The Manila Times

New targets, campaigns mark Q2 cyber-threats


DURING the second three months of 2018, Kaspersky Lab researchers observed an active landscape of APT operations, based mainly in threat actors.

A number of groups targeted or timed their campaigns around sensitive geopolitical incidents. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.

In the second quarter of 2018, Kaspersky Lab researchers continued to uncover new tools, techniques and campaigns being launched by advanced persistent threat (APT) groups, some of which had been quiet for years.

Asia remained the epicenter of APT interest: regional groups, such as the Korean-speaking Lazarus and Scarcruft, were particularly busy, and researchers discovered an implant called LightNeuron being used by the Russian-speaking Turla to target Central Asia and the Middle East.

Highlights in Q2, 2018 include the return of the actor behind Olympic Destroyer. After its January 2018 attack against the Pyeongchang Winter Olympic games, researchers discovered what they believed was new activity by this

Russia, and biochemical threat prevention laboratories in Europe and Ukraine. A number of indicators suggest a low to - pic Destroyer and the Russian speaking threat actor, Sofacy.

While Lazarus/BlueNoroff gave indi-

- key as part of a bigger cyberespionage campaign, as well as casinos in Latin America. These operations suggest that

for this group, despite the ongoing North Korean peace talks.

Further, researchers observed relatively high activity from the Scarcruft APT, with the threat actor using Android malware and launching an operation with a new backdoor researchers have named POORWEB.

In addition, LuckyMouse APT, a Chinese-speaking threat actor also known as APT 27, which had previously been observed abusing ISPs in Asia for waterhole

was also found to be actively targeting Kazakh and Mongolian governmental entities around the time these governments held their meeting in China.

The VPNFilter campaign, uncovered by Cisco Talos and attributed by the FBI to Sofacy or Sandworm, revealed the immense vulnerability to attack of domestic networking hardware and storage solutions. The threat can even inject malware

behind the infected networking device.

traces of this campaign can be found in almost every single country.

“The second quarter of 2018 was very interesting in terms of APT activity, with a few remarkable campaigns that remind us how real some of the threats we have been predicting over the last few years have become. In particular, we have warned repeatedly that networking hardware is ideally suited to targeted attacks and highlighted the existence and spread of advanced activity focusing on these devices,” said Vicente Diaz, principal security researcher in the Kaspersky Lab GReAT team.

The Q2 APT Trends report summarizes

- er-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting.
