groups. They perform hacking activities mainly against their rival countries in Central Asian, including Pakistan.

The SectorE02 group typically used spear phishing emails with an attached Microsoft Excel document with malicious macro scripts for initial access.

The SectorE05 group also used Microsoft Word malware for hacking activities, with the internals of these Word files including two files with OLE structures and two files with executable file structures.

Hacking campaigns of SectorE hacking groups have been concentrated against their competitor countries after a military physical conflict with a political rival country. Due to this political situation, the hacking campaigns of SectorE groups are expected to continue.

6. SectorF Activity Features

In May, the SectorF01 group mainly operated against China, Thailand, Cambodia and India. In addition, hacking campaigns targeting Japan automotive companies located in Southeast Asia were also found.

The SectorF01 group uses a variety of attack methods constantly: executable files disguised as document file icons, MS Word documents containing VBA macro scripts, RTF files exploiting the CVE-2017-11882 vulnerability, and WinRAR ACE Vulnerability (CVE-2018-20250). Recent hacking activities of the SectorF01 group seems to be for different purposes from the past, as they now also hack various countries and organizations for the economic development of their own country as opposed to only for political and military information.

This type of hacking activity is similar to previous attempts of another sector, SectorB, to collect technology information of Western countries in order advance their own technology and economic development. It appears that the SectorF01 group will continue to target various advanced countries and high technology industries for these purposes.

7. Cyber Crime Groups Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In May, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ04 group were mainly found in Italy, Korea, Romania, South Africa and India, and are targeted at major companies in the financial industry such as banks. The group mainly uses malware in the form of an MS Excel file containing macros script and they are using different malware and strategies across Europe and Asia.

The SectorJ09 group hacking activities observed were for hijacking credit card payment information for e-commerce platforms used in online stores in North America and universities in the US and Canada.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact