Asia has become a major field of play for a growing number of advanced persistent threat (APT) operations run by a mix of well-known and new bad actors, according to threat researchers with Kaspersky Lab.
The attacks in the region, the continued rise of threats directed at network devices, such as VPNFilter, and the return of high-profile cybercriminals -- particularly in Asia -- were among the key findings in the cybersecurity vendor's recently released second-quarter trends report.
The meeting between the leaders of the US and North Korea and similar high-profile situations and the makeup of various nation-state groups in the region most likely played roles in the APT activity in Asia, according to Vicente Diaz, principal security researcher for Kaspersky's Global Research and Analysis Team.
"It is difficult for us to know, but I believe that most of the activity is related to a high number of relevant geopolitical events that happened in the region, especially related to the new position of North Korea and several bilateral talks between countries," Diaz told Security Now in an email. "This also might be related to how some of these nation-state actors act, having several subgroups coordinated instead of a single one who takes care of all the cyberespionage, which produces several small groups instead of a single larger campaign."
The researchers pointed to such known groups as Lazarus and Scarcruft -- both believed to have links to North Korea -- as being particularly active actors in the region -- and noted a Russian-speaking group called Turla that used an implant called LightNeuron to target victims in Central Asia and the Middle East.
"Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor," the Kaspersky researchers wrote on a post on the company's SecureList site. "One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME."
APTs new and old
Among the APTs noted by Kaspersky was an effort by the Lazarus splinter group BlueNoroff to target financial institutions in Turkey -- as part of a larger cyberespionage campaign -- and casinos in Latin America. Researchers also saw Scarcruft using Android malware and using a backdoor called PoorWeb in another operation. There also was the return of the bad actors behind Olympic Destroyer, the malware that hit the opening of the Winter Olympics in South Korea. An operation targeting organizations in Europe involved in protecting against chemical and biological attacks use tools and spear-phishing documents similar to Olympic Destroyer campaign. (See Olympic Destroyer Returns With Attacks in Europe.)
There were other notable returns, such as WhiteWhale, a threat actor that has been relatively low-profile since 2016 that apparently is behind a new campaign discovered in April that include the distribution of Taidoor and Yalink malware families, primarily aiming at Japanese victims.
Diaz noted that there could be numerous reasons why such a group may appear to be relatively inactive for a period of time, only to resurface later. They may have been active but undetected or it may be difficult linking particular groups to certain activities. They also could be spending those downtimes to regroup.
"It is also true that these actors need to evolve from time to time, working with new tools and techniques," he wrote. "Sometimes we observe old artifacts being reworked (like with Kimsuky), but other groups and newcomers just decide to start in this business with a simple approach where only a few customized droppers and generally available tools for lateral movement are required."
It also highlights different approaches by different groups.
Economically speaking, it makes sense for groups to use tools that are freely available rather than more expensive ones. At the same time, Kaspersky sees that more advanced bad actors "have all the zero-days they need in their pocket and are ready to burn them when necessary," Diaz said.
The researchers found the VPNFilter campaign was the most notable operation during the second quarter, which infected more than 500,000 domestic routers around the world. The campaign, which the FBI attributed to the Sofacy and Sandworm APT groups, highlights the threats to networks that Kaspersky analysts said they have been warning about. (See Talos: VPNFilter Malware Still Stands at the Ready.)
"Networking hardware... has always been vulnerable to some degree," Diaz added. "Since Regin, we have seen examples of nation-state actors targeting such devices. The problem is that it is difficult to find the malware inside given that networking devices are traditionally poorly monitored. One of the main problems is the lack of updates and the poor configuration of such devices (many times using default passwords)."
It's been relatively easy to infect networks "with huge IoT botnets in the past and it is natural that several actors start developing their artifacts to target such devices," he said. "I'm confident we will see many more examples in the future."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.