2023 Activities Summary of SectorC groups (ENG)

Activity of SectorC Group

In 2023, hacking activities by a total of 12 SectorC subgroups were identified. The groups aim to collect high-value intelligence, such as the political and diplomatic activities of the governments of countries bordering their sponsoring state, as well as of governments around the world.

An analysis of the hacking activities of SectorC groups in 2023 showed 12 active subgroups during the year, with the activities of the SectorC08 group being the most prominent among them.

[Figure 1: Statistics of Activities of SectorC Groups identified in 2023]

SectorC hacking groups identified in 2023 carried out the highest number of attacks against the personnel and systems of government agencies, followed by the defense and information technology sectors.

[Figure 2: Statistics of industries Targeted in 2023]

The following map illustrates the countries targeted by SectorC groups in 2023, with darker shades of red indicating a higher frequency of attacks.

The figure shows that the groups carried out the greatest number of hacking activities against Ukraine and the United States.

In the case of Ukraine, the country has been the main target of the groups since its invasion by the groups' sponsoring state. The groups are believed to be carrying out extensive hacking activities aimed at disabling key Ukrainian systems or stealing critical information such as military technology.

[Figure 3: Countries Targeted by SectorC Group in 2023]

INITIAL ACCESS ROUTE of SectorC Group

Among the initial access routes used by SectorC groups, spear phishing with malicious attachments was the primary access route used in 2023.

Spear phishing attacks are social engineering attacks targeting specific individuals or organizations. Through malicious links or attachments, attackers induce targets to enter their credentials or execute malware.

The groups impersonate trusted contacts or credible individuals to induce the target to open malicious links or attachments. Its high likelihood of successful initial access makes spear phishing the most commonly used method.

[Figure 4: Statistics of Initial Access Routes used by SectorC Group]

Vulnerabilities Exploited by SectorC Group

Among the top 5 vulnerabilities exploited by SectorC groups, CVE-2023-23397 (Microsoft Office Outlook Privilege Escalation Vulnerability) was the most prominently exploited in 2023. A crafted calendar or task item sets its reminder sound to a UNC path on an attacker-controlled server; when the reminder is processed, Outlook follows the path without any user interaction and authenticates to that server, leaking the user's Net-NTLMv2 response. The groups have been confirmed to exploit CVE-2023-23397 in this way to steal the credentials of Microsoft Outlook users.

[Figure 5: Statistics of Top 5 Vulnerabilities Exploited by SectorC Group in 2023]

Vulnerability     Classification                            Target System
CVE-2023-23397    Privilege Escalation Vulnerability        Microsoft Office Outlook
CVE-2023-38831    Code Execution Vulnerability              RARLAB WinRAR
CVE-2017-11882    Memory Corruption Vulnerability           Microsoft Office
CVE-2020-35730    Cross-Site Scripting (XSS) Vulnerability  Roundcube Webmail
CVE-2021-44026    SQL Injection Vulnerability               Roundcube Webmail

[Table 1: Top 5 Vulnerabilities Exploited by SectorC Group in 2023]
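The following triage routine is an added example, not code from the original report or from NSHC. It shows the check a defender applies to calendar and task items when hunting for CVE-2023-23397 exploitation: the reminder-sound property (PidLidReminderFileParameter) combined with the override flag (PidLidReminderOverride) is what makes Outlook fetch the path, so an item is only dangerous when both are set and the path is a UNC path to a host outside the intranet. The sample items, the internal address ranges and the trusted DNS suffix ".corp.example" are assumptions constructed for the example; the property values would normally come from a mailbox export or an EWS/MAPI scan.

```python
import ipaddress
import re
from typing import Optional

# Address ranges treated as intranet; the trusted DNS suffix is an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_SUFFIXES = (".corp.example",)

# Host component of a UNC path, allowing the "\\host@80\share" / "\\host@SSL\share"
# form that makes Windows fall back to WebDAV when outbound SMB is blocked.
UNC_HOST_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\w+))?\\")


def unc_host(path: str) -> Optional[str]:
    """Return the host a UNC path points at, or None for a local path."""
    m = UNC_HOST_RE.match(path)
    return m.group(1) if m else None


def is_internal_host(host: str) -> bool:
    """True for private/loopback addresses, bare NetBIOS names and trusted DNS suffixes."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        h = host.lower()
        return "." not in h or h.endswith(TRUSTED_SUFFIXES)


def classify_item(props: dict) -> str:
    """Triage one calendar/task item from its MAPI named properties.

    Outlook fetches the custom reminder sound only when PidLidReminderOverride is set,
    so both properties must be present for the UNC fetch (and the NTLM leak) to happen.
    """
    path = props.get("PidLidReminderFileParameter")
    if not path or not props.get("PidLidReminderOverride", False):
        return "clean"          # default reminder sound: nothing is fetched
    host = unc_host(path)
    if host is None:
        return "clean"          # local file, no network authentication
    if is_internal_host(host):
        return "suspicious"     # intranet UNC: unusual for a reminder, but no leak to an outsider
    return "exploit"            # external host: Outlook sends the user's Net-NTLMv2 response there


# Constructed sample items (hypothetical subjects and hosts), not data from the report.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "PidLidReminderOverride": False},
    {"subject": "Quarterly review", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Meeting", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"subject": "Urgent", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\reminder.wav"},
    {"subject": "Urgent (WebDAV)", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\203.0.113.10@80\davshare\reminder.wav"},
]


def triage(items):
    """Return (subject, verdict) for every item, so the result can be reviewed or exported."""
    return [(item["subject"], classify_item(item)) for item in items]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_ITEMS):
        print(f"{verdict:<10} {subject}")
```

The "@80" form is worth keeping in the check: when outbound SMB (TCP 445) is blocked at the perimeter, the exploit still works over WebDAV on port 80, so a firewall rule alone is not a complete mitigation and the reminder property itself has to be inspected.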

SectorC Attack Target Systems Statistics

Software vulnerabilities are typically categorized into server-side and client-side types. Exploiting a vulnerability in an internet-facing server gives a hacking group a foothold inside the network, from which it can pivot to further attacks on internal systems; client-side vulnerabilities instead require the target to open a file or follow a link.

Among the top 5 attack target systems of SectorC groups, Microsoft Office received the greatest number of attacks. The groups used spear phishing to induce targets to open an attached file, and were confirmed to exploit client software vulnerabilities to distribute malware or steal data.

[Figure 6: Statistics of Top 5 Attack Target Systems by SectorC Group in 2023]

Open Source and Freeware Tools Utilized by SectorC Group

Among the top 5 open source and freeware tools utilized by SectorC groups, the messaging application Telegram was identified as the most frequently used tool in 2023.

Telegram was used mainly to exfiltrate stolen data through Telegram channels, or to control compromised systems through the Telegram API for malicious purposes.

[Figure 7: Statistics of Top 5 Open Source and Freeware Tool used by SectorC Group in 2023]

Tool Name   Function
Telegram    Messenger program
DropBox     Cloud storage
UltraVNC    Remote control tool
OneDrive    Cloud storage
Notion      Project management software

[Table 2: Top 5 Open Source and Freeware Tools used by SectorC Group in 2023]
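The use of the Telegram API for exfiltration and command-and-control described above leaves a recognisable pattern on the wire: every call goes to api.telegram.org with the bot token in the URL path, and the API method names which role the request plays. The following hunting script is an added example, not code from the original report or from NSHC; it assumes a proxy log in a squid-like "timestamp client method url status" format with the URL path visible (that is, TLS inspection is in place). The log lines and the bot token are constructed for the example, not real traffic.

```python
import re
from urllib.parse import urlsplit

# Bot API path: /bot<numeric bot id>:<35-character secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{35})/(\w+)$")

# What each Bot API method means when a non-browser process on a workstation calls it.
METHOD_ROLE = {
    "sendDocument": "exfiltration",   # file upload into the operator's chat or channel
    "sendPhoto":    "exfiltration",   # screenshots
    "sendMessage":  "beacon",         # command output or heartbeat
    "getUpdates":   "tasking",        # long-poll for operator commands
    "getFile":      "payload",        # fetch a file the operator uploaded
}


def parse_bot_request(url: str):
    """Return (bot_id, api_method, role) for a Telegram Bot API URL, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)       # query string (offset=, timeout=) is not part of path
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()
    return bot_id, api_method, METHOD_ROLE.get(api_method, "other")


def hunt(log_text: str):
    """Scan proxy log lines (timestamp client method url status) for Bot API usage."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        parsed = parse_bot_request(url)
        if parsed:
            bot_id, api_method, role = parsed
            hits.append({"ts": ts, "client": client, "bot_id": bot_id,
                         "api_method": api_method, "role": role})
    return hits


def bots_per_client(hits):
    """Group hits by (client, bot id): one host using one bot for tasking and upload is the C2 pattern."""
    summary = {}
    for h in hits:
        summary.setdefault((h["client"], h["bot_id"]), set()).add(h["role"])
    return summary


# Constructed log lines; the token is fake (bot id plus a 35-character dummy secret).
FAKE_TOKEN = "123456789:" + "AAH" + "x" * 32
SAMPLE_LOG = f"""\
1704067200.101 10.1.2.33 GET https://www.example.com/index.html 200
1704067201.532 10.1.2.33 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200
1704067202.004 10.1.2.33 GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates?offset=5&timeout=30 200
1704067203.777 10.1.2.40 GET https://web.telegram.org/a/ 200
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h)
    print(bots_per_client(found))
```

Without TLS inspection only the server name is visible, so the fallback signal is the host: web.telegram.org from a browser is ordinary user traffic, while api.telegram.org contacted by a process that is not a Telegram client is the thing to investigate. Blocking api.telegram.org at the proxy cuts off both the exfiltration channel and the tasking channel at once.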

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.