2023 Activities Summary of SectorA groups (ENG)

Activity of SectorA Group

Threat Research Lab classifies SectorA groups into 7 subgroups. These groups aim to collect high-value information on South Korean government activities, such as politics and diplomacy, and at the same time carry out hacking activities worldwide to secure financial resources.

Analysis of SectorA group activities in 2023 shows that the SectorA05 group was the most active, followed by the SectorA02 group and the SectorA01 group.

[Figure 1: Statistics of activities of SectorA groups identified in 2023]

SectorA hacking groups identified in 2023 carried out the highest number of attacks on workers and systems in the financial industry, followed by research institutions and government institutions.

[Figure 2: Statistics of Industries Targeted in 2023]

The following map illustrates the countries targeted by SectorA groups in 2023, with darker shades of red indicating higher frequencies of attacks. This shows that SectorA Group conducted the most hacking activities against South Korea, followed by the United States, India, Japan, and the United Kingdom.

[Figure 3: Countries Targeted by SectorA Groups in 2023]

Initial Access Route of SectorA Group

Among the initial access routes used by SectorA groups, distributing spear phishing links was found to be the primary access route used in 2023. Spear phishing attacks are social engineering attacks targeting specific individuals or organizations. Through malicious links, attackers induce targets to input their credentials or execute malware.

The groups impersonate trusted contacts or credible individuals to induce the target to open malicious links or attachments. Because this approach has a high likelihood of gaining initial access, spear phishing is the most commonly used method.

[Figure 4: Statistics of Initial Access Routes used by SectorA Groups]

Vulnerabilities Exploited by SectorA Group

Among the top 5 vulnerabilities exploited by SectorA groups, CVE-2023-29059 (malicious code embedded in the 3CX Desktop App) was the most prominently exploited in 2023. SectorA groups were observed exploiting CVE-2023-29059 to distribute and execute malware on targeted systems.

[Figure 5: Statistics of Top 5 Vulnerabilities Exploited by SectorA Group in 2023]

Vulnerability  | Classification                            | Target System
---------------|-------------------------------------------|-----------------------------------
CVE-2023-29059 | Embedded Malicious Code                   | 3CX DesktopApp
CVE-2021-21551 | Insufficient Access Control Vulnerability | Dell dbutil Driver
CVE-2021-44228 | Remote Code Execution Vulnerability       | Apache Log4j2
CVE-2013-3900  | Remote Code Execution                     | Microsoft WinVerifyTrust function
CVE-2017-0199  | Remote Code Execution Vulnerability       | Microsoft Office and WordPad

[Table 1: Top 5 Vulnerabilities Exploited by SectorA Group in 2023]

SectorA Attack Target Systems Statistics

Software vulnerabilities are typically categorized as server-side or client-side. Because servers sit at the core of a network, hacking groups exploit vulnerabilities in server systems to gain a foothold from which further attacks on the internal network can be launched.

Among the top 5 attack target systems of SectorA groups, the greatest number of attacks were carried out against the 3CX Desktop App, a video conferencing software.

[Figure 6: Statistics of Top 5 Attack Target Systems by SectorA Group in 2023]

Open Source and Freeware Tools Utilized by SectorA Group

Among the top 5 open source and freeware tools utilized by SectorA groups, the Microsoft cloud storage service “OneDrive” was identified as the most frequently used tool in 2023.

SectorA groups used OneDrive as a C2 server to download and execute additional malware on targeted systems. Traffic to cloud storage services commonly used for business purposes, such as OneDrive, is passed as regular traffic and can therefore evade detection by security solutions. This characteristic is assessed to be the reason SectorA groups chose OneDrive as their C2 server.

[Figure 7: Statistics of Top 5 Open Source and Freeware Tool used by SectorA Group in 2023]

Tool Name    | Function
-------------|----------------------------------------------
OneDrive     | Cloud Storage
PCloud       | Cloud Storage
Google Drive | Cloud Storage
GitHub       | Software management platform
Mimikatz     | Windows Credential Information Collection Tool

[Table 2: Top 5 Open Source and Freeware Tool used by SectorA Group in 2023]
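The OneDrive paragraph and Table 2 above describe cloud storage and code-hosting services abused as C2 channels precisely because the traffic looks like normal business use. The following added example (not NSHC's code, data or indicators) shows one way a defender can narrow that down from proxy logs: instead of blocking the destination, it asks which process opened the connection and flags cloud-storage traffic from anything other than the vendor's sync client or a browser. The domain patterns, expected process names and log lines are all constructed assumptions.

```python
"""Flag cloud-storage C2 candidates in proxy logs (added example, not NSHC code).
The services are those from Table 2; the heuristic asks which *process* contacted
them, since the traffic itself blends in. Domains, process names and log lines
are constructed assumptions, not indicators from the report."""
import re

# Assumed Host-header patterns for the services named in Table 2.
CLOUD_SERVICES = {
    "OneDrive": re.compile(r"(^|\.)(onedrive\.live\.com|1drv\.ms|api\.onedrive\.com)$"),
    "pCloud": re.compile(r"(^|\.)pcloud\.com$"),
    "Google Drive": re.compile(r"(^|\.)drive\.google\.com$"),
    "GitHub": re.compile(r"(^|\.)(github\.com|raw\.githubusercontent\.com)$"),
}
# Assumed: processes that legitimately talk to those services (lower-case image names).
EXPECTED_PROCESSES = {"onedrive.exe", "pcloud.exe", "googledrivefs.exe", "git.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}
# Constructed log format: "<ts> host=<name> proc=<image> dest=<fqdn> bytes_out=<n>"
LOG_RE = re.compile(r"^\S+ host=(?P<host>\S+) proc=(?P<proc>\S+) "
                    r"dest=(?P<dest>\S+) bytes_out=(?P<out>\d+)$")

def classify(dest):
    """Return the Table 2 service a destination belongs to, or None."""
    for name, pattern in CLOUD_SERVICES.items():
        if pattern.search(dest.lower()):
            return name
    return None

def hunt(lines):
    """Return (host, process, service, dest, bytes_out) for cloud-storage
    connections made by a process outside the expected set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the hunt
        service = classify(m["dest"])
        if service is None or m["proc"].lower() in EXPECTED_PROCESSES:
            continue
        hits.append((m["host"], m["proc"], service, m["dest"], int(m["out"])))
    return hits

# Constructed sample: three benign lines, three the heuristic should surface.
SAMPLE_LOGS = [
    "2023-06-01T09:12:03Z host=WS-0142 proc=OneDrive.exe dest=onedrive.live.com bytes_out=2048",
    "2023-06-01T09:13:44Z host=WS-0142 proc=chrome.exe dest=drive.google.com bytes_out=512",
    "2023-06-01T09:20:17Z host=WS-0142 proc=rundll32.exe dest=api.onedrive.com bytes_out=76310",
    "2023-06-01T09:21:05Z host=WS-0077 proc=svchost.exe dest=raw.githubusercontent.com bytes_out=1290",
    "2023-06-01T09:25:00Z host=WS-0077 proc=outlook.exe dest=outlook.office365.com bytes_out=4000",
    "2023-06-01T09:30:11Z host=WS-0099 proc=wscript.exe dest=pcloud.com bytes_out=3300",
]
```

Running `hunt(SAMPLE_LOGS)` returns the three connections made by processes outside the expected set; in a real deployment the process allow-list and the bytes_out field are what you tune, since a sync client moving large volumes is normal while a scripting host doing so is not.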

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.