By Masahiro Yamada
The raging COVID-19 pandemic has revealed many active fault lines among nation states and segments of society. We have observed the tirades between the US and China, India and Pakistan, and other divisions that push for national supremacy, not just in the conventional news media but also in the underground forums across the dark web. Beyond the usual trading of illicit goods and services, the chatter of hacker groups has grown louder over the course of the pandemic crisis, and one key observation stands out from the noise.
Suspected state-sponsored or affiliated groups are joining forces to amass greater firepower in their covert cyber criminal activities. These groups recognize the immense potential of partnership and the richer rewards that come with the ability to reach a wider base of potential victims. By enlarging their malware distribution networks and synchronizing their mega-phishing campaigns, they multiply their ability to inflict pain on enemy states.
The impact of collaboration is the increased velocity and effectiveness of cyberattacks against businesses and corporations; for example, the combined groups optimize their resources by sharing information on vulnerabilities of Internet-facing servers, appliances, and devices. By doing so, they circumvent the tedious process of port scanning, framework and application identification – the ‘prep work’ needed before malware infiltration – and move quickly toward reconnaissance and exploitation.
In March and April 2020, we observed signals on the dark web showing this hacker teamwork in action.
Campaign: VISION2025
Original operation: MISSION2025 (APT41)
Possible Joint-operations Codename: Stone Panda (APT10)
Target: Manufacturing companies in the US, UK, France, Italy, and Japan
Motivation: Exfiltrate supply chain and third-party information, PII, and logistics software architecture and design to cause brand and reputation damage
Potential TTPs: Vulnerability exploits, open proxy usage, TOR nodes, commodity malware.
Method: Launch a reconnaissance campaign to collect vulnerable targets, then gain access to them using a custom-built exploit. The focus is on taking over administrative accounts using specialized malware implants.
Campaign: 醒来 (Wakeup)
Original operation: MISSION2025 (APT41) and Gothic Panda (APT3)
Possible Joint-operations Codename: Stone Panda (APT10)
Target: B2C e-commerce companies, transportation, logistics, and research companies
Motivation: Exfiltrate supply chain and third-party information, PII, and logistics and delivery software architecture and design to cause brand and reputation damage
Potential TTPs: Vulnerability exploits, open proxy usage, unsigned fake applications, commodity malware.
Method: Launch a reconnaissance campaign to collect vulnerable targets, then gain access to them using a custom-built exploit. The focus is on taking over administrative accounts using specialized malware implants.
Campaign: 열한 일족 (Eleven Clan)
Original operation: Lazarus Group (APT38, Hidden Cobra)
Possible Joint-operations Codename: Reaper (APT37)
Target: Communication technology companies, postal departments, cargo companies and telecommunication companies
Motivation: Exfiltration of personal, customer information, payment details and consignment information
Potential TTPs: SSH brute force, open proxy usage, phishing domains, Android spyware, commodity malware.
Method: Use of data-exfiltration malware that exploits web and operating system vulnerabilities to extract databases.
Campaign: просветление (Enlightenment)
Original operation: Fancy Bear (APT28)
Possible Joint-operations Codename: Turla
Target: Large energy, power, infrastructure, chemical and manufacturing industries
Motivation: Brand and reputation damage and/or financial gain
Potential TTPs: IoT bot infrastructure, open proxy usage, TOR nodes.
Method: Malware and Trojan implants.
The sudden onset of the pandemic crisis has caught many governments and businesses off guard. The usual business continuity and SOP (standard operating procedure) methodology was not designed for a disaster of such massive scale. When hundreds of millions of workers have to switch to working from home, networks, systems, business applications and even laptops and PCs present an unprecedented challenge to IT departments all over the world.
Cybersecurity leaders are struggling to enforce previously designed policies around software upgrades, the patching process, identity and access management, and many others. Delays in any of these fundamental security operations expose businesses to many known and unknown threats. With their defense capabilities weakened, these businesses are vulnerable to state actors who are using jointly developed cyber-weapons to build an initial foothold before extending their cyber-espionage as the pandemic crisis persists.
To survive the COVID-19 upheaval, organizations cannot continue in their state of inertia; they should swiftly adopt an agile and dynamic cybersecurity strategy to understand their threat landscape holistically. By incorporating cyber-intelligence, businesses can minimize and overcome the cyber risk presented by the arrival of the pandemic.