Thursday, November 7, 2024

ESET APT Activity Report Q2–Q3 2023

ESET APT Activity Report Q2–Q3 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. In the monitored timespan, we observed a notable strategy of APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations. Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations in Ukraine, Europe, and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to government organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.

Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests this threat actor may be serving as an access development team for a more advanced group.

The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper, and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information or at least some Telegram-related metadata, Sandworm actively uses this service for active measure purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.

North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, using carefully crafted spearphishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms. Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another government organization in the EU.

Malicious activities described in ESET APT Activity Report Q2–Q3 2023 are detected by ESET products; the shared intelligence is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers.

Countries, regions, and verticals affected by the APT groups described in this report include:
