State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus group has used infrastructure associated with a ransomware group for intelligence gathering campaigns. Chinese APTs that were traditionally targeting entities in Asia have shifted their focus to European companies, and Iran-based groups that usually targeted Israeli companies have started going after their foreign subsidiaries. North Korean group Konni has even started using English in its operations. All these changes suggest that organizations and companies from Western countries are at increased risk from APT activity.
Sandworm has been launching destructive attacks against Ukrainian organizations for years, and is credited with the attacks against the Ukrainian energy infrastructure that caused blackouts in the country in 2015, as well as the NotPetya ransomware-like attack in 2017. In the last months of 2022, Sandworm continued its data wiping attacks against Ukrainian organizations, but expanded its efforts to organizations from countries that are strong supporters of Ukraine, such as Poland. Sandworm is believed to operate as a unit inside Russia's military intelligence agency, the GRU.
Sandworm has been using data wiping malware such as CaddyWiper and HermeticWiper, as well as a new malware program called Industroyer2. In October, the group used a ransomware program called Prestige against Ukrainian and Polish logistics companies, and a month later, they used another ransomware program called RansomBoggs against Ukrainian organizations. In these attacks, ransomware was used but the final objective was the same as for the wipers: data destruction.
Aside from data wiping malware, Sandworm seems to be continuing its tactic of repurposing ransomware. Lazarus has likewise hidden behind a ransomware disguise: security firm WithSecure recently investigated an attack campaign that was initially suspected to be the work of the BianLian ransomware group, but which turned out to be an intelligence gathering operation by North Korea's Lazarus group. The group targeted public and private research organizations in the medical research and energy sectors, as well as their supply chain.
North Korea has multiple APT groups that sometimes share tooling, but which are believed to be controlled by different government agencies or departments. Lazarus, APT38, and Andariel are groups attributed to the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency. Another group, called Kimsuky, is attributed to the 5th Bureau (Inter-Korean Affairs) and conducts operations targeting mainly South Korea. A further group, tracked as APT37, which also targets mainly South Korea, is attributed to the North Korean Ministry of State Security.
Just last week, the ESET team discovered yet another wiper program, which they attributed to Sandworm and dubbed SwiftSlicer. This wiper is written in Go and is deployed across networks through Active Directory Group Policy. North Korean state-sponsored actors have also been using the Maui ransomware to target the healthcare and public health sectors. North Korean hacking units have also been engaging in activity that is more akin to cybercrime than cyberespionage, such as using old exploits to compromise cryptocurrency firms and exchanges.
This Cyber News was published on www.csoonline.com. Publication date: Thu, 02 Feb 2023 09:02:03 +0000