Monthly Threat Actor Group Intelligence Report, September 2020
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from August 21, 2020 to September 16, 2020.
1. SectorA Activity Features
A total of two hacking groups, SectorA01 and SectorA05 were discovered among SectorA groups this September.
SectorA01 group hacking activity was found in China, Slovakia, Israel, Germany and the United Kingdom. They used shortcut file (LNK) disguised as promotional announcements, project planning documents, and employee bonus pay documents to attack. Also, an MS Word file with the theme of job postings, such as those used in hacking activities by attackers over the past few months, was found. The file is disguised as a job posting document for a US defense and aerospace company.
SectorA05 group hacking activity was found in China and South Korea. They carried out hacking activities using executable malwares disguised as documents, and they used themes about the characteristics of North Korean workers and the rules of paper submission.
The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.
2. SectorB Activity Features
A total of three hacking groups, SectorB08, SectB14 and SectorB22 groups were discovered among SectorB groups this September.
SectorB08 group hacking activity was found in Taiwan and France. They used MS PowerPoint malware, which was written with content related to Tibetans. Given the C2 domain name used in this hacking activity and the subject of legitimated documents, they are believed to have targeted people related to Tibetan government in exile.
SectorB14 group hacking activity was found in China, Hong Kong, Russia and Brazil. They sent a spear phishing email containing RTF (Rich Text Format) malware to the Russian Public Procurement Service (PPS).
SectorB22 group hacking activity was found in Philippines, Italy, China, Belgium, the United States and Czechia. They performed an attack using an executable malware disguised as a document, and when executed, a legitimated document using the actual article body content is displayed on the screen.
The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.
3. SectorC Activity Features
A total of one hacking groups, SectorC08 was discovered among SectorC groups this September.
SectorC08 group hacking activity was found in Ukraine, the United States, India, Japan, Hong Kong, China, Egypt, Canada, Czechia, France, Belgium and Romania. They used shortcut files written on various topics, MS Word files (including vulnerabilities), and self-extracting archive (SFX) malware to perform hacking activities. For the shortcut file format, it was written using a variety of topics, such as income regulations for the NRI(Non Resident Indian), petition documents for the Crimean Autonomous Republic, military training, Ukrainian social issues, and most of the legitimated documents were written in Ukrainian or English.
The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located around the country supporting SectorC.
4. SectorD Activity Features
A total of two hacking groups, SectorD01 and SectorD05 were discovered among SectorD groups this September.
SectorD01 group mainly attacked telecommunications operators located in the Middle East, and information on a number of domains registered by them was confirmed in this activity. It was created similar to the domain of an actual job posting site.
SectorD05 group hacking activity was found in Israel and the United States. They used WhatsApp and LinkedIn platforms to approach the attack target and formed a trust relationship with them on through conversations related to Webinar participation. Afterwards, the victim was induced to click the malicious link and enter credentials, email, and contact information. They carried out attacks mainly on research centers, universities and Think Tanks sectors.
SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.
5. SectorE Activity Features
A total of four hacking groups, SectorE01, SectorE02, SectorE04 and SectorE05 were discovered among SectorE groups this September.
SectorE01 group hacking activity was found in Bulgaria, China, Japan, India, Germany and France. They used MS Word malware (including vulnerabilities), which was written on topics related to conflicts between Saudi Arabia and Pakistan and conflicts between China and India.
SectorE02 group continuously produced and distributed Android malware using the package name related to Tencent.
SectorE04 group hacking activity was found in Germany, the United Kingdom, Pakistan, Italy, South Africa, Russia and Afghanistan. They used RTF files and MS Word files that contained the same vulnerabilities found last month.
SectorE05 group hacking activity was found in Pakistan, China, Hong Kong, Netherlands, Philippines, Denmark and South Korea. They distributed executable malware disguised as Windows update files through the website of a specific company located in Pakistan.
Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic, and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.
6. SectorH Activity Features
A total of one hacking groups, SectorH03 was discovered among SectorH groups this September.
SectorH03 group hacking activity was found in the United Kingdom, France and India. In this hacking activity, a compressed file (including many executable files) disguised as a document file was found, and when executed, it shows legitimated document to avoid user suspicion.
The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with India continues increase, activities to gather high-level military and political information from them will also continue.
7. Cyber Crime Activity Features
A total of two hacking groups, SectorJ04 and SectorJ20 were discovered among SectorJ groups this September.
The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.
SectorJ04 group hacking activity was found in Switzerland, the United Kingdom, Germany, Ireland, the United States, Netherlands, Finland, France, Canada, Spain, India, Singapore, China, Italy, South Korea, the United Arab Emirates, Israel, Saudi Arabia, Argentina, Austria, Poland, Russia, Japan, Belgium, Romania, Colombia, Brazil, Philippines, Hong Kong, Ukraine, Guatemala and Estonia. They maintained an initial infection method that included MS Office malware in spam mail. The malware, which is finally installed in the infected system, is a downloader-type malware developed by SectorJ04 group that distributes additional malwares such as Remote Administration Tool (RAT), Ransomware, and Online Banking Trojan within the system.
SectorJ20 group hacking activity was found in the United Kingdom, Singapore, Canada, the United Arab Emirates, Malaysia, Cyprus, France, Lithuania, Georgia and the United States. They used shortcut files with filenames such as Tax savings.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.firstname.lastname@example.org.