Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyber-Espionage. Show all posts

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."

A US Cyber Team's Perspective on US Military Cyber Defense of Ukraine

 


Despite analysts' numerous predictions, Russia could not destroy Ukraine's computer systems in this year's invasion with a massive cyber-attack. This may be because an unknown US military branch hunts down rivals online to enforce their interests. To cover these global missions, the BBC was granted exclusive access to the cyber-operators who carried them out. 

The US military landed in Ukraine in December last year on a recon mission led by a young major who led a small team. There were plans to deploy more troops ahead of this deployment. 

On Thursday, the Ukrainian government's premier counterintelligence and law enforcement agency revealed the real identities of five individuals allegedly involved in cyber-espionage activities attributed to the Gamaredon cyber-espionage group. According to the agency, these members are connected to the Russian Federal Security Service (FSB). 

It has been apparent in recent months that Gamaredon is very active in the threat actor community. When you open Twitter and type in #Gamaredon, you'll find several tweets a week with updated information on the IOC and samples it has created. 

Gamaredon Group is another advanced persistent threat (APT) group targeting the Ukrainian government today. It is also known as Shuckworm, Iron Tilden, Primitive Bear, Winter Flounder, and Accinium. 

A common attack tool is phishing emails with attachments of Microsoft Office documents. These emails can be used to gain access to the victim's system through initial attacks using phishing emails. 

In recent months, there have been reports of Russian troops amassing along the Ukrainian border, raising fears of war breaking out. As much as Russia denies any plans to invade, it demands sweeping security guarantees, including a guarantee that NATO will never admit the Ukrainians to NATO. 

The Ukrainian security services, who believed that the act of terrorism had been committed by officers of the Russian Federal Security Service from Crimea, publicly attributed the act of terrorism to Gamaredon in November. An online comment request was sent to the Russian Embassy in Washington regarding Gameredon; however, there was no immediate response from the Russian Embassy. 

A spokesperson for Ukraine's Security Service (SSU) said in a statement today that the hacker group had been depicted as "an FSB special project that specifically targeted Ukraine," at the same time confirming that many of the perpetrators of the hack were "Crimean FSB officers and traitors who defected to the enemy during the occupation of the peninsula in 2014." 

According to the country's authorities, over 1,500 government entities, public entities, and private enterprises have been targeted by actors in the past seven years in Ukraine. This group aims to gather intelligence, disrupt operations, and take control of critical infrastructure facilities to collect critical data. 

Between 2020 and the present, Malwarebytes has identified five operations that have taken place. They were victims of armed clashes between Russian-aligned individuals and Ukrainian citizens who had taken part in the discredited referendums called for by Moscow on September 2022. These referendums were called for in the Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia, and Kherson. In the Dnepropetrovsk, Lugansk, and Crimea regions, there has been a massive outbreak of infections in state, agricultural, and transportation ministries. 

Ukrainian intelligence agencies track Armageddon, a threat group that launched the attacks, as responsible for the attacks. While it is known by the names Gamaredon, Primitive Bear, Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, and Sector C08 in the cybersecurity community, it operates by many other names as well. 

Several campaigns in eastern Ukraine involved Malwarebyte attackers exfiltrating snapshots, USB flash drives, keyboard strokes, and microphone recordings, depending on the campaign. 

On Wednesday, Anne Neuberger, a White House cyber official, said Russia could destabilize and invade Ukraine using cyberattacks. 

In early 2013, it appeared that Russia had sponsored the Gamaredon Group, which is a misspelled anagram of the word "armageddon" and has been sporadically perpetrating cyberattacks on Ukrainian military, government, and non-profit organizations since then. 

Threat actors leverage legitimate Microsoft® Office documents to inject remote templates into legitimate Microsoft® Office documents. The technique works even when Microsoft® Word security features have been turned on. There is a way to bypass Microsoft Word macro protections, which are designed to prevent attackers from compromising sensitive systems with malware, infecting them with the infection, accessing the data, and then spreading the infection to other systems.