Key Intelligence Signals:
Suspected Threat Actors: Kimsuky
Researchers have recently spotted the North Korean espionage-focused threat actor group Kimsuky leveraging three different Android malware strains, namely FastFire, FastViewer, and FastSpy, to target users located in South Korea. According to the researchers, FastFire and FastViewer impersonate a “Google security plugin” and “Hancom Office Viewer” respectively, while FastSpy is a RAT based on AndroSpy.
The FastFire malware is considered to be currently under development by the Kimsuky threat actor group. Instead of receiving directions from a Command & Control (C2) server over HTTP/S in the traditional manner, it makes use of Firebase, an application development platform by Google.
FastViewer is capable of reading the Hangul document format (.hwp) used in Korea and can download additional malware after stealing data from an infected device.
The FastSpy malware is downloaded by the FastViewer malware and receives its commands over TCP/IP from the attacker’s server. FastSpy is based on the code of AndroSpy, an open-source RAT.
The Kimsuky threat actor group is believed to be tasked by the North Korean regime with a global intelligence-gathering mission and targets individuals and private organizations in the US, Japan, and South Korea. In August of this year, the threat actor group was linked to a set of malicious activities against South Korean politicians and diplomats using a previously undocumented malware dubbed GoldDragon.
Researchers highlight that the use of Firebase as C2 is one of the group’s advanced tactics. The Kimsuky threat actor group is advancing its strategy to target mobile users with sophisticated attacks.
The US Department of Justice has announced the unsealing of three cases against 13 Chinese nationals, including ten Chinese intelligence officers. One case revolves around a Chinese front organization, posing as a legitimate think tank, that had allegedly been engaged in the theft of American intellectual property and in the suppression of free speech in cases and situations it assessed as opposing the image of China painted by the communist government. Four individuals were charged in this case. Another case involves charges against two Chinese intelligence officers who allegedly bribed a US citizen believed to be in a position to reveal sensitive information about the US prosecution of an unnamed Chinese telecom company. The DOJ has not identified the company in question; however, the company is very likely to be Chinese 5G champion Huawei. In the last case, seven individuals were indicted. The case revolves around China’s Operation Fox Hunt, a long-running program of forcible repatriation of Chinese nationals who have emigrated to other countries and who are regarded as a threat to the reputation or security of the communist government in Beijing. The targeted dissidents and their family members were allegedly subjected to physical intimidation, frivolous lawsuits, threats, and other harassment. All three cases came to light as an embarrassment during the CCP’s 20th congress and are likely to be met with a counteroffensive in cyberspace targeting sensitive industries and the American midterm elections.
Norway has recently replaced Russia as Europe’s main source of natural gas, and military experts suspect Russia is now surveying Norwegian gas and oil infrastructure for potential attack vectors. In recent weeks, many Norwegian energy installations have been probed by drones, and several Russian citizens have already been arrested for the illegal operation of unmanned aircraft over Norwegian oil rigs, natural gas plants, and pipelines. Norwegian authorities list espionage, sabotage, and intimidation as possible motives for the drone flights.
After the Nord Stream pipeline sabotage, Norway is seeking to improve the physical security of its North Sea oil and gas production operations and has openly named Russia as the top threat in the industry. The government in Oslo is also concerned about the risk of a Russian cyberattack against its oil and gas sector. The energy industry in Europe and at large should be in a state of high vigilance against cyberattacks in the coming months.
Tata Power Impacted by Hive Ransomware
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Tata Power (www[.]tatapower[.]com), the largest power generation company in India, being impacted by the Hive ransomware group. The ransomware group claimed Tata Power as one of its victims by posting the update on its dedicated leak site on 24 October 2022. According to the claim, the encryption took place on 3 October 2022. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated, including employees’ email addresses, home addresses, passport details, phone numbers, payment details, taxpayer information, etc. An unknown amount of this data has been made available for download by anyone.