State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage

State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus group has used infrastructure associated with a ransomware group for intelligence gathering campaigns. Chinese APTs that were traditionally targeting entities in Asia have shifted their focus to European companies, and Iran-based groups that usually targeted Israeli companies have started going after their foreign subsidiaries. North Korean group Konni has even started using English in its operations. All these changes suggest that organizations and companies from Western countries are at increased risk from APT activity. Sandworm has been launching destructive attacks against Ukrainian organizations for years, and is credited with the attacks against the Ukrainian energy infrastructure that caused blackouts in the country in 2015, as well as the NotPetya ransomware-like attack in 2017. In the last months of 2022, Sandworm continued its data wiping attacks against Ukrainian organizations, but expanded its efforts to organizations from countries that are strong supporters of Ukraine, such as Poland. Sandworm is believed to operate as a unit inside Russia's military intelligence agency, the GRU. Sandworm has been using data wiping malware such as CaddyWiper and HermeticWiper, as well as a new malware program called Industroyer2. In October, the group used a ransomware program called Prestige against Ukrainian and Polish logistics companies, and a month later, they used another ransomware program called RansomBoggs against Ukrainian organizations. In these attacks, ransomware was used but the final objective was the same as for the wipers: data destruction. Aside from data wiping malware, Sandworm seems to continue its tactics of repurposing ransomware. Security firm WithSecure recently investigated an attack campaign that was initially suspected to be caused by the BianLian ransomware group, but was actually an intelligence gathering operation by North Korea's Lazarus group. The group targeted public and private research organizations from the medical research and energy sectors, as well as their supply chain. North Korea has multiple APT groups that sometimes share tooling, but which are believed to be controlled by different government agencies or departments. Lazarus, APT38, and Andariel are groups attributed to the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency. Another group called Kimsuky is attributed to the 5th Bureau - Inter-Korean Affairs and deals with operations targeting mainly South Korea. Another group, tracked as APT37 that also targets mainly South Korea, is attributed to the North Korean Ministry of State Security. Just last week, the ESET team discovered yet another wiper program that they attributed to Sandworm and dubbed SwiftSlicer. This wiper is written in Go and is deployed on networks through Active Directory Group Policy. North Korean state-sponsored actors have also been using the Maui ransomware to target the healthcare and public health sectors. North Korean hacking arms have also been engaging in activity that is more akin to cybercrime than cyberespionage, such as using old exploits to compromise cryptocurrency firms and exchanges.

This Cyber News was published on www.csoonline.com. Publication date: Thu, 02 Feb 2023 09:02:03 +0000


Cyber News related to State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage

State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage - State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus ...
1 year ago Csoonline.com
6 Ransomware Trends & Evolutions For 2023 - More than any other industry, cybersecurity is constantly changing. The number of major paradigm shifts that have transformed the world of cybersecurity in the past few years has been unprecedented, especially when it comes to combating ransomware. ...
1 year ago Trendmicro.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
Signature Techniques of Asian APT Groups Revealed - The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures employed by Asian Advanced Persistent Threat groups. The 370-page report, Modern Asian APT groups: Tactics, Techniques and ...
1 year ago Infosecurity-magazine.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
11 months ago Securityboulevard.com
Cyber Insights 2023: Criminal Gangs - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. Despite some geopolitical overlaps with state attackers, the majority of ...
1 year ago Securityweek.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
10 months ago Securityboulevard.com
Ransomware in 2024: Anticipated impact, targets, and landscape shift - As ransomware continues to be on the rise, we can expect groups to continue to evolve their attacks and operate at a larger scale for bigger profits. Here is what we can expect the ransomware landscape to look like in 2024. In 2024, we'll see more ...
1 year ago Helpnetsecurity.com
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
11 months ago Cybersecuritynews.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
Navigating Ransomware: Securin's Insights and Analysis from 2023 - As ransomware attackers continue to evolve and adapt their techniques, organizations must refine and adapt their security strategies to stay ahead of these threats. Human-augmented, actionable threat intelligence plays a critical role in every ...
9 months ago Cybersecurity-insiders.com
Cisco Talos Report: New Trends in Ransomware, Network Infrastructure Attacks, Commodity Loader Malware - The Cisco Talos Year in Review report released Tuesday highlights new trends in the cybersecurity threat landscape. We'll focus on three topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader ...
1 year ago Techrepublic.com
ESET APT Activity Report T3 2022 - ESET APT Activity Report T3 2022 summarizes the activities of selected advanced persistent threat groups that were observed, investigated, and analyzed by ESET researchers from September until the end of December 2022. In the monitored timespan, ...
1 year ago Welivesecurity.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
10 months ago Malwarebytes.com
Ransomware Groups Gain Clout With False Attack Claims - The cybersecurity community is getting duped by fake breach claims from ransomware groups, experts say - and ransomware misinformation is a threat they predict will only grow in the coming months. The cybersecurity community should know that ...
10 months ago Darkreading.com
The Evolution of Ransomware 4 Types of Cyber Threats in 2023 - Security professionals and CISOs have been protecting their organizations from ransomware for a long time, adapting to changes in technology to protect against the risks of stolen data or disruptions to important systems. Cybercriminals are always ...
1 year ago Trendmicro.com
How ransomware gangs are engaging - As ransomware gangs continue to market themselves as legitimate businesses complete with customer service representatives, new research from Sophos showed that threat actors are expanding public relations efforts to further pressure victims into ...
1 year ago Techtarget.com
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
10 months ago Bleepingcomputer.com
OpenAI blocks state-sponsored hackers from using ChatGPT - OpenAI has removed accounts used by state-sponsored threat groups from Iran, North Korea, China, and Russia, that were abusing its artificial intelligence chatbot, ChatGPT. The AI research organization took action against specific accounts associated ...
10 months ago Bleepingcomputer.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
1 year ago Bleepingcomputer.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
9 months ago Feeds.fortinet.com
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs - Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. The 3AM ransomware gang's activity was first ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)