Monthly Threat Actor Group Intelligence Report, October 2020

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from September 17, 2020 to October 20, 2020.

1. SectorA Activity Features

A total of two hacking groups, SectorA01 and SectorA05, were discovered among SectorA groups this October.

SectorA01 group hacking activity was found in South Korea. In this activity, an HWP file disguised as an article written by a specific association was found. When the file is executed, a notification window appears asking the user to choose from a list of compatible programs, and a PDF file is displayed on screen to avoid user suspicion.

SectorA05 group hacking activity was also found in South Korea. They used MS Word malware containing macro scripts. The file name of the malware is related to an academic conference, and it is believed to have been written for people involved with that conference.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of five hacking groups, SectorB01, SectorB14, SectorB23, SectorB30 and SectorB32, were discovered among SectorB groups this October.

SectorB01 group hacking activity was found in China, the United States and Hong Kong. In this activity, ELF malware targeting Linux systems was found.

SectorB14 group hacking activity was found in the United States. They used RTF (Rich Text Format) malware that exploited vulnerabilities.

SectorB23 group hacking activity was found in China, Hong Kong, Taiwan, the Netherlands and the United States. They used a website disguised as an Adobe Flash Player download page to distribute malware.

SectorB30 group hacking activity was found in Taiwan. They mainly attacked Taiwan's government departments, and distributed malware by exploiting a DLL hijacking vulnerability in certain DLP (Data Loss Prevention) software.

SectorB32 group hacking activity was found in Russia, Taiwan, China and Spain. They carried out attacks on Russian energy and fuel companies and attached malicious documents disguised as a phone book to their spear phishing emails.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were discovered among SectorC groups this October.

SectorC01 group hacking activity was found in Spain and Armenia. They carried out the attack using an executable file disguised as a document, which was identified as a variant of the malware frequently used by the SectorC01 group.

SectorC08 group hacking activity was found in Ukraine, Russia, France and Germany. They used shortcut (LNK) files on various topics and MS Word malware (exploiting vulnerabilities) to perform hacking activities.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information, such as political and diplomatic activities, in countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of three hacking groups, SectorD01, SectorD10 and SectorD17, were discovered among SectorD groups this October.

SectorD01 group hacking activity was found in China, Bulgaria, Hungary, the United States, Germany, Switzerland, Kuwait, Saudi Arabia, the United Arab Emirates, Canada, India and Finland. In this activity, a number of PowerShell-based web shells used by the group were found, and these were confirmed to be of a type that has been steadily discovered since at least April 2019.

A number of domains identified as having been created by the SectorD10 group were found. Most of them mimic the domains of real universities, so it is believed that the attacker targeted university employees or researchers.

SectorD17 group hacking activity was found in the United States, Ukraine, Italy, Albania, Russia, China, the United Kingdom, India and Germany. They mainly attacked Iranian expatriates and dissidents, and used MS Word malware that utilizes a remote Template Injection method.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of two hacking groups, SectorE03 and SectorE04, were discovered among SectorE groups this October.

SectorE03 group hacking activity was found in China, India, Pakistan, Germany, Australia, Poland, Nigeria, Nepal, Hungary, the United Kingdom, Canada, Hong Kong, the United States, Italy and Spain. In this activity, they used multiple methods, including spear phishing e-mails, malicious documents, phishing sites and Android malware, to hack into the Chinese government and various industries. The malicious documents found in these hacking activities were of various types, such as RTF, MS Word and MS Excel, each using an attack method such as Template Injection, macro scripts or vulnerability exploitation.

SectorE04 group hacking activity was found in China, Hong Kong, India, Pakistan, Canada and Germany. They used an RTF file that exploited the same vulnerability as the malicious document discovered in September.

Until now, the hacking activities of the SectorE groups have been intended to gather high-level information, including political, diplomatic and military activities involving the Pakistani government. Recently, however, they have expanded their activity to East Asia and other regions, including China, as their efforts to obtain high-level information on the politics, diplomacy and technology of other countries have increased.

6. SectorF Activity Features

A total of one hacking group, SectorF01, was discovered among SectorF groups this October.

SectorF01 group hacking activity was found in Italy, China, the Netherlands, Canada, India, the United States and Morocco. They used a spear phishing email with a compressed file attached; inside the compressed file is an executable malware disguised as a legitimate document using a PDF icon. In addition, the group mainly attacks certain financial companies located in China, and chooses filenames on topics the target of the attack is likely to be interested in.

The purpose of the hacking activities of the SectorF01 hacking group, which continue to date, is to collect high-level information related to government activities, such as the political, diplomatic and military activities of countries close to Vietnam. It is also assessed that hacking activities are carried out to steal advanced technology information for domestic economic development.

7. SectorH Activity Features

A total of one hacking group, SectorH03, was discovered among SectorH groups this October.

SectorH03 group hacking activity was found in India, the United States, Pakistan, China, Singapore, Ukraine, Canada and Hong Kong. As in September, they used a compressed file containing an executable file disguised as a document, which opens a legitimate document when executed to avoid user suspicion.

The hacking activities of the SectorH group include activity for both cybercrime and government support purposes. As diplomatic friction with India continues to increase, activities to gather high-level military and political information from India will also continue.

8. SectorP Activity Features

A total of one hacking group, SectorP02, was discovered among SectorP groups this October.

SectorP02 group used Android malware disguised as a specific encryption application, and some of the network information found in this activity was confirmed to be the same as that used in the group's activity discovered in April and June.

The hacking activities of the SectorP group include activity for both cybercrime and government support purposes. In particular, as diplomatic, political and religious friction with neighboring countries continues, it is assessed that activities to steal high-level information related to the government, military and political activities of neighboring countries will continue, in line with the purpose of the group's hacking activities.

9. Cyber Crime Activity Features

A total of four hacking groups, SectorJ03, SectorJ09, SectorJ14 and SectorJ20, were discovered among SectorJ groups this October.

The hacking activities of these groups, unlike those of government-sponsored hacking groups, target information of monetary value. They hack specific companies and organizations and then either deploy ransomware on their internal networks or steal important industry secrets and threaten to release them in order to demand payment.

SectorJ03 group hacking activity was found in Palestine, Norway, Malaysia, the United States and Poland. In this activity, they produced Android malware using a variety of themes. An executable malware disguised as a document was also found, which displays a document disguised as a resume on screen when executed.

SectorJ09 group maintains its existing hacking method of inserting an obfuscated skimming script into a website's payment page to collect usernames, addresses, email addresses, phone numbers, credit card payment information and similar data. In this activity, JavaScript malware of the same type as previously found was confirmed.

SectorJ14 group hacking activity was found in Switzerland, Kazakhstan, Singapore and Japan. As in September, they produced and distributed Android malware on various topics.

SectorJ20 group hacking activity was found in the United States, Germany, Azerbaijan, China, Russia, Brazil and the United Kingdom. In this activity, MS Word malware containing macro scripts was found, and when executed, it drops and executes RAT (Remote Administration Tool) malware using a Python interpreter and script.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.