Advanced Persistent Threat


NEWS 
  • Turla turns PowerShell into a weapon in attacks against EU diplomats

    May 30, 2019

    A cyberespionage group believed to be from Russia is once again striking political targets, and this time, PowerShell scripts have been weaponized to increase the power of their attacks. Turla, also known as Snake or Uroburos, has been active since at least 2008. The advanced persistent threat (APT) group was previously linked to a backdoor implanted in ...

  • New HiddenWasp malware found targeting Linux systems

    May 29, 2019

    Security researchers have found a new strain of Linux malware that appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems. Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. The malware has a similar structure to another recently-discovered ...

  • ScarCruft APT Adds Bluetooth Harvester to its Malware Bag of Tricks

    May 11, 2019

    The ScarCruft Korean-speaking APT is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information – while also showing some overlap with the DarkHotel APT. An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that in a campaign that continued over the course of 2018, the group used ...

  • North Korea debuts new Electricfish malware in Hidden Cobra campaigns

    May 10, 2019

    The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks. Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, a threat group believed to be state-sponsored and ...

  • Mysterious hacker has been selling Windows 0-days to APT groups for three years

    May 1, 2019

    For the past three years, a mysterious hacker has been selling Windows zero-days to at least three cyber-espionage groups, as well as cyber-crime gangs, researchers from Kaspersky Lab have told ZDNet. The hacker’s activity reinforces recent assessments that some government-backed cyber-espionage groups –also known as APTs (advanced persistent threats)– will regularly buy zero-day exploits from third-party entities, ...

  • APT trends report Q1 2019

    April 30, 2019

    For just under two years, the Global Research and Analysis Team (GReAT) at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. ...

  • I know what you did last summer, MuddyWater blending in the crowd

    April 29, 2019

    MuddyWater is an APT with a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and also a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan). MuddyWater first surfaced in 2017 and has been active continuously, targeting a large number of organizations. First stage infections ...

  • Source code of Iranian cyber-espionage tools leaked on Telegram

    April 17, 2019

    In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten. The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless. The tools have been ...

  • Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities

    April 16, 2019

    Each country’s hackers are unique, with their own codes of conduct, forums, motives and payment methods. Recorded Future’s Portuguese-speaking analysts, with a long-standing background in the Brazilian underground, have analyzed underground markets and forums tailored to the Brazilian Portuguese audience over the past decade and discovered a number of particularities in content hosted on forums, ...

  • Pharma Giant Bayer ‘Contains’ Cyber Attack

    April 4, 2019

    German firm detected hacker code and covertly monitored it for over a year, before clearing it from network Security officials at the German multinational pharmaceutical and life sciences giant Bayer AG seem to be on the ball after they detected and then contained a cyber attack. It is reported that the Winnti hacking group had gained access ...

  • Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.

    March 27, 2019

    Although heavily focused on the Middle East, Elfin (aka APT33) has also targeted a range of organizations in the U.S. including a number of major corporations. The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of ...

  • OceanLotus adopts public exploit code to abuse Microsoft Office software

    March 21, 2019

    The OceanLotus hacking group is back with a new campaign in 2019 complete with new exploits, decoys, and self-extracting malicious archives. Also known as APT32, SeaLotus, APT-C-00, and Cobalt Kitty, OceanLotus is a hacking group which operates across Asia and focuses on gathering valuable intel on corporate, government, and political entities across Vietnam, the Philippines, Laos, ...

  • The fourth horseman: CVE-2019-0797 vulnerability

    March 13, 2019

    The new zero-day in the Windows OS exploited in targeted attacks In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. ...

  • Researchers Link ‘Sharpshooter’ Cyber Attacks to North Korean Hackers

    March 4, 2019

    Security researchers have finally, with “high confidence,” linked a previously discovered global cyber espionage campaign targeting critical infrastructure around the world to a North Korean APT hacking group. Thanks to the new evidence collected by researchers after analyzing a command-and-control (C2) server involved in the espionage campaign and seized by law enforcement. Dubbed Operation Sharpshooter, the cyber espionage ...

  • Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks

    February 27, 2019

    The notorious Chinese-linked threat group, dubbed Bronze Union, has been spotted in a widespread 2018 campaign updating its arsenal of cyberweapons by breathing new life into old tools. The threat group was spotted in 2018 using updated source code to target data owned by political, technology, manufacturing and humanitarian organizations, researchers with the Dell Secureworks Counter ...

  • APT Adversaries Up the Ante on Speed, Target Telecom

    February 19, 2019

    Despite law-enforcement wins in the form of several high-profile arrests and indictments during 2018, nation-state adversaries have upped their games when it comes to speed. That’s according to CrowdStrike’s 2019 Global Threat Report, which found that when analyzing how long it takes to go from initial compromise to the attacker’s first lateral movement within the network, Russian-speaking APTs (such ...

  • North Korea Turns Against New Targets?!

    February 19, 2019

    Over the past few weeks, we have been monitoring suspicious activity directed against Russian-based companies that exposed a predator-prey relationship that we had not seen before. For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is ...

  • The APT Name Game: How Grim Threat Actors Get Goofy Monikers

    February 5, 2019

    What’s in a name? When it comes to advanced persistent threat groups, it is often quite a bit. While their monikers’ may seem whimsical – Fancy Bear, Nomadic Octopus, Ocean Lotus and Darkhotel – the reality is these are not arbitrary names. In fact, many are similar to schoolyard nicknames or a type of shorthand – ...

  • Chafer APT Takes Aim at Diplomats in Iran with Improved Custom Malware

    February 1, 2019

    The Remexi spyware has been improved and retooled. An Iran-linked APT known as Chafer has been targeting various entities based in Iran with an enhanced version of a custom malware. Meanwhile the victimology suggests the threat group is waging a cyber-espionage operation against diplomats there. Over the course of the autumn, analysts at Kaspersky Lab observed attackers ...

  • FBI Mapping ‘Joanap Malware’ Victims to Disrupt the North Korean Botnet

    January 31, 2019

    The United States Department of Justice (DoJ) announced Wednesday its effort to “map and further disrupt” a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap, the botnet is believed to be part of “Hidden Cobra“—an Advanced Persistent Threat (APT) actors’ group often known as ...