Advanced Persistent Threat


NEWS 
  • Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors

    October 11, 2021

    DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime ...

  • Microsoft: Russian state hackers behind 53% of attacks on US govt agencies

    October 8, 2021

    Microsoft says that Russian-sponsored hacking groups are increasingly targeting US government agencies, with roughly 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 coming from Russia. “Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely ...

  • Google warns 14,000 Gmail users targeted by Russian hackers

    October 7, 2021

    Google has warned about 14,000 of its users about being targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia. The campaign was detected in late September and accounts for a larger than usual batch of Government-Backed Attack notifications that Google sends to targeted users every month. Shane Huntley, who ...

  • BlackBerry ties malware campaign targeting victims in India to Chinese cyberespionage group

    October 5, 2021

    The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to Chinese cyberespionage group APT41, noting that the group has been taking advantage of Cobalt Strike activity using a bespoke Malleable C2 Profile that uses COVID-19 phishing lures to target victims in India. The team was able to link phishing ...

  • New APT ChamelGang Targets Russian Energy, Aviation Orgs

    October 1, 2021

    A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. ...

  • GhostEmperor: From ProxyLogon to kernel mode

    September 30, 2021

    While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over ...

  • DarkHalo after SolarWinds: the Tomiris connection

    September 29, 2021

    In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. It is believed that when FireEye ...

  • New advanced hacking group targets governments, engineers worldwide

    September 23, 2021

    A new hacking group targeting entities worldwide to spy on them has been unmasked by researchers. Dubbed FamousSparrow by ESET, on Thursday, the team said that the advanced persistent threat (APT) group — many of whom are state-sponsored — is a new entry to the cyberespionage space. Believed to have been active since at least 2019, the ...

  • Russian state hackers use new TinyTurla malware as secondary backdoor

    September 21, 2021

    Russian state-sponsored hackers known as the Turla APT group have been using new malware over the past year that acted as a secondary persistence method on compromised systems in the U.S., Germany, and Afghanistan. Named TinyTurla due to its limited functionality and uncomplicated coding style, the backdoor could also be used as a stealthy second-stage malware ...

  • An American Company Fears Its Windows Hacks Helped India Spy On China And Pakistan

    September 17, 2021

    Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed ...

  • APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

    September 16, 2021

    This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single ...

  • APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs

    September 13, 2021

    In 2019, Trend Micro researchers wrote a blog entry about a threat actor, likely based in Colombia, targeting entities in Colombia and other South American countries with spam emails. This threat actor is sometimes referred to as APT-C-36 or Blind Eagle. Since then, we have continued tracking this threat actor. In this blog entry, we ...

  • US Media, Retailers Targeted by New SparklingGoblin APT

    August 25, 2021

    An emerging international cybergang is broadening its targets to include North American media firms, universities and one computer retailer. The advanced persistent threat (APT) group is new, according to researchers who dubbed it SparklingGoblin. Also new is a novel backdoor technique, called SideWalk, used by the APT to penetrate cybersecurity defenses. SparklingGoblin, according to ESET researchers ...

  • APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign

    August 24, 2021

    Trend Micro researchers have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks. Earth Baku ...

  • The Next Disruptive ICS Attacker: An Advanced Persistent Threat (APT)?

    August 18, 2021

    No discussion on ICS attacks could be complete without talking about what some would call, ‘the elephant in the room.’ Critical infrastructure has always been a target for warfare, and modern ICS are no exception. Several high-profile ICS disruptions have in fact been attributed to malicious hackers working at the behest of a military or intelligence ...

  • Govt hackers impersonate HR employees to hit Israeli targets

    August 17, 2021

    Hackers associated with the Iranian government have focused attack efforts on IT and communication companies in Israel, likely in an attempt to pivot to their real targets. The campaigns have been attributed to the Iranian APT group known as Lyceum, Hexane, and Siamesekitten, running espionage campaigns since at least 2018. In multiple attacks detected in May and ...

  • Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military

    August 17, 2021

    While investigating the Confucius threat actor, we found a recent spear phishing campaign that utilizes Pegasus spyware-related lures to entice victims into opening a malicious document downloading a file stealer. The NSO Group’s spyware spurred a collaborative investigation that found that it was being used to target high-ranking individuals in 11 different countries. In this blog ...

  • ‘DeadRinger’ Targeted Exchange Servers Long Before Discovery

    August 4, 2021

    Threat actors linked to China exploited the notorious Microsoft Exchange ProxyLogon vulnerabilities long before they were publicly disclosed, in attacks against telecommunications companies aimed at stealing sensitive customer data and maintaining network persistence, researchers have found. Researchers from Cybereason have been tracking multiple cyberespionage campaigns – collectively dubbed “DeadRinger” – since 2017, reporting initially on findings ...

  • Here’s 30 servers Russian intelligence uses to fling malware at the West, beams RiskIQ

    July 30, 2021

    Details of 30 servers thought to be used by Russia’s SVR spy agency (aka APT29) as part of its ongoing campaigns to steal Western intellectual property were made public today by RiskIQ. Russia’s Foreign Intelligence Service “is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada,” ...

  • DOJ: SolarWinds hackers breached emails from 27 US Attorneys’ offices

    July 30, 2021

    The US Department of Justice says that the Microsoft Office 365 email accounts of employees at 27 US Attorneys’ offices were breached by the Russian Foreign Intelligence Service (SVR) during the SolarWinds global hacking spree. “The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020,” the DOJ said ...