Beyond Headlines & Borders: An Overview of Advanced Threats You Should Know

Published on Feb 6, 2024

Introduction

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors, often instruments of state power, are formidable adversaries.

Despite vast resources and advanced tools (some countries pour money into bolstering their cyber capabilities), these state-linked actors are not invincible. Like any threat actor, they rely on familiar tactics and exploitable patterns and, at times, look much like their less-equipped counterparts: the opportunistic actors that should be enemy #1 for most defenders.

*We'll avoid using "nation-state" within this post and opt for "state-linked" or "state-associated." If you're interested in the reasoning, I will point you to an excellent thread by @marasawr[1].

Why Does It Matter?

"Knowing is half the battle," as the old saying goes. But mere awareness falls short when it comes to cyber threats (sorry, G.I. Joe). Knowing why specific sectors are prioritized and what national policy objectives might drive the next move lets defenders anticipate threats and tailor their defenses accordingly.

This post provides a high-level overview of a handful of threat groups, some you may know and some you may not. The purpose is to motivate readers to move beyond awareness, perhaps by conducting additional research, which is what actually drives preparedness.

Who Are They?

Sea Turtle (Talos)

Aliases: Teal Kurma (PwC), UNC1326 (Mandiant/Google), Marbled Dust (Microsoft)

Suspected Origin: Turkey

Summary: First reported on by Talos, Sea Turtle has targeted government and public-sector organizations across Europe and the Middle East and North Africa (MENA), most notably the Kurdistan Workers' Party (PKK). Only a handful of public reports cover its campaigns (including recent articles by PwC and StrikeReady); the actors are believed to have been operating since 2017.

Motivations/Sectors Targeted: Sea Turtle focuses on information gathering and surveillance of entities significant to the Turkish government's interests, which guides its targeting. In addition to the areas mentioned above, operations have been detected against telecommunications providers, media organizations, and think tanks.

Malware Used: Sea Turtle initially relied on DNS hijacking[2] and account compromise for initial access rather than on implants. More recently, a reverse TCP shell named SnappyTCP[3], targeting Linux/Unix systems, has been observed in victim environments. Because DNS hijacking happens at the registrar or registry rather than on the victim's hosts, the practical defenses sit there too: registry lock, multi-factor authentication on registrar accounts, and monitoring of the zone's NS, A, and MX records for unexpected changes.
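The DNS hijacking described above leaves nothing on the victim's own servers, so the check a defender can actually run is a diff of what the authoritative name servers answer now against a known-good baseline. The Python below is an added example written for this post, not code from the original article and nothing Sea Turtle used; the zone, DNS operator and address prefixes are hypothetical documentation/TEST-NET values, and the observed answer sets are constructed rather than captured.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Records the zone owner expects to publish. Constructed baseline: the zone,
# DNS operator and prefix are hypothetical documentation/TEST-NET values.
BASELINE: dict[str, set[str]] = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"198.51.100.10"},
    "MX": {"mail.example.org."},
}
TRUSTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # space the owner controls
TRUSTED_NS_SUFFIXES = (".example-dns.net.",)  # the contracted DNS operator


@dataclass
class Finding:
    rtype: str
    severity: str  # high: points outside the owner's control; medium: baseline record gone; low: change inside the owner's own provider/space
    detail: str


def _severity(rtype: str, record: str) -> str:
    """Unexpected record still inside the owner's provider or address space -> low; anywhere else -> high."""
    if rtype == "NS" and record.endswith(TRUSTED_NS_SUFFIXES):
        return "low"
    if rtype == "A":
        try:
            addr = ipaddress.ip_address(record)
        except ValueError:
            return "high"  # an A record that is not an address is wrong either way
        if any(addr in net for net in TRUSTED_PREFIXES):
            return "low"
    return "high"


def check_zone(baseline, observed) -> list[Finding]:
    """Diff the records the authoritative servers answer now against the baseline.

    A registrar- or registry-level hijack tends to show up first as NS records
    swapped for name servers the owner never delegated to, then as A/MX records
    pointing at address space the owner does not control.
    """
    findings: list[Finding] = []
    for rtype, expected in baseline.items():
        seen = set(observed.get(rtype, ()))
        for rec in sorted(seen - expected):
            findings.append(Finding(rtype, _severity(rtype, rec), f"unexpected {rtype} record {rec}"))
        for rec in sorted(expected - seen):
            findings.append(Finding(rtype, "medium", f"baseline {rtype} record {rec} no longer served"))
    return findings


def hijack_suspected(findings: list[Finding]) -> bool:
    return any(f.severity == "high" for f in findings)


# Constructed answer sets standing in for what a run would get back from the
# zone's authoritative servers (or from the parent's delegation).
OBSERVED_NORMAL = {k: set(v) for k, v in BASELINE.items()}
OBSERVED_PROVIDER_ROTATION = {**OBSERVED_NORMAL, "NS": {"ns1.example-dns.net.", "ns3.example-dns.net."}}
OBSERVED_HIJACK = {
    "NS": {"ns1.attacker-dns.example.", "ns2.example-dns.net."},  # one NS replaced
    "A": {"203.0.113.5"},  # web host now outside the owner's prefix
    "MX": {"mail.example.org."},
}

if __name__ == "__main__":
    for label, obs in [("normal", OBSERVED_NORMAL), ("rotation", OBSERVED_PROVIDER_ROTATION), ("hijack", OBSERVED_HIJACK)]:
        fs = check_zone(BASELINE, obs)
        print(f"{label}: hijack_suspected={hijack_suspected(fs)}")
        for f in fs:
            print(f"  [{f.severity}] {f.detail}")
```

Point the real version at the zone's authoritative servers (or the parent zone's delegation), not at a recursive resolver that may still be caching the legitimate answers, and treat it as a tripwire rather than a control: registry lock and MFA on the registrar account are what stop this class of attack.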

DarkHotel (Kaspersky)

Aliases: Higaisa (Tencent), Fallout Team (CrowdStrike), Zigzag Hail (Microsoft)

Suspected Origin: South Korea

Summary: With probably one of the cooler names among the groups highlighted in this post, DarkHotel, believed to be based in South Korea, received its moniker from Kaspersky[4] for using hotel Wi-Fi to target its victims. Believed to have been active since 2009, these actors stay busy and seemingly have a campaign outed in a report at least once a year.

Motivations/Sectors Targeted: Initial campaigns by the group focused on business travelers (likely for surveillance or information gathering) and expanded to include research and development, political figures[5], governments, and the medical field, among others.

Malware Used: One of the more interesting tools attributed to DarkHotel was "Ramsay"[6], a toolkit built to collect documents from air-gapped networks. Researchers have also reported the group using Gh0st RAT and PlugX; although both are widely available, these tools have historically been associated with Chinese threat actors, a reminder that tooling alone is a weak basis for attribution.

ShroudedSnooper (Talos)

Aliases: N/A

Suspected Origin: Unknown

Summary: Not much is known about this group; the only publicly available reporting was released by Talos[7] just a few months before this post.

Motivations/Sectors Targeted: The report indicates that the group goes to great lengths to evade defenses by disguising its implants as components of legitimate security software. Its targeting of telecommunications companies in the Middle East points toward information theft, espionage, and possible surveillance of specific persons or groups.

Malware Used: ShroudedSnooper has used two backdoors, HTTPSnoop and PipeSnoop. Talos' report indicates that the group targets public-facing servers and that HTTPSnoop hides by registering URL patterns mimicking Microsoft Exchange Web Services with the Windows HTTP kernel driver (http.sys), so its traffic looks like legitimate Exchange requests and it never opens a listening port of its own. The practical consequence for defenders is that a port inventory will not reveal it; on internet-facing Windows hosts, review the URL prefixes registered with the HTTP service (for example, with netsh http show servicestate) and compare them against what the server's legitimate roles should be registering.

MuddyWater (Palo Alto)

Aliases: Seedworm (Symantec), Static Kitten (CrowdStrike), TA450 (Proofpoint), Mango Sandstorm (Microsoft)

Suspected Origin: Iran

Summary: Active since 2017 and believed to be associated with Iran's Ministry of Intelligence and Security (MOIS), MuddyWater has consistently targeted the Middle East, Africa, Asia, and Europe.

Motivations/Sectors Targeted: Espionage is the group's main objective. Victims include governments, private organizations, telecommunications companies, and critical infrastructure. Once on the objective, the actors focus on siphoning information, and keyloggers are deployed to steal credentials for follow-on attacks.

Malware Used: MuddyWater maintains a diverse toolkit to preserve access and move through victim networks quickly. Tools seen in recent and previous operations include MuddyC2Go[8], heavy use of custom scripts, Revsocks[9] (a reverse SOCKS5 tunnel), Koadic, LaZagne, and PowerSploit.
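Revsocks and similar tools speak SOCKS5 (RFC 1928) to carry an operator's traffic into the victim network, and the negotiation has a fixed, easily recognized shape. The Python below is an added example, not code from the original post or from the tool: it parses the client side of a SOCKS5 negotiation out of a reassembled TCP payload and pulls out the requested destination. The sample streams are constructed, and the host names and addresses in them are placeholders.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_NAMES = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}


def parse_greeting(data: bytes):
    """Client greeting (RFC 1928 s.3): VER | NMETHODS | METHODS[NMETHODS].
    Returns (methods, bytes_consumed), or None if this is not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2 : 2 + nmethods]), 2 + nmethods


def parse_request(data: bytes):
    """Client request (RFC 1928 s.4): VER | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT.
    Returns (cmd_name, host, port, bytes_consumed), or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4: 4 octets
        if len(data) < pos + 4:
            return None
        host, pos = str(ipaddress.IPv4Address(data[pos : pos + 4])), pos + 4
    elif atyp == 0x03:  # domain name: 1-byte length, then the name
        if len(data) < pos + 1 or len(data) < pos + 1 + data[pos]:
            return None
        ln = data[pos]
        host, pos = data[pos + 1 : pos + 1 + ln].decode("ascii", "replace"), pos + 1 + ln
    elif atyp == 0x04:  # IPv6: 16 octets
        if len(data) < pos + 16:
            return None
        host, pos = str(ipaddress.IPv6Address(data[pos : pos + 16])), pos + 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    (port,) = struct.unpack("!H", data[pos : pos + 2])  # network byte order
    return CMD_NAMES[cmd], host, port, pos + 2


def classify_client_stream(payload: bytes):
    """Classify the client->server half of a reassembled TCP stream.
    Returns a dict describing the SOCKS5 session, or None if it is not SOCKS5."""
    greeting = parse_greeting(payload)
    if greeting is None:
        return None
    methods, consumed = greeting
    info = {"auth_methods": [AUTH_NAMES.get(m, f"0x{m:02x}") for m in methods]}
    # With NO_AUTH the request follows the greeting directly in the client's
    # bytes. With USERNAME/PASSWORD an RFC 1929 sub-negotiation sits in between,
    # so the request will not parse here; the greeting alone still flags.
    req = parse_request(payload[consumed:])
    if req is not None:
        cmd, host, port, _ = req
        info.update({"cmd": cmd, "dst_host": host, "dst_port": port})
    return info


# Constructed client->server payloads, not real captures; names/addresses are placeholders.
SAMPLE_STREAMS = {
    "pivot_to_smb": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([16]) + b"intranet.example" + b"\x01\xbd",
    "pivot_to_rdp": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + b"\x0d\x3d",
    "plain_http": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}


def scan_streams(streams: dict) -> dict:
    """Return {name: info} for every stream whose client side negotiates SOCKS5."""
    return {name: info for name, payload in streams.items() if (info := classify_client_stream(payload)) is not None}


if __name__ == "__main__":
    for name, info in scan_streams(SAMPLE_STREAMS).items():
        print(name, info)
```

Two limits worth knowing before running this over real traffic: the tunnel's outer connection is usually TLS-wrapped (Revsocks supports that), so the framing is only visible on cleartext segments such as an internal pivot or a proxy listener an operator left exposed; and the destination is only recoverable after a NO_AUTH negotiation, since username/password authentication inserts an RFC 1929 exchange before the request.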

ScarCruft (Kaspersky)

Aliases: APT37 (Mandiant/Google), Ricochet Chollima (CrowdStrike), Ruby Sleet (Microsoft), InkySquid (Volexity)

Suspected Origin: North Korea

Summary: Active since 2012, the group, more commonly referred to as APT37, has primarily targeted its neighbors in South Korea but is also known to target Japan, Russia, China, and the Middle East.

Motivations/Sectors Targeted: Top priorities include espionage, information gathering, and surveilling those who oppose the regime. Media organizations, governments, think tanks, and even cybersecurity professionals have been targeted by ScarCruft.

Malware Used: Tools ScarCruft has been reported to use include RokRAT, Cobalt Strike, GoldBackdoor, and Konni, among many others.

Sidewinder (Kaspersky)

Aliases: Razor Tiger (CrowdStrike)

Suspected Origin: India

Summary: Sidewinder puts the "P" in APT. While the group has targeted several countries in Asia, Pakistan (specifically its military) has drawn most of its attention. Almost daily, domains impersonating some wing of the Pakistani armed forces, carrying registration characteristics linked to the group, are brought online for malware and phishing campaigns.

Motivations/Sectors Targeted: The group's primary focus appears to be intelligence gathering on the Pakistani government, media, and financial institutions. However, China, Nepal, and Afghanistan have also been targeted. The theft of sensitive information from its victims makes the group a formidable and persistent foe.

*If you're interested in hunting malicious infrastructure[10], this group is for you. While not the most advanced at building or hiding suspicious domains, its willingness to keep operating no matter how often its servers are outed on public platforms will keep defenders busy.

Malware Used: Initial access is typically gained through spear-phishing with malicious Office documents and shortcut (LNK) files. Tools used include Koadic and WarHawk.
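The note above on hunting this group's infrastructure comes down to scoring newly registered domains against a watchlist of the organizations being impersonated and pivoting on what the registrations have in common. The Python below is an added example, not code from the original post or from Group-IB's write-up, and its scoring rules are generic illustrative heuristics rather than the registration characteristics the post alludes to; the watchlist labels, name servers and WHOIS-style records are all constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 2, 6)  # fixed so the constructed sample data stays reproducible

# Hypothetical watchlist: registrable labels of organisations the hunter wants
# to protect, and themed keywords an impersonating domain tends to carry.
WATCHLIST_LABELS = {"navyexample", "armyexample", "defencenews"}
THEME_KEYWORDS = ("army", "navy", "airforce", "defence", "defense", "military", "ministry")
# Name servers already seen on infrastructure flagged in earlier hunts (hypothetical).
KNOWN_BAD_NS = {"ns1.cheap-dns.example", "ns2.cheap-dns.example"}

# Weights: a lookalike label is the strongest single signal; a shared name
# server is a pivot, not proof (weak on mass-market providers); recency and
# theme are tie-breakers.
W_LOOKALIKE, W_SHARED_NS, W_RECENT, W_THEME = 3, 2, 1, 1
RECENT_DAYS, MAX_EDIT_DISTANCE, MIN_TOKEN_LEN = 30, 2, 6


@dataclass
class DomainRecord:
    name: str
    created: date
    nameservers: tuple[str, ...]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character swaps such as 'l' -> '1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(name: str) -> str:
    """Second-level label; a simplification that ignores multi-label public suffixes."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(token: str) -> str | None:
    """Watchlist entry the token contains or sits within a small edit distance of."""
    for target in sorted(WATCHLIST_LABELS):
        if target in token:
            return target
        if len(token) >= MIN_TOKEN_LEN and levenshtein(token, target) <= MAX_EDIT_DISTANCE:
            return target
    return None


def score_domain(rec: DomainRecord, today: date = TODAY) -> tuple[int, list[str]]:
    score, reasons = 0, []
    label = registrable_label(rec.name)
    age_days = (today - rec.created).days
    if age_days <= RECENT_DAYS:
        score += W_RECENT
        reasons.append(f"registered {age_days}d ago")
    if any(k in label for k in THEME_KEYWORDS):
        score += W_THEME
        reasons.append("themed label")
    for token in label.split("-"):
        target = lookalike_of(token)
        if target:
            score += W_LOOKALIKE
            reasons.append(f"lookalike of {target}")
            break
    if set(rec.nameservers) & KNOWN_BAD_NS:
        score += W_SHARED_NS
        reasons.append("shares NS with flagged infrastructure")
    return score, reasons


def hunt(records, today: date = TODAY, threshold: int = 4):
    """[(name, score, reasons)] for records at or above threshold, highest score first."""
    scored = [(r.name, *score_domain(r, today)) for r in records]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed WHOIS-style records (not real registrations).
SAMPLE_RECORDS = [
    DomainRecord("navyexamp1e-portal.example", TODAY - timedelta(days=5), ("ns1.cheap-dns.example", "ns2.cheap-dns.example")),
    DomainRecord("defencenews-update.example", TODAY - timedelta(days=200), ("ns1.bigdns.example", "ns2.bigdns.example")),
    DomainRecord("family-recipes.example", TODAY - timedelta(days=3), ("ns1.cheap-dns.example", "ns2.cheap-dns.example")),
    DomainRecord("cloud-storage-login.example", TODAY - timedelta(days=2), ("ns1.bigdns.example", "ns2.bigdns.example")),
]

if __name__ == "__main__":
    for name, score, reasons in hunt(SAMPLE_RECORDS):
        print(f"{score:2d}  {name}  ({'; '.join(reasons)})")
```

The weights are deliberately conservative about the name-server pivot: a brand-new domain on the same cheap provider as earlier flagged infrastructure (the family-recipes record) scores 3 and stays below the threshold, while an old domain that carries a watchlist label outright (defencenews-update) clears it. Feed the real version from a newly-registered-domain feed and your own watchlist, and treat the output as a queue for analyst review rather than a blocklist.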

Iron Tiger (Trend Micro)

Aliases: APT27 (Mandiant/Google), LuckyMouse (Kaspersky), Budworm (Symantec), Bronze Union (SecureWorks)

Suspected Origin: China

Summary: From spear-phishing to watering holes to multiple malware tools at the ready, Iron Tiger maintains a steady operational cycle, making minor changes to evade defenders. Since 2010, the group has targeted governments, telecom, defense, and private-sector organizations worldwide.

Motivations/Sectors Targeted: Highly skilled and capable, the group has shown a penchant for stealing sensitive information, likely for political and economic gain, in addition to surveillance.

Malware Used: Tools used by Iron Tiger include China Chopper, Gh0st, HTran, HyperBro, PlugX, and ASPXSpy, among others.

APT28 (Mandiant/Google)

Aliases: Sofacy (Kaspersky), Fancy Bear (CrowdStrike), Pawn Storm (Trend Micro), TG-4127 (SecureWorks)

Suspected Origin: Russia

Summary: From election interference to false flags, Olympic committees, and energy facilities, to name a few, it's safe to say Fancy Bear stays busy. Active since 2004 and tied to the GRU, Russia's military intelligence service, the group has enough headline-grabbing campaigns to fill a blog post of its own.

Motivations/Sectors Targeted: Likely under the direction of the Russian government, APT28 has targeted governments, the World Anti-Doping Agency, energy facilities, and technology companies. These operations have aimed to counter narratives unfavorable to that government, sway public opinion, steal information, and support counter-intelligence.

Malware Used: Notable malicious software used by the group includes Headlace, Graphite, Zebrocy, Sedkit, Koadic, X-Tunnel, DealersChoice, and HIDEDRV, to name a few.

Conclusion

From state-directed espionage to financially motivated operations, these actors employ a range of tactics, from custom malware and targeted phishing to persistent infiltration. By staying informed about these adversaries, implementing layered security measures, and fostering a culture of awareness, defenders can navigate these complexities and mitigate the risks posed by both advanced and low-level or opportunistic threats.

Choose from over 110 malware, phishing, and red team tools to gain real-time visibility with Hunt's C2 tracking platform. Apply for an account today and hunt smarter, not harder.

1. https://twitter.com/marasawr/status/1034848269300629504

2. https://blog.talosintelligence.com/seaturtle/

3. https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html

4. https://securelist.com/the-darkhotel-apt/66779/

5. https://labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/

6. https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

7. https://blog.talosintelligence.com/introducing-shrouded-snooper/

8. https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel

9. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms

10. https://www.group-ib.com/blog/hunting-sidewinder/
