
Changes in the threat landscape are clear from one year to the next. Since last year, security researchers have seen new adversaries, new methods of compromise, and more overt cyberattacks.
Singapore-based cybersecurity company Group-IB describes in a report released today the key changes in the spectrum of high-tech threats recorded between the second half of 2018 and the first half of 2019.
RedCurl, a new adversary
Attacks from a new group called RedCurl were detected in 2019 against insurance, consulting, mining, ironworks, retail, and construction companies for espionage and financial theft purposes.
Group-IB says that this threat actor is highly capable and difficult to detect. What allows RedCurl to fly under the radar is the use of legitimate services to communicate with its command and control (C2) servers.
The threat actor relies on a custom trojan for its malicious actions and focuses first on stealing important documentation from the victim, then installs XMRig miners for the Monero cryptocurrency on the infrastructure.
As for the data stolen from victims, RedCurl appears to be interested in agreements and information about payments and contracts.
A particular characteristic of this adversary is the high quality of its phishing attacks. The messages are customized for each victim targeted, which ensures a better success rate.
For the time being, it is unclear if RedCurl is a cybercriminal group or a state-sponsored one. However, Group-IB is trying to establish its affiliation by looking at the tools, techniques, and practices, BleepingComputer was told.
Most of the victims are in Eastern Europe, with one compromised company based in North America. Judging by the language used in the decoy documents and the service used to set up an email server, at least one member of the group speaks Russian, Group-IB told us.
Money-driven attackers
Group-IB names five cybercriminal outfits actively engaged in attacks against financial institutions. Three of them are Russian-speaking (Cobalt, Silence, MoneyTaker) and are the only ones working with trojans that control ATMs to dispense cash at will.
The other two are Lazarus and SilentCard, a new group from Kenya that targets banks in Africa and succeeds at it, despite having less impressive technical skills than the other actors in the same business.

Although there are other actors threatening the financial sector, Group-IB's report considers these five to be able to cause serious damage.
These groups typically spend a lot of time on the compromised network learning the ropes so they can run financial operations as well as the employees they monitor.
A map of the attacks, both successful and failed, shows that they've been busy since the second half of 2018, trying their luck almost every month.

Details on SilentCard are scarce at the moment, but the researchers determined that the group operates locally and was involved in two successful heists.
With only a malware sample available, Group-IB assumes that SilentCard uses "a controlled device within the organization that allows them to attack the corporate network."
State-backed actors
Attackers working for a government, also known as APT groups, have also been busy, with 38 groups active during the period observed by Group-IB. Of these, seven were discovered this year carrying out cyberespionage operations.
Although the new groups were only discovered over the past year, they have been operating for far longer, some since as early as 2011.

One of them is Windshift, whose tools and tactics were analyzed by DarkMatter in August 2018. However, it has been in the cyberespionage game since at least 2017, targeting employees of government agencies and critical infrastructure facilities in the Middle East.
Blue Mushroom (a.k.a. Sapphire Mushroom and APT-C-12) has been running since 2011, yet it emerged on the radar only in mid-2018. Its targets are in the nuclear industry and scientific research, according to a report from Qihoo360.
Gallmaker is another APT group discovered in 2018 but operating since at least December 2017, Symantec found. It relies on living-off-the-land tools to run attacks against government and military targets.
Research published by Qihoo360 at the beginning of the year disclosed the activity of APT-C-36, or Blind Eagle, a threat group from South America engaged in stealing trade secrets from important companies and government agencies.
Whitefly mainly targets entities in Singapore from the healthcare, media, telecommunications, and engineering sectors. Its activity was traced back to 2017, although it was the attack on Singapore's largest public health organization in July 2018 that put it on the map: 1.5 million patient records were stolen.
Hexane or Lyceum is interested in critical infrastructure organizations in the Middle East and was first disclosed to the public in August, although its activity had been under scrutiny long before that date. SecureWorks published technical details about its modus operandi.
The seventh APT group remains unidentified, as little is known about it beyond the attack framework it uses. Kaspersky found that the kit, called TajMahal, contained about 80 modules and was used to compromise a diplomatic entity in Central Asia.
Cyberwar escalation
Cybersecurity has become a common topic for political leaders and a mainstay of military operations. Attacks described in public records show that they are slowly shedding their cover of secrecy.
Governments turning to digital tools to disrupt the activities of adversaries is no longer a prediction but a reality. Multiple energy plants have suffered cyberattacks that brought no financial gain to the hackers.
Retaliation against enemies with cyberattacks has happened, the most prominent case being the U.S. action over the summer against Iran's weapons systems in response to the shooting down of a U.S. surveillance drone and attacks on oil tankers.
Dmitry Volkov, Group-IB CTO and Head of Threat Intelligence, says that 2018 showed how unprepared the cyberworld is for side-channel attacks and vulnerabilities related to microprocessors, while 2019 revealed covert military operations in cyberspace.
"Groups acting in the national interest fly under the radar for many years. Only a few such incidents have become known but most indicate that the critical infrastructure of many countries has already been compromised" - Dmitry Volkov