Monthly Threat Actor Group Intelligence Report, June 2022 (ENG)

This report is a summary of Threat Actor group activities analyzed by NSHC ThreatRecon team based on data and information collected from 21 May 2022 to 20 June 2022. In June, activities by a total of 34 Threat Actor Groups were identified, in which activities by SectorE and SectorJ groups were the most prominent by 27% each, followed by SectorC, and SectorA groups.


Threat Actors identified in June carried out the highest number of attacks on workers and systems in government agencies and info-communication industries. Regionally, Europe and East Asia were seen as the continents with the highest number of hacking activities targeted on.

1. Characteristics of SectorA Group Activities

In June 2022, activities by a total of 3 hacking groups were identified, and the groups were SectorA02, SectorA05, SectorA06 groups

SectorA02 group was found to be active in South Korea. The group sent out spear phishing emails targeted on workers in the field of North Korea related policies in their attacks.

The group disguised themselves as a writer of a broadcasting station to send out emails about holding a talk, and a HWP document format malware was attached to the email.

SectorA05 group was found to be active in South Korea, the Philippines, India, Hong Kong, and China. The group sent out spear phishing emails targeted on workers of broadcast stations.

SectorA06 group was found to be active in Canada and Cambodia. The group used Windows LNK format malwares disguised as subjects related to democracy.

Hacking activities of SectorA hacking groups that continue to date aim to collect advanced information regarding South Korean governmental activities such as political, diplomatic activities, while targeting hacking activities on the whole world to secure financial resources at the same time. This aim for hacking activities has continued over a long period of time and is expected to be carried on without changes for some time.

2. Characteristics of SectorB Group Activities

In June 2022, activities by a total of 7 hacking groups were identified, and the groups were SectorB07, SectorB25, SectorB31, SectorB34, SectorB38, SectorB42, and SectorB56 groups

SectorB07 group was found to be active in Luxembourg, Pakistan, Japan, and Australia. The group delivered document vulnerability exploiting malwares to the target to access the altered web server, and distributed malicious scripts encoded in BASE64 together to steal system controls.

SectorB25 group was found to be active in the United States and Russia. The group used RTF(Rich Text Format) malwares in Russian language in their attacks.

SectorB31 group was found to be active in Russia. The group used Word documents with VBA macro scripts included in their attacks. The Word malware was disguised as a specific reference and session document written in Russian and led the targets to click on the macro activation button.

SectorB34 group was found to be active in the Philippines, India, Nepal, Russia and Belarus. The group exploited MS document vulnerabilities that allows arbitrary commands to be executed.

SectorB38 group was found to be active in Thailand and China. The group disseminated spear phishing emails to numerous government institution workers in this activity. The email was attached with a compressed file containing Word malware and the password to the compressed file.

SectorB42 group was found to be active in Cambodia, Russia, Vietnam, and the United States. The group used a specific malware to target on worldwide government institutions and companies in various industries such as finance and communication.

SectorB56 group exploited a remote code execution vulnerability of a firewall tool to carry out delicate attacks.

Hacking activities of SectorB hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, and is targeted at the whole world.

3. Characteristics of SectorC Group Activities

In June 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorC02, SectorC04, SectorC05, and SectorC08 groups

SectorC02 group was found to be active in Luxembourg. The group used URLs disguised as webpages related to NATO and EU, and a MS Word malware disguised as a document scraping news related to the war was identified.

SectorC04 group was found to be active in the United States and Rumania. The group used Catalan, a language used in some parts of Spain, as the title of the malware, and disguised it as a file related to legislations. In the final stage, a malicious DLL file with a downloader function is executed.

SectorC05 group was found to be active in Singapore, Italy, Canada, and Ukraine. The group targeted Ukrainian media related organizations to use malicious documents that were exploiting vulnerabilities. The malware that is installed in the system at the final stage steals important information from the system or carry out backdoor functions such as downloading additional malware.

SectorC08 group was found to be active in Ukraine, Netherlands, China, Russia, Poland, and Finland. The group used malwares disguised as Ukrainian prosecution and administration documents and MS Word format malwares disguised as Russian Ministry of Defense, and in the final stage attempted to control systems remotely by using open-source remote control tools.

Hacking activities of SectorC hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, targeted at the whole world, including countries near the supporting government’s borders.

4. Characteristics of SectorD Group Activities

In June 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorD05, SectorD10, SectorD14 and SectorD22 groups

SectorD05 group was found to be active in Israel. The group sent out spear phishing emails targeted on Israel’s government workers and military men to steal email accounts.

SectorD10 group was found to be active in the United States. The group used phishing websites disguised as university library and portal webpages with the purpose of collecting information of the targets.

SectorD14 group was found to be active in the United States and the Arab Emirates. The group used PDF malwares disguised as news articles written by an online news agency.

SectorD22 group was found to be active in the United States and India. The group disguised themselves as a hiring manager to send out spear phishing emails, and at the final stage, used malwares with the function of stealing financial and credential information of the internal system.

SectorD hacking groups mostly served hacking activities targeted on countries in political conflicts with supported government, and the group is recently seen to be collecting advanced information such as political, diplomatic activities of individuals or governments against the supporting government.

5. Characteristics of SectorE Group Activities

In June 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorE01, SectorE02, SectorE04, and SectorE05 groups

SectorE01 group was found to be active in England, Pakistan, China, Canada, and Qatar. The group used MS Excel documents incorporated with VBA macro scripts, which were disguised under contents related to government institutions.

SectorE02 group was found to be active in Pakistan, Indonesia, and Qatar. The group used various document format malwares such as MS Word and RTF files in this activity.

SectorE04 group was found to be active in China, Pakistan, England, Germany, India, and the United States. The group distributed various document format malware such as MS Word and RTF files, which were disguised under subjects such as national security treaty and news.

SectorE05 group was found to be active in China, Pakistan, the United States and Turkey. The group used CHM (Compiled HTML Help) files disguised as training documents for workers.

Hacking activities of SectorE hacking groups that continue to date are seen to be aiming to collect advanced information regarding such as political, diplomatic, military activities. However, considering that they have expanded their targets to East Asian countries including China and other areas recently, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries have increased.

6. Characteristics of SectorF Group Activities

In June 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorF01 groups

SectorF01 group used malwares disguised as a specific browser application to target users of the Android OS.

Hacking activities of SectorF carry the aim of collecting advanced information on governmental activities of countries neighboring supported government, such as political, diplomatic, and military activities, and to steal information related to cutting-edge technology for economic development of their country.

7. Characteristics of SectorH Group Activities

In June 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorH03 groups

SectorH03 group was found to be active in India. The group distributed PowerPoint documents under the subject of defense industry exports reviewing, and installed RAT (Remote Administration Tool) malwares in the target’s system. The installed malware carried out malicious activities such as stealing system information, keylogging data, and screen capturing in the victim’s system.

Hacking activities of SectorH hacking group consists of cybercrime hacking activities and government supported hacking activities. Diplomatic clashes has been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies’ military and politics to their need.

8. Characteristics of cybercrime group activities

In June 2022, activities by a total of 10 hacking groups were identified, and the groups were SectorJ03, Sector06, SectorJ09, SectorJ20, SectorJ25, SectorJ38, SectorJ44, SectorJ48, SectorJ53, SectorJ56 groups

Unlike other government-supported hacking groups, they steal online information of monetary value in the real world or directly hacks specific companies and organizations to distribute ransomware in their internal networks, or steal important industrial confidential information and threaten to demand ransom in return.

SectorJ03 group was found to be active in Palestine. The group used MS Word format malwares with malicious macro, which were disguised as a file related to Palestine to lead the target to execute it.

SectorJ06 group was found to be active in China, Israel, Singapore, France, and the United States. The group used vulnerable MS Exchange server as their target or used stolen credentials to penetrate internal systems and utilized various open-source tools.

SectorJ09 group continued using their hacking technique of inserting obfuscated skimming scripts in websites to collect username, address, email, phone numbers and credit card payment details at the payment page. In this activity, JavaScript malwares with a format like those that have been found in the past were identified.

SectorJ20 group was found to be active in Russia, Finland, Belarus, Romania, Japan, Estonia, France, Italy, Hong Kong, Nigeria, Bangladesh, Indonesia, Albania, Belgium, Armenia, Israel, Britain, India, Malta, Colombia, Canada, Ukraine, the United States, the Netherlands, Switzerland, the Philippines, Cyprus, Poland, Spain, and Germany. The group used images utilizing steganography techniques, and executed the backdoor malware hidden in the image through loader malwares.

SectorJ25 group was found to be active in China, Hong Kong, the United States, Taiwan, England, Russia, and South Korea. The group targeted servers with 2375 port open that allows remote access from docker engines to install crypto mining software in the system and carry out crypto jacking attacks.

SectorJ38 group was found to be active in Germany, Ukraine, the United States, and China. The group exploited vulnerabilities to carry out ransomware attacks on targets who have not downloaded the patch yet.

SectorJ44 group was found to be active in Peru. The group used a new ransomware that shared a similar code with their previous ransomware REvil, and the new ransomware also used RC4 algorithm to encrypt network resources and ransomware string.

SectorJ48 group was found to be active in the United States, Austria, Ireland, France, England, Russia, and Ukraine. The group disguised their compressed files as a Ukrainian National Tax service fine related file, and used Cobalt Strike, a PenTesting tool in the final stage.

SectorJ53 group was found to be active in China, New Zealand, Italy, Poland, Spain, Turkey, Sweden, Estonia, Ireland, India, Russia, the United States, Canada, France, Hong Kong, Slovenia, Britain, Thailand, Norway, Germany, Taiwan, Singapore, Japan, Kazakhstan, Egypt, Maldives, and South Korea. The group sent out spear phishing email related to invoices and distributed a downloader malware that allows downloading and execution of PenTesting tools such as Sliver and Cobalt Strike.

SectorJ56 group was found to be active in Japan, Singapore, Ireland, Romania, France, Italy, Britain, Malaysia, Argentina, India, Canada, Serbia, Poland, Estonia, Germany, Sweden, the United States, and Israel. The group used thread hijacked emails to impersonate acquaintances of the targets and lead them to execute the malware, and the executed malware has the function to steal financial and credential information from the internal system.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net