ESET Research has published its latest APT Activity Report, covering the activities of selected advanced persistent threat (APT) groups recorded by ESET researchers from April 2024 to the end of September 2024. ESET observed that the China-aligned MirrorFace group has expanded its operations, attacking more targets and new types of targets. The group, which usually focuses on organizations in Japan, was seen targeting a diplomatic organization in the European Union for the first time; Japan nonetheless remains its main priority.
Additionally, China-linked APT groups are increasingly relying on the open source SoftEther VPN to gain access to victims' networks. ESET researchers also observed indications that Iran-linked groups may be leveraging cyber capabilities to support spying on diplomatic missions and, potentially, cyber-attacks.
“Regarding China-linked threat groups, we detected extensive use of SoftEther VPN by the Flax Typhoon group, observed the Webworm group using SoftEther VPN Bridge on machines belonging to government organizations in the EU, and observed the GALLIUM group deploying SoftEther VPN servers to telecom operators in Africa,” says Jean-Ian Boutin, Director of Threat Research at ESET. “For the first time, we noticed that the MirrorFace group targeted a diplomatic organization within the EU, an area that remains a focal point for various threat actors close to China, North Korea and Russia. Many of these groups are particularly focused on government agencies and the defense sector,” he added.
Iran-linked groups, for their part, compromised several financial services companies in Africa, a continent of geopolitical importance to Iran; conducted cyber espionage against Iraq and Azerbaijan, neighboring countries with which Iran has complex relations; and stepped up their attacks on Israel's transport sector. Despite this seemingly narrow geographic focus, groups close to Iran continued to target diplomatic missions in France and educational institutions in the United States.
Threat actors linked to North Korea continued their drive to steal funds, cryptocurrencies as well as traditional currencies. ESET saw these groups keep up their attacks on defense and aerospace companies in Europe and the US, while also targeting cryptocurrency developers, think tanks and NGOs. One such group, Kimsuky, began abusing Microsoft Management Console (MMC) files, which system administrators normally use to save console layouts but which can be made to execute arbitrary Windows commands. In addition, various North Korea-linked groups frequently abused popular cloud-based services.
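Saved MMC consoles (.msc files) are XML documents, so a defender can triage them without opening them in mmc.exe. The script below is an added example written for this page; it is not ESET's code and does not reproduce whatever Kimsuky's files contained. The sample .msc content and the keyword list are constructed assumptions: the heuristic simply walks every element text and attribute value in the console file and flags anything that looks like a command line or script URI, which is where a console that "executes commands" has to carry its payload.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a saved MMC console. Real .msc files are XML with an
# MMC_ConsoleFile root and a string table; the command-looking entry below is
# a hypothetical example for this script, not an indicator from the report.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSD">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
        <String ID="3" Refs="1">cmd.exe /c powershell -enc SQBFAFgA</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# A benign console for comparison (constructed).
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSD">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Services (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

# Assumed heuristic: tokens that have no business inside a console layout.
# Tune this list for your environment; it is a starting point, not a signature.
SUSPICIOUS = re.compile(
    r"(?i)(javascript:|vbscript:|cmd\.exe|powershell|mshta|rundll32|"
    r"wscript|cscript|regsvr32|certutil|-enc(odedcommand)?\b|\.hta\b|\.vbs\b)"
)


def scan_msc(xml_text):
    """Return a list of (location, value) pairs for suspicious strings.

    Raises ValueError if the document is not an MMC console file.
    Note: xml.etree is not hardened against entity-expansion attacks;
    when scanning files from untrusted sources, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        raise ValueError(f"not an MMC console file (root element {root.tag!r})")

    hits = []

    def walk(elem, path):
        # Attribute values can carry payloads just as element text can.
        for name, value in elem.attrib.items():
            if value and SUSPICIOUS.search(value):
                hits.append((f"{path}/@{name}", value))
        if elem.text and SUSPICIOUS.search(elem.text):
            hits.append((path, elem.text.strip()))
        for index, child in enumerate(elem):
            walk(child, f"{path}/{child.tag}[{index}]")

    walk(root, root.tag)
    return hits


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MSC), ("benign", BENIGN_MSC)):
        findings = scan_msc(doc)
        print(f"{label}: {len(findings)} suspicious string(s)")
        for location, value in findings:
            print(f"  {location}: {value}")
```

Run over a directory of .msc attachments the same walker can be pointed at each file's contents; anything that matches warrants opening the file in a text editor, never in mmc.exe, before deciding whether it is a legitimate admin console.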
Finally, ESET Research identified Russia-linked cyber espionage groups targeting webmail servers such as Roundcube and Zimbra, typically with spearphishing emails that trigger known XSS vulnerabilities. In addition to Sednit targeting government, education and defense organizations internationally, ESET identified another Russia-linked group, GreenCube, that steals emails via XSS vulnerabilities in Roundcube. Other groups close to Russia continued to focus on Ukraine: Gamaredon ran extensive spearphishing campaigns while retooling to abuse the messaging apps Telegram and Signal, and the Sandworm group deployed a new Windows backdoor called WrongSens. ESET also analyzed the public data breach and leak at the Polish Anti-Doping Agency, which was likely compromised by an initial access broker who then shared access with the Belarus-linked FrostyNeighbor APT group, a group behind disinformation campaigns against NATO.
In Asia, ESET observed that campaigns continued to focus primarily on government agencies. The report also noted an increased emphasis on the education sector, targeting researchers and academics on the Korean peninsula and in Southeast Asia. This shift was driven by threat actors aligned with the interests of China and North Korea. Lazarus, one of the North Korea-linked groups, continued to attack entities in the financial and technology sectors internationally. In the Middle East, several Iran-linked APT groups continued to attack government organizations, with Israel the most affected country.
Over the past two decades, Africa has become an important geopolitical partner for China, and ESET has seen China-linked groups expand their operations on the continent. In Ukraine, Russia-linked groups remained the most active, heavily targeting state agencies, the defense sector and essential services such as energy, water and heating.
The activities highlighted are representative of the broader threat landscape that ESET investigated during this period. The information presented in the report is based mainly on ESET's proprietary telemetry data. The underlying threat intelligence analyses, known as ESET APT Reports PREMIUM, help organizations tasked with protecting citizens, critical national infrastructure and high-value assets against cyberattacks directed by criminals and nation-states. More information about ESET APT Reports PREMIUM and the strategic, tactical and actionable cyber threat intelligence they provide is available at ESET Threat Intelligence.
The full APT Activity Report is available on ESET's blog, WeLiveSecurity.