
Russian APT (Advanced Persistent Threat) groups, Sandworm in particular, continue their attacks

ESET has published its latest APT activity report, which covers the period from September to December 2022 (the third quarter of 2022).

Russian-aligned APT groups have been particularly involved in operations targeting Ukraine, deploying destructive wipers such as NikoWiper. Sandworm launched its wipers concurrently with missile strikes by Russia's armed forces targeting energy infrastructure. Although ESET is unable to demonstrate a connection between these events, the company suggests that Sandworm and Russian military forces have related objectives.


  • Russian APT groups attacked Ukraine using ransomware (Prestige, RansomBoggs).

  • In addition to Sandworm, other Russian APT groups – Callisto and Gamaredon in particular – continued their targeted phishing campaigns against this Eastern European country.

  • Pro-China groups, Goblin Panda in particular, have begun to replicate Mustang Panda interests in European countries.

  • Iran-aligned groups continued to operate on a large scale.


ESET Research today publishes its latest Advanced Persistent Threat (APT) Activity Report, which summarizes findings regarding selected APT groups that were monitored, investigated and analyzed by ESET researchers between September and the end of December (Q3) 2022. During this period, Russian-aligned APT groups took part in operations targeting Ukraine, deploying destructive wipers and ransomware. Goblin Panda, a group aligned with China's positions, has begun to replicate Mustang Panda's interests in European countries. Iran-aligned groups have also continued to operate on a large scale.


In Ukraine, ESET discovered that the notorious Sandworm group had used a previously unknown wiper against an energy company. APT groups are usually run by nation-state or state-sponsored actors; the attack in question took place in October, when the Russian armed forces fired missiles at energy infrastructure. Although ESET is unable to demonstrate that these events were coordinated, the company suggests that Sandworm and Russian military forces have related objectives.


The most recent wiper in a series of previously discovered wipers has been dubbed NikoWiper by ESET. This wiper was used against an energy company in Ukraine in October 2022. NikoWiper is based on SDelete, a Microsoft command-line utility used to securely delete files.


In addition to malware that deletes data, ESET discovered that Sandworm used ransomware as a wiper in its attacks: despite the use of ransomware, the end goal was the same as when wipers were used, i.e. data destruction. Unlike typical ransomware operators, Sandworm does not intend to provide a decryption key.


In October 2022, ESET detected the use of Prestige ransomware against logistics companies in Ukraine and Poland. And in November 2022, ESET detected new ransomware in Ukraine developed in .NET, which we called RansomBoggs. ESET Research made this campaign public on its Twitter account. In addition to Sandworm, other Russian APT groups such as Callisto and Gamaredon continued their targeted phishing campaign against Ukraine to steal access data and plant malware.


ESET researchers also uncovered a targeted phishing campaign by MirrorFace against political entities in Japan, and found that some China-aligned groups had gradually shifted the types of targets they pursue; Goblin Panda, for example, began to serve the interests of Mustang Panda in European countries. Last November, ESET discovered a new backdoor developed by Goblin Panda, which we have dubbed TurboSlate, within a government organization in the European Union. Mustang Panda also continued to target European organizations; last September we identified a Korplug loader that Mustang Panda used against a Swiss organization in the energy and engineering sector.


Pro-Iran groups also continued their attacks; in addition to Israeli companies, POLONIUM has begun targeting foreign affiliates of Israeli companies, and MuddyWater is likely responsible for compromising a managed security service provider.


Groups aligned with North Korea's positions have used old exploits to compromise cryptocurrency exchanges and businesses in various parts of the world. Interestingly, the Konni group has expanded the range of languages used in its decoy documents to include English, which could indicate a shift away from its usual targets, Russia and South Korea.


For more technical information, you can read the full "ESET APT activity report" on WeLiveSecurity. Be sure to follow ESET Research on Twitter for the latest news from ESET Research.


ESET's APT activity reports contain only a small fraction of the Cyber Threat intelligence data available to customers through ESET's private APT reports. ESET produces detailed technical reports and regular updates on the activities of selected APT groups in the form of PREMIUM reports to help organizations responsible for protecting citizens, critical national infrastructure and high-value assets to fight against criminal and state/nation directed cyberattacks. For more information on PREMIUM APT reports, which contain valuable strategic, actionable and tactical information on cyber threats, please visit this link: ESET Threat Data.
