Monthly Threat Actor Group Intelligence Report, August 2020

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21, 2020 to August 20, 2020.

1. SectorA Activity Features

A total of two hacking groups, SectorA01 and SectorA05, were discovered among SectorA groups this August.

SectorA01 group hacking activity was found in South Korea, Germany, Romania, Russia, China, France, Hong Kong, Israel, Italy, India, Australia, the United States, Japan, the United Kingdom, Latvia, Netherlands, Georgia, Sweden, Estonia, Ukraine, Lithuania, Mexico, Argentina, Switzerland and Philippines. They used malware, which was written under the theme of contract documents and job announcements of certain defense companies and airlines. And, They used the various methods include Spear Phishing Email and Social media messages to deliver a link to a file store service that could download malware.

SectorA05 group hacking activity was found in South Korea and India. They conducted hacking activities using MS Word malware and the executable file disguised as Hangul (HWP) documents, and all discovered malwares were written under the theme of event guidance related to inter-Korean relations.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of two hacking groups, SectorB01 and SectorB22 group were discovered among SectorB groups this August.

SectorB01 group hacking activity was found in Taiwan, the United States, China, France, Hong Kong and Japan. They used executable malware written in Python, which is access the attackers Github repository. It has features such as collecting credential and network information, and download backdoor. In addition, MS Excel malware disguised as a quarterly report summary was also found, in which case malware written in “.NET” from the attacker’s server is downloaded.

SectorB22 group hacking activity was found in the United Kingdom and Colombia. They performed hacking activities using shortcut file (LNK) disguised as meeting minutes, which is including an HTA script that generate DLL and EXE written in “.NET”.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were discovered among SectorC groups this August.

SectorC01 group hacking activity was found in Azerbaijan, Netherlands, Germany and Bulgaria. They used MS Word malware disguised as a Beirut explosion incident report and downloaded malicious payloads from the hard-coded attacker’s server when executing the document.

SectorC08 group hacking activity was found in Ukraine and Denmark. Over the past few months, they have used MS Word malware, which uses the Template Injection method for attacks. In the activity, they attached malware disguised as COVID-19 related documents to spear phishing emails targeting the Danish Ministry of Culture.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located around the country supporting SectorC.

4. SectorD Activity Features

A total of one hacking group, SectorD01 was discovered among SectorD groups this August.

SectorD01 group hacking activity was found in Pakistan, the United Arab Emirates, the United Kingdom, Saudi Arabia, Iraq, Bahrain and Armenia. They carried out attacks mainly on telecom operators located in the Middle East, and in this activity a number of malwares targeting Windows 64-bit environments were found.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of one hacking groups, SectorE04 was discovered among SectorE groups this August.

SectorE04 group hacking activity was found in Japan, India, the United Kingdom, Taiwan and France. They used RTF files and MS Word files that contained vulnerabilities, the same as those found last month. When malicious documents are executed, built-in vulnerabilities operate and the DLL Side Loading method, which loads malicious DLLs into legitimated programs.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic, and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.

6. SectorH Activity Features

A total of one hacking groups, SectorH01 was discovered among SectorH groups this August.

SectorH01 group hacking activity was found in the United States, Bosnia, France, Germany, Poland, Spain, Austria, South Korea, Brazil, Netherlands, Hungary, Turkey, Macedonia, Belgium, Russia, the United Kingdom, South Africa and Algeria. The attacker used a spear phishing email and used a malicious RTF document containing the vulnerability, an MS Word file, and a shortcut file (LNK).

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with India continues increase, activities to gather high-level military and political information from them will also continue.

7. SectorR Activity Features

A total of one hacking groups, SectorR01 was discovered among SectorH groups this August. SectorR01 group hacking activity was found in China. They were found to have attached compressed files containing malware, or to have carried out hacking activities targeting various Research center in China using spear phishing emails with malicious links. In the case of malicious links, it redirects to a phishing website to collect login information, collects Keystroke logging, and sends it to the attacker’s server. In the case of the compressed file, a shortcut file to access the attacker’s server was included inside, or an RTF file with a vulnerability was included. The purpose of the hacking activities of the SectorR hacking groups are aimed at collecting high-level information on government activities, including political, diplomatic and military activities involving the China, which is in rivalry with countries that support SectorR.

8. Cyber Crime Activity Features

A total of five hacking groups, SectorJ01, SectorJ04, SectorJ09, SectorJ14 and SectorJ21, were discovered among SectorJ groups this August.

The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.

SectorJ01 group hacking activity was found in the United States and the United Kingdom. They sent a spear phishing email disguised as a waybill message sent by an international freight forwarder, and a compressed file containing a VBS script was identified in the hacking activity.

SectorJ04 group hacking activity was found in Singapore, Netherlands, the United States, Sweden, India, Romania, the United Kingdom, Italy, Argentina, Germany, South Korea and Brazil. They maintained an initial infection method that included MS Office malware in spam mail. The malware, which is finally installed in the infected system, is a downloader-type malware developed by SectorJ04 group that distributes additional malwares such as Remote Administration Tool (RAT), Ransomware, and Online Banking Trojan within the system.

SectorJ09 group hacking activity was found in Czechia, the United States, Luxembourg, the United Kingdom, South Korea, Germany and Sweden. They insert obfuscated Skimming scripts into the Web site to collect usernames, addresses, e-mails, phone numbers and credit card payment information from the payment page.

SectorJ14 group hacking activity was found in Japan, Taiwan, the United States and South Korea. They produced and distributed Android malware written under various themes, and malware disguised as a courier company’s application and a bank application located in Japan was found, just like the last hacking activity.

SectorJ21 group hacking activity was found in Russia, the United Kingdom, Belgium and Slovenia. The attacker used a spear phishing email with a link that could download malware, and the executable compressed file malware displays a decoy document on the screen to avoid suspicion from the user. It used the Russian filename associated with the employee’s annual bonus or appointment letter.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.