ESET Research recently released their APT Activity Report for Q2 2024–Q3 2024, providing an overview of the activities of selected advanced persistent threat (APT) groups that were investigated and analyzed by their researchers during this period. The report highlights the key trends and developments in cybersecurity threats and offers insight into the operations of various APT groups.
One of the notable findings in the report is the expanded targeting by the China-aligned APT group MirrorFace. Traditionally focused on Japanese entities, MirrorFace went after a diplomatic organization in the European Union (EU) for the first time. Separately, several China-aligned groups, including Flax Typhoon, Webworm, and GALLIUM, used the open-source, multiplatform SoftEther VPN to maintain access to victims’ networks, relying on a legitimate product that blends in with ordinary administrative traffic rather than on a custom backdoor.
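Because SoftEther is a legitimate product, the persistence it provides is found by hunting for its artefacts rather than by antivirus signatures. The script below is an added example written for this page, not code from ESET or the report: it scans constructed Sysmon-style records for the stock SoftEther binary names, a renamed binary whose PE OriginalFileName still names SoftEther, its configuration file, its Windows service names, and listeners on the SoftEther-specific default ports. The record format, the exact OriginalFileName and service-name values, and the sample log lines are assumptions made for the example and should be validated against a real SoftEther install before use in production.

```python
"""Hunt for SoftEther VPN artefacts in endpoint telemetry.

Added example, not code from the ESET report. Records are one per line,
"key=value" tokens separated by spaces, with double quotes around values
that contain spaces. Field names, the OriginalFileName/service values and
the sample records below are assumptions made for this example.
"""
import re

SOFTETHER_IMAGES = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}
SOFTETHER_CONFIGS = {"vpn_server.config", "vpn_bridge.config", "vpn_client.config"}
SOFTETHER_SERVICES = {"sevpnserver", "sevpnbridge", "sevpnclient"}  # assumed service names
# 443 and 1194 are SoftEther defaults too, but far too common to hunt on alone.
SOFTETHER_PORTS = {992, 5555}

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn 'k=v k="v with spaces"' into a dict with lower-cased keys."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in TOKEN.finditer(line)}


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def softether_hits(line):
    """Return the list of reasons this record looks like SoftEther activity."""
    r = parse_record(line)
    reasons = []
    event = r.get("event", "").lower()
    if event == "process":
        image = basename(r.get("image", ""))
        original = r.get("originalfilename", "").lower()
        cmdline = r.get("commandline", "").lower()
        if image in SOFTETHER_IMAGES:
            reasons.append(f"SoftEther binary executed: {image}")
        elif original in SOFTETHER_IMAGES:
            # Renaming the file does not change the PE version resource.
            reasons.append(f"renamed SoftEther binary: {image} (OriginalFileName {original})")
        if any(cfg in cmdline for cfg in SOFTETHER_CONFIGS):
            reasons.append("SoftEther config file referenced on command line")
    elif event == "listen":
        port = int(r.get("port", "0"))
        if port in SOFTETHER_PORTS:
            reasons.append(f"listener on SoftEther default port {port} by {basename(r.get('image', ''))}")
    elif event == "service":
        if r.get("name", "").lower() in SOFTETHER_SERVICES:
            reasons.append(f"SoftEther service installed: {r['name']}")
    return reasons


def hunt(lines):
    """Return (line_index, reasons) for every record with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        reasons = softether_hits(line)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample telemetry: one benign host process, a stock SoftEther
# server, a renamed copy, its listener, an unrelated HTTPS listener and the
# service registration for the renamed copy.
SAMPLE_LOG = [
    'event=process image="C:\\Windows\\System32\\svchost.exe" originalfilename=svchost.exe commandline="svchost.exe -k netsvcs"',
    'event=process image="C:\\ProgramData\\vpnserver\\vpnserver.exe" originalfilename=vpnserver.exe commandline="vpnserver.exe /usermode"',
    'event=process image="C:\\Users\\Public\\update.exe" originalfilename=vpnserver.exe commandline="update.exe /usermode"',
    'event=listen image="C:\\Users\\Public\\update.exe" port=5555',
    'event=listen image="C:\\Windows\\System32\\svchost.exe" port=443',
    'event=service name=SEVPNSERVER path="C:\\Users\\Public\\update.exe"',
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(reasons))
```

The renamed-binary check is the one that matters most: an attacker who drops `vpnserver.exe` under another name defeats a plain image-name match, but the version resource survives the rename, and the port and service checks give independent corroboration when the process telemetry is missing.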
The report also sheds light on the activities of Iran-aligned APT groups, which appear to be leveraging their cyber capabilities to support diplomatic espionage and potentially kinetic operations. These groups targeted financial services firms in Africa, engaged in cyberespionage against countries like Iraq and Azerbaijan, and showed an increased interest in the transportation sector in Israel. Despite their specific geographical focus, Iran-aligned groups maintained a global presence by targeting diplomatic envoys in France and educational organizations in the United States.
North Korea-aligned threat actors continued to pursue the regime’s objectives, which include stealing funds to support weapons of mass destruction programs. These groups targeted defense and aerospace companies in Europe and the US, as well as cryptocurrency developers, think tanks, and NGOs. One group, Kimsuky, started abusing Microsoft Management Console files in their attacks, while others misused popular cloud-based services like Google Drive and Microsoft OneDrive. Notably, ScarCruft was identified as the first APT group to abuse Zoho cloud services in their malicious activities.
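The Microsoft Management Console abuse mentioned above can be triaged before the file reaches a user, because MMC 3.0 console (.msc) files are XML. The Python script below is an added example, not ESET's code and not a description of Kimsuky's specific files: it parses an .msc document and flags taskpad tasks that run command lines, plus URLs, script fragments, and DLL or LOLBin references anywhere in the element text or attributes. The two sample consoles are constructed for this example, and the element names (StringTable, ConsoleTaskpad, Task, CommandLine) approximate the MMC console schema rather than reproduce it exactly; treat them as assumptions and tune the heuristics against real consoles from your own estate.

```python
"""Heuristic triage of a Microsoft Management Console (.msc) file.

Added example, not ESET code. MMC 3.0 console files are XML, so a mail
gateway or sandbox can parse an .msc attachment and look for content that
a console sent to an end user has no reason to contain. Element names below
approximate the MMC schema and are assumptions; both sample consoles are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# (pattern, label) pairs applied to every element text and attribute value.
SUSPICIOUS = [
    (re.compile(r"https?://", re.I), "external URL"),
    (re.compile(r"javascript:|vbscript:|<script", re.I), "script fragment"),
    (re.compile(r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b", re.I),
     "LOLBin reference"),
    (re.compile(r"\.dll\b", re.I), "DLL path"),
]


def iter_values(root):
    """Yield (location, value) for every non-empty element text and attribute."""
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.tag, el.text.strip()
        for name, value in el.attrib.items():
            if value.strip():
                yield f"{el.tag}@{name}", value.strip()


def triage_msc(xml_text):
    """Return a list of (location, reason); an empty list means nothing flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file with an .msc extension that is not XML is itself worth a look.
        return [("parse", f"not well-formed XML: {exc}")]
    findings = []
    if root.tag != "MMC_ConsoleFile":
        findings.append(("root", f"unexpected root element {root.tag!r}"))
    # Taskpad tasks can launch an arbitrary command line when the user clicks them.
    for task in root.iter("Task"):
        if task.get("Type", "").lower() == "commandline":
            findings.append(("Task", "taskpad task runs a command line"))
    for where, value in iter_values(root):
        for pattern, label in SUSPICIOUS:
            if pattern.search(value):
                findings.append((where, f"{label}: {value[:80]}"))
    return findings


# Constructed sample: a console that only opens the local Services snap-in.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Services (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed sample: a console carrying a DLL path and a PowerShell taskpad task.
PHISH_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">C:\\Users\\Public\\stage.dll</String>
  </Strings></StringTable></StringTables>
  <ConsoleTaskpads><ConsoleTaskpad><Tasks>
    <Task Type="CommandLine" Name="Open document">
      <CommandLine Command="powershell.exe" Params="-w hidden -enc AAAA"/>
    </Task>
  </Tasks></ConsoleTaskpad></ConsoleTaskpads>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MSC), ("phish", PHISH_MSC)):
        print(label, triage_msc(doc) or "clean")
```

The point of parsing rather than grepping is that the check survives reformatting, unusual whitespace and XML entity encoding of the payload; a grep for `powershell` misses `&#112;owershell`, the parser does not.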
Russia-aligned cyberespionage groups were also active during this period, frequently targeting webmail servers with spearphishing emails that exploited known vulnerabilities in the webmail software. Groups like Sednit and GreenCube were observed stealing email messages through cross-site scripting (XSS) vulnerabilities in Roundcube, where the crafted message executes in the victim’s browser once it is opened in the vulnerable webmail client. Russia-aligned groups also maintained their focus on Ukraine, with Gamaredon conducting spearphishing campaigns and Sandworm using new malware such as WrongSens, LOADGRIP, and BIASBOAT. Operation Texonto, a disinformation and psychological operation aimed at demoralizing Ukrainians, was also detected during this period.
The report also highlights the activities of the South Korea-aligned APT-C-60 group, which exploited a remote code execution vulnerability in WPS Office for Windows. This attack underscores the ongoing threat posed by APT groups across the globe and the importance of patching widely deployed productivity software promptly.
Overall, the ESET APT Activity Report for Q2 2024–Q3 2024 provides valuable insights into the activities of APT groups and the evolving cybersecurity landscape. Customers of ESET’s private APT reports gain access to even more detailed intelligence data to protect against these threats. For more information, visit the ESET Threat Intelligence website and follow ESET Research on Twitter for regular updates on key trends and top threats.