State-sponsored Hacker Groups Expand Attack Mechanisms and Utilize Commodity Malware for Espionage  

By CYFIRMA Research

State-sponsored hacker groups have been active for the past couple of decades. These well-funded hacker groups work for governments to steal intellectual property, wreak havoc on essential services such as power grids, telecommunications and financial systems, and cause massive disruption to daily life. State-sponsored hackers also target commercial enterprises in their efforts to destabilize the economy and create social unrest. The more prominent state-sponsored hacks include the Sony Pictures cyberattack by North Korea’s Guardian of the Peace hacker group as a retaliation to the screening of ‘The Interview’ where North Korean leader, Kim Jung-Un, was portrayed in a negative light. Other prominent state-sponsored cyberattacks include the recent data breach at Mitsubishi Electric by suspected Chinese hackers, the campaign launched against Indian nuclear power plant to exfiltrate data by North Korean hackers as well as Iranian’s cyber espionage against Saudi Arabian oil companies.

All the attacks above carry a common theme – the hacker groups have deployed malicious software, which is sophisticated, modular and multi-faceted. The cyber-attackers could extract data, destroy data, and control important and sensitive operational technology and machinery. The malware was carefully designed and customized to create the intended damage.

Recent observations by CYFIRMA Research revealed a change in tempo and type of attack mechanisms amongst state-sponsored hacker groups. In Dec 2019, the company’s researchers captured multiple conversations in hackers’ communities discussing the launch of EMOTET campaigns. The hacker groups were all known to be state-affiliated and funded, and the attack mechanism of choice is simply commodity malware. As the name suggests, this sort of malware is designed from readily available tools which hackers can quickly re-jig and launch attacks. In the ensuing months, the number of state-sponsored attacks using commodity malware have continued to rise and following is a sample of campaigns observed:

March 2020

• Campaign: 동쪽의일어나는행동 (The Rising Action of The East)
  Suspected group: Lazarus Group or associated group
  Target: Retails and consumer goods industry
  Motivation: Data exfiltration and extortion
  Observed commodity malware: Agent Tesla and Mirai bot.
• Campaign: 现役军人11 (Active Army11)
  Suspected group: Stone Panda or associated group
  Target: Retail, supply chain transaction, ordering and invoicing systems, manufacturing, and product / IT companies.
  Motivation: Sensitive personal and financial data exfiltration.
  Observed commodity malware: Phorpiex and Emotet.
• Campaign: Unknown
  Suspected group: Fancy Bear or associated group
  Target: Retail and consumer good companies
  Motivation: Financial gain.
  Observed commodity malware: Emotet.

Feb 2020

• Campaign:모래종이(Sandpaper)
  Suspected group: Lazarus Group or associated group
  Target: Large imaging, printing, sharing technology companies, and their product globally.
  Motivation: Stealing of intellectual properties (IP), personal and customer information
  Observed commodity malware: Shlayer and Mirai bot.
• Campaign:紅色撲克10(Redpoker10)

Suspected group: Sone Panda, Gothic Panda, or associated group

Target: Manufacturing / chemical & rubber, product / IT, sporting, tire, retail, cosmetics, critical infrastructure.
Motivation: Sensitive data exfiltration / intellectual properties.
Observed commodity malware: Razy trojan.

• Campaign:颜料(Pigment)
  Suspected group: Stone Panda or associated group
  Target: Large global camera, imaging, productivity devices makers, chemical and iconic tech companies.
  Motivation: stealing of intellectual properties (IP) to promote local imagining/printing companies, causing brand damage.
  Observed commodity malware: Phorpiex.
• Campaign:金色平静(Golden Calm)
  Suspected group: A Chinese nation-sponsored hacking group
  Target: 8 global electrical and equipment manufacturing companies

Motivation: Stealing of supply/inventory information, customer information, brand/reputational damage to Japan
Observed commodity malware: Necurs Bot and Bashlite.

• Campaign:人类分裂(Mankind)
  Target: Large engineering companies, shipping and container technology, and electrical equipment-making companies, from Japan, Taiwan, USA

Motivation: Intellectual property and trade secret theft, reputational damage
Suspected group: Stone Panda or associated group
Observed commodity malware: Phorpiex, and Shade

Developing and emerging nations have also entered the fray, many trying to build cyber capabilities with limited know-how and skills. Utilizing readily available malware would provide easy entry into the world of cyber espionage. These emerging nations would leverage commodity malware for a start, and should they gain expertise over time, the attack mechanism may evolve to be just as sophisticated as the developed nations.

While the world tries to cope with the new players, the more mature state-sponsored actors have progressed to using deception techniques to create confusion. By leveraging on commodity malware, they are attempting to operate under the cloak of anonymity to avoid being identified as state-sponsored hacker groups. Commodity malware can, at times, fall outside the radar as security analysts deem them to be of low threat to the organization. When remediation actions are not taken immediately, hackers can install another malware for further intrusion. A simple commodity malware becomes a ‘Launch Pad’ and could result in a catastrophic outcome for the compromised organization.

The state-sponsored hacker groups have also started to collaborate, exchange information, and share attack mechanisms, as CYFIRMA Research has observed between Chinese Stone Panda and North Korean Lazarus hacker groups. By teaming to take down a common adversary, they increase efficiency and achieve their objective faster.

The accelerated pace which technology is progressing in the areas of artificial intelligence and machine learning as well as faster processing power of computer servers fuel the speed which malware can be replicated.

Despite the awareness of cybersecurity as a key domain in both government and business, the number of data breaches have not abated over time. In fact, the number of attacks and the cost of data breaches have been growing exponentially. Nation-state cyber conflicts are likely to escalate, and with it, collateral damage to commercial enterprises.

Our Recommended Remediation for Commodity Malware

To effectively prevent, detect, and respond to the malware attacks, we recommend the following actions:

• Minimize the duration between compromise and remediation:
  Since immediate remediation is often difficult for internet-facing servers, resolution time between initial compromise and resolution should be measured and evaluated as a performance factor of the organization security posture.
• Isolate compromised systems:
  If the complete remediation cannot be taken immediately, the compromised systems should be isolated neither from the Internet nor intranet until all investigation and remediation completed. In case that multiple compromised systems and investigation system requires network access to them, the isolated network, which is equal to air-gapped network having no connection to any other network, should be implemented during the investigation.
• Prioritize targeted attacks using commodity malware:
  Even if detected malware on an internet-facing server is commodity and not causing damage, investigate all related events and remediate as soon as possible. Similarly, if commodity malware attached to a spear-phishing email that is fully targeted to a specific user or department, investigate all related events and remediate immediately.
• Confirm no additional activity take by detected malware:
  Even if remediation actions are taken for commodity malware incidents immediately or automatically, make sure no additional activities that has not been taken care by the remediation actions. EDR, SIEM, and other behavior monitoring solutions should be utilized to confirm this.