Cyberwarfare on the Internet. The ESET Report

illustration: bing.com/create

Threats from the Middle East: Iran Strikes After Hamas Attack

In October 2023, following Hamas`s attack on Israel, the activity of Iranian cyber threat groups surged dramatically. As ESET specialists note, there has been a shift in the strategy of these groups - from cyber espionage and ransomware to more destructive actions, such as access brokering and wiper attacks aimed at destroying data. MuddyWater and Agrius, two of the most well-known groups linked to Iran, conducted a series of attacks targeting various sectors, including communications, government, and finance.

• Agrius`s attack on the Israeli communication sector: In November 2023, Agrius used an advanced BIOS wiper, leading to the paralysis of systems in many Israeli companies. Modified versions of the Red Petya tool, previously used in other sabotage operations, were employed in these attacks.

ESET notes that while these operations have become more aggressive, their effectiveness has decreased. The accelerated pace of activities has led to operational errors, such as the frequent use of the same tools and techniques, increasing the chances of detection.

North Korea: Not Just Spying, but Stealing Millions in Cryptocurrency

In the digital world, one of the most dangerous players remains North Korea. Its groups, such as Lazarus, continuously target the aerospace and defense sectors. However, they are increasingly focusing on operations against cryptocurrency firms. In 2023, according to ESET data, Lazarus and other North Korean groups stole cryptocurrencies worth up to a billion dollars. This is just a drop in the ocean of financial losses inflicted on companies worldwide.

• Lazarus`s Techniques: The North Korean group increasingly employs advanced attack techniques, such as supply-chain attacks, which involve injecting malicious code into official software updates.

Meanwhile, groups like ScarCruft and Konni focus on highly targeted phishing attacks that enable them to gain access to government networks in South Korea and Russia. In one attack, Konni used a trojanized installer to infiltrate the computers of employees at the Russian embassy.

China: Masters of Exploitation

Chinese APT groups are not slowing down and continue to exploit vulnerabilities in publicly available applications. Mustang Panda, one of the best-known Chinese groups, has concentrated its activities on the maritime transport sector, attacking companies in Europe. Their victims include companies from Norway, Greece, and the Netherlands, including vessels.

• DLL Hijacking Technique: Mustang Panda utilized a technique known as DLL hijacking to attack the computer systems of these companies. In this case, files with incorrect digital signatures were used, allowing them to take control of the victims` systems.

However, the biggest challenge facing cybersecurity specialists is the emergence of new Chinese APT groups. CeranaKeeper, a newly identified group, operates similarly to Mustang Panda but has its own unique toolkit. ESET is monitoring the activities of both groups, which seem to be using the same digital tool provider, suggesting potential technical collaboration.

Russian Cyberwarfare Continues: Europe and Ukraine in the Crosshairs

Russia remains one of the most active players on the digital battlefield. In recent months, groups linked to Russia, such as Gamaredon, have focused their efforts on intelligence attacks and sabotage operations targeting Ukraine. Russian groups are responsible for dozens of daily attacks on Ukrainian energy systems.

• Attack on Kyivstar: In December 2023, Sandworm launched an attack on one of Ukraine`s largest telecommunications operators – Kyivstar. This attack, which led to network outages, was publicized on pro-Russian Telegram channels.

Russian groups, such as Sednit, are also continuing intelligence operations in Europe, focusing on EU governmental institutions. In March 2024, Sednit conducted a series of phishing attacks exploiting vulnerabilities in Microsoft Outlook (CVE-2024-21413).

Dominant Techniques: Phishing, Ransomware, and Wipers

The ESET report clearly shows that APT groups continue to favor phishing techniques as a precursor to larger operations. In particular, spear phishing - attacks targeted at selected individuals or organizations - remains a favorite method for initial access.

• Phishing: Russian-linked groups, such as Sednit and Callisto, use spear phishing as the main attack vector. In one recent attack on European institutions, emails contained malicious links and attachments that, when opened, allowed attackers to take control of the victims` systems.

Additionally, in 2024, there has been an increase in attacks using wiper malware - malicious software that destroys data on the attacked systems. These destructive attacks have primarily occurred in the Middle East, where Iranian groups like MuddyWater and Agrius have targeted Israeli companies.

Target Sectors of APT Groups (October 2023 - March 2024):

Region	Sector	State-linked APT Groups
Europe	Government, Defense, Energy	Russia, China
Middle East	Telecommunications, Government	Iran, BladedFeline, POLONIUM
Asia	Aerospace, Cryptocurrency	North Korea (Lazarus)
The Americas	Government, Energy	China, Iran

Summary in Numbers

Iran

• 3 major attacks in Israel using wipers.
• 70% of attacks on the communication and government sector.

North Korea:

• Value of stolen cryptocurrencies in 2023: $600 million – $1 billion.
• 5 major phishing campaigns targeting the defense industry.

Russia:

• 12 daily attacks on Ukrainian energy infrastructure.
• 4 successful espionage operations in EU institutions.

The ESET report shows that the digital world is becoming increasingly dangerous, and cyber threats are evolving at an unprecedented pace. Both governments and companies must confront ever-more advanced adversaries that employ new techniques and tools.

The entire APT Activity Report is available at:
https://dagma.eu/storage/_common/blog/doc/APT_Activity_Report_Q4_2023-Q1_2024.pdf