The group maintains a large command and control server infrastructure located in more than 100 servers and 300 domains, including hosts in countries like the US, the UK, Panama, Costa Rica, Colombia, Germany and the Netherlands.
Its victims appear to be highly targeted, including (but not limited to) government and diplomatic institutions, telecoms, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, the media, transport, finance, and businesses working on encryption.
A group codenamed Carbanak had been wanted by international policing agencies for at least five years for stealing as much as $1 billion through a series of cyber heists and hacked ATM networks.
Europol in March 2018 believed it had fingered the ringleader for the notorious gang, still unnamed, arresting the figure in Alicante, Spain, after a joint international investigation.
Carbanak (also nicknamed Fin7) sent out highly targeted phishing campaigns – in other words, spear phishing – to trick bank employees into downloading malware. Since late 2013, the gang had used its own type of malware, Anunak and Carbanak, then later utilising a modified version of security testing software called Cobalt Strike, reports Fortune.
The first targets were mostly in Russia, but it then moved on to the USA, Germany, China, and Ukraine.
They targeted banks in more than 40 countries, effectively amounting to a one-gang cyber-heist crimewave. The modified Cobalt Strike tooling allowed Carbanak to steal as much as €10 million per heist.
Its ingenious ATM hacks allowed the group to instruct cash machines to dispense currency without anyone interacting with the terminal. The cash would then be picked up by mules, who transferred it via the SWIFT financial network into the attackers’ accounts.
FireEye noted that the group pointed its phishing campaign at the US Securities and Exchange Commission.
According to extensive research from American security vendor FireEye, a cyber espionage unit based in North Korea (Advanced Persistent Threat 37 – nicknamed Reaper) upped its operations in early 2018 and continues to engage in recon missions targeting nation states and state-adjacent organisations.
In 2017, the group targeted a Middle Eastern business that was working with North Korea on a joint project to expand telco services in the country. It also homed in on a Vietnamese trading company, and even on individuals working in Olympic organisations.
FireEye states that in addition to nation state-based espionage operations, it also targets defectors from the DPRK, suggesting that it is closely affiliated with the country.
‘Reaper’ attackers made use of vulnerabilities in the Hangul Word Processor, which is widely used in the RoK – South Korea. In addition, it had a cache of zero-days and used them in spear phishing and ‘web compromise operations’, according to FireEye.
The command and control infrastructure made use of compromised servers as well as cloud service providers to muddy attribution and avoid detection, and it also placed malware payloads on compromised but legitimate websites. Email accounts used to leverage attacks evolved from domains associated with South Korea to other providers like Gmail, and Russian services such as Yandex.
FireEye – whose report you can read here (PDF) – says it has assessed with “high confidence” that the group acts “in support of the North Korean government and is primarily based in North Korea”.
The researchers came to this conclusion for a number of different reasons, from who the group was targeting through to “probable links to a North Korean individual believed to be the developer of several of APT37’s proprietary malware families”.
Iron Tiger APT
The group nicknamed ‘Iron Tiger’ possibly emerged from a series of sophisticated and highly targeted attacks in the Asia Pacific region, focusing on politicians and government agencies in China, Hong Kong, the Philippines, and Tibet. It was said to have since pivoted towards targets in America, including US government contractors in aerospace, energy, intelligence, telecoms and nuclear.
A Trend Micro report suggested that the attacks originated from China because VPN servers used to launch the attacks were mostly based in the region, the file names and passwords used were Chinese, text resources and language ID in malware binaries were set to simplified Chinese, and Whois data pointed to domains registered to physical addresses in China.
The vendor also pointed the finger at a person called Guo Fei, a Shanghai resident, who it believed was instrumental to the group’s success.
BitDefender in February 2018 discovered variants of the Gh0st RAT trojan used in the Iron Tiger operation for new attacks first flagged in July 2017 – a customised piece of malware called PZChao, suggesting a potential return of the group that had been quiet for several years. A forensic analysis of that new variant is detailed in a whitepaper from the vendor, available for download here.
No list of advanced persistent threat groups would be complete without ‘Fancy Bear’, which was alleged to have played a major part in the hacking of the US Democratic National Committee in the run up to America’s elections (although this was disputed by ‘Guccifer 2.0’, who took credit).
The group, says CrowdStrike, has been on the scene since 2008 and has targeted all the usual sensitive sectors – defence, energy, government, and media – as well as dissidents. It is widely believed to be at the very least state sponsored, with vendors assessing Russia as the most likely sponsor.
It is able to run multiple operations concurrently and has created its own implant tools, as well as droppers, which are cross-platform and can be pointed at mobile devices too.
Fancy Bear was linked with attacks on the German parliament, as well as campaigns to hijack traffic inbound to a Nigerian government website.
The group had also developed malware to target Apple devices, which was capable of reading text messages and secretly recording audio – a useful espionage tool in any nation’s arsenal.
For the long list of prominent attacks and campaigns head over to the Wikipedia page here, where you can read about the attack on the Bundestag, and even an attempt to cripple Ukraine’s artillery.
(Reporting by Tamlin Magee, Computerworld UK)