Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, SectorA05 were found among SectorA hacking groups this June. The SectorA group was mainly active in the Middle East, Southeast Asia, and East Asia in June, targeting countries such as Jordan, Philippines, South Korea, and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are active mainly for monetary profit but based on their hacking techniques and malware features, each groups are aimed at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, but the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails which attached malicious HWP or executable files. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to target both diplomatic information related to their government and gain monetary benefits. In the past, they mainly targeted financial companies and cryptocurrency exchanges in order to earn monetary benefits. but nowadays they extended their range of hacking targets to include individual holders of cryptocurrency. Attention is needed as their range of activities expand.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six hacking groups were found to be active in SectorB. Activities of each group were found in the following countries: SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, Netherlands, and Ukraine. SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia. SectorB04 group activity was discovered in East Asia, Middle East and Europe, mainly in Taiwan, Philippines, Turkey, and Austria. SectorB06 group activity was discovered in the Middle East, mainly in Turkey and Kazakhstan. SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada. SectorB14 group activity was discovered in East Asia and North America, mainly in the South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08, SectorC11 were found among the SectorC groups in June. They were active mainly in Europe – Moldova, Ukraine and Germany – where they frequently have political friction with. They are constantly using spear phishing emails with malware, but there are gradual changes in the characteristics of the attached executable files. They continue to use open source programs such as the remote control programs, UltraVNC, and start to develop their malware with open source code. This is presumably done to bypass security solutions and analyst detection, and also interferes with intelligence analysis efforts to track attackers. SectorC groups are expected to continue hacking activities in countries which it has political and diplomatic conflicts with for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among SectorD groups. They targeted countries in the Middle East which they have a politically competitive relation with. Activities of each group were found in the following countries: SectorD02 group activity was discovered extensively in Middle Asia to Middle East, mainly in Hong Kong, Sweden, Tajikistan, United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, United States and Mexico. SectorD11 group activity was discovered in Middle Asia to Middle East.

They are constantly using spear phishing emails attached to Microsoft Office document files. In particular, obfuscated macro scripts and PowerShell code are embedded in these document files to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilian who are against SectorD government.

Currently, the SectorD hacking groups have increased the frequency of hacking activities against Western countries. This is mainly targeting the United States, which they have political and military disputes with, but also a pro-American nation in the Middle East. It is likely that the activities of SectorD hacking groups will be greatly dependent on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, United Kingdom and the United States. They have consistently used spear phishing emails with attached Microsoft Office document files, but recently attached compressed files containing obfuscated HTA script files as well. This bypasses the detection of security solutions using script-based malware and avoids making the target suspicious as it launches normal documents when running the HTA file.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-tech info from advanced countries that are nurturing high-tech and industrial technologies, which assists their government’s economic development and upgrading purposes. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage is increasing, and it is likely that their activities targeting high tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to be active as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in Southeast Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office document files.

In this case, macro scripts within document files make use of PowerShell to download additional scripts from Pastebin (a text file storage site). This minimize the exposure of their next stage payload even if their initial malware is detected by a security solution, and can bypass the detection of security solution by using an external web site which is open to the Internet for distribution of their malware. SectorH01 group’s hacking activities were mainly carried out on their political competitor, India. However, recently their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.

7. Cyber Crime Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In June, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group are mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, US, Brazil, and Costa Rica. The SectorJ01 group uses Spear Phishing emails which have attached documents that utilize known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

SectorJ04 Group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, France, South Korea, Philippines, Taiwan, China, USA, Ecuador, and Senegal.

Similar to the past, they use spear phishing emails which have attached Microsoft Office document files with embedded macro scripts that will download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets were not limited to just financial companies anymore. They have also extended their activities to industrial areas, where the security posture is typically relatively weaker compared to financial companies, so this is one way they are attempting to generate high profits through low effort. As SectorJ04 group’s hacking targets are diversified, it is likely that many cases of financial losses will occur in various countries across many industries.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact