Monthly Threat Actor Group Intelligence Report, September 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from August 21 to September 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, and SectorA07, were found among SectorA hacking groups this September.

The parallel requirements of the hacking activities of SectorA hacking groups, which continues to date, is to both collect high-quality information related to government activities such as political and diplomatic activities related to South Korea or related to SectorA relief organizations, and to illegally profit from crimes around the world. The purpose of this hacking has been continued for a long time, and for this strategic hacking purpose, it is expected to continue without change for the time being.

The hacking activities of the SectorA01, SectorA05 and SectorA07 groups discovered in September were related to collecting high-level information such as political and diplomatic activities related to South Korea.

SectorA01 group activity was found in South Korea, Germany, the United States, China, and Austria, and used malware in the form of files of Hangul software files, which is widely used by South Korean government agencies.

SectorA05 group activity was found in United States, South Korea, Peru, Belgium, France, China, Japan, the United Kingdom, Slovakia, Russia and Poland. The hacking technique used by the group was spear phishing emails to deliver malware in the form of Microsoft Word files to the target of attack. The lure document had a topic related to SectorA’s economic sanctions, nuclear development, and submarines.

SectorA07 group activity was found in South Korea, Italy, Vietnam, Japan, and Brazil. During that time, the attacker used a Windows executable file with a file name associated with a MOU contract with the Department of Defense. The file was disguised using the icon of Microsoft Word.

2. SectorB Activity Features

A total of eight hacking groups, SectorB01, SectorB03, SectorB09, SectorB11, SectorB14, SectorB19, SectorB20, and SectorB21, were found among SectorB hacking groups this September.

The hacking activities of the SectorB groups discovered to date have been found in Southeast Asia (including Thailand, Singapore, Indonesia, Philippines, Vietnam, Malaysia and India), the Middle East (including Turkey), East Asia (including Taiwan, Macau, Hong Kong, Japan and South Korea), North America (including the United States), and Europe (including the United Kingdom and Russia). In addition, hacking activity was discovered in the Uyghur region, which we believe was targeted for political purposes.

The SectorB hacking groups use spear phishing, which uses document files that exploit N-day vulnerabilities in Microsoft Office as attachments. This method of intrusion is common for them when targeting developing countries such as Southeast Asia.

In addition, the SectorB21 group performed hacking activities using Android malware to steal high-level information from smartphones of specific people in the Uyghur region.

Since the hacking activities of the SectorB group discovered in September are mostly concentrated in Southeast Asia, it appears to be closely related to the political and diplomatic activities of the SectorB government. Thus, the hacking activity of SectorB group is expected to continue especially in Southeast Asia and Europe.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were found among SectorC hacking groups this September.

SectorC01 group activity was found in Europe and North America (including Ukraine, Canada, Belgium and the United Kingdom), while SectorC08 group activity was found in Ukraine, China, the United States, South Korea and Brazil. The SectorC08 group used to hack only in Europe in the past, but this is the first time that hacking activity has been found in East Asia (including China and South Korea), and additional analysis of their purpose is required. Although the SectorC groups, where hacking activity was found, use different hacking techniques, their spear phishing emails display common characteristics.

The SectorC01 group attaches Microsoft Word document malware to spear phishing emails and uses remote template injection techniques to deliver malware in Microsoft Word files containing macro scripts to their targets.

Similar to past hacking cases, the SectorC08 group maintains their traditional hacking approach using spear phishing emails with 7ZipSPX compressed files attached. However, we also confirmed that their hacking activity uses the remote template injection method, and the text content of the lure document used for the template injection was related to a specific conference.

The SectorC groups have many varied attack techniques because of their long history, and they are likely to continue a similar form of hacking in the future, as they continue to do so in line with the political objectives of the SectorC government.

4. SectorD Activity Features

A total of six hacking groups, SectorD01, SectorD02, SectorD05, SectorD10, SectorD14, and SectorD15 were found among SectorD hacking groups this September.

SectorD hacking groups targeted countries which are political rivals with the SectorD government. Their hacking activity discovered in September targeted countries located in the Middle East (including Morocco, Kuwait and the United Arab Emirates), and other hacking targets were the United States, the United Kingdom, Canada, India, the Netherlands, the Philippines, Azerbaijan, Kenya, China, Australia, Hong Kong and Switzerland.

The basic hacking techniques of the SectorD groups are similar to the previous cases – sending a Microsoft Word file with a malicious macro to the hacking target using an attachment in a spear phishing email. In addition to these hacking techniques, the SectorD05 group has launched attacks against researchers from the United States, Middle East, and France, focusing on academic research on SectorD, or performing phishing attacks against people targeting SectorD dissidents in the United States.

The SectorD10 group also uses links in phishing emails to direct targets to spoofing sites that are disguised as user login pages, and perform hacking activities to steal user credentials entered by targeted individuals.

The SectorD15 group conducted hacking activity aimed at gathering information on IT suppliers located in Saudi Arabia, which is likely to lead to a supply chain attack.

At the moment, diplomatic measures involving the SectorD government are underway in Western countries, mainly the United States. Such diplomatic activities could eventually lead to physical conflicts between countries, and it may be that these hacking activities are being used in cyberspace as preliminary reconnaissance.

5. SectorE Activity Features

A total of three hacking groups, SectorE02, SectorE03, and SectorE05 were found among SectorE hacking groups this September. The activities of the SectorE hacking groups were discovered in September in Europe (including Belgium, Portugal, United Kingdom, France and the Russia), Southeast Asia (including Singapore, Sri Lanka, Philippines, Thailand), East Asia (including Taiwan and China), North America (including United States and Canada), and Central Asia (including Pakistan and Turkmenistan).

SectorE hacking groups mainly conducted hacking activities targeting countries that are politically competitive with the SectorE government, but recently the range of geographical hacking activities of these groups is gradually widening.

The basic hacking techniques of the SectorE groups use attached documents in spear phishing emails, which could be a Microsoft Office document with a malicious macro functionality or previously known code execution vulnerabilities, or files from InPage software that are only frequently used in certain regions. They hosted malware in the form of Microsoft Word document that contain macro scripts on a specific domain. The document performs a remote template injection which would query the server to download the additional macro template from the attacker’s domain.

As the SectorE Group geographical radius of activity appears to be widening, they will likely continue to evolve and develop new hacking techniques. In past cases, whenever the geographic radius of hacking groups’ targets expanded, so did their hacking skills.

6. SectorF Activity Features

Hacking activity of the SectorF01 group was discovered this September, and the hacking activity was found in Asia (including Vietnam, China, Cambodia and Japan), and in Europe (including the United Kingdom and Germany).

The hacking activity found in September included a malware that has a similarity to a previously found malware, and is a RAR compressed file consisting of an executable file disguised as an Microsoft Word icon and a malicious DLL file, similar to the existing hacking technique. The SectorF01 group uses the DLL side loading technique to carry out the attack. When the executable file disguised as Microsoft Word program is executed, the DLL in the folder is loaded and executed.

As there have been many cases where their hacking activity has been discovered in regions including SectorF in the past, it is possible to consider hacking activities aimed at people who are opposed to political activities of the SectorF government. However, as hacking activities are also being conducted for the purpose of economic development in SectorF, additional analysis needs to be done while tracking their hacking activity areas and hacking targets.

6. SectorH Activity Features

Hacking activity of the SectorH01 group was discovered this September, but this is relatively infrequent unlike other government supported hacking groups.

SectorH01’s hacking activity was discovered in September, and their hacking activity was found in India, Kenya, Georgia, China, South Korea, Hong Kong, New Zealand and Canada. The SectorH01 group distributes malware in Microsoft Excel file formats containing macro scripts through spear phishing emails. The macro script executes JavaScript code hosted in Pastebin, which uses PowerShell to transfer the injector and DLL-type files to be injected into the infected system and then executes autorun registration for persistence.

The SecotorH01 group’s increased and broadening hacking activity highlight the dynamics of competition between SectorE and SectorH. It is important to pay close attention to the future competition between the two countries as to whether this increased hacking activity will affect the international situation in the future.

7. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ04, SectorJ05, and SectorJ09 group was discovered this September.

Unlike most other government-sponsored hacking groups, SectorJ groups seize information of financial value to make money in the real world, directly hack specific companies and organizations and run ransomware on their internal networks, or seize important industrial secrets in order to intimidate and extort victims.

SectorJ01 group activity was found in the United States, Russia, France, Bulgaria, China, United Kingdom, Poland, Germany, India, and Romania. The group used executables disguised as installers for Chrome or Firefox browsers, and used the NSIS (Nullsoft Scriptable Install System) to combine malware and normal browser installation files into one executable format.

SectorJ02 group activity was found in the United Kingdom and United States. They sent a spear phishing email to the target containing a link to download a JavaScript backdoor. When the malware is installed, it resides in memory and when the victim accesses an online payment page, skimming code would be injected into the HTML Document Object Model and collects payment information that the user types in.

SectorJ04 group activity was found in a wide range of locations – Europe (including Italy, Poland, Denmark, United Kingdom, Slovenia, Greece), East Asia (including South Korea, Japan), Middle East (including United Arab Emirates), Argentina, Philippines, Canada, India, Malaysia and the United States.

The group has been using spam emails with Office-themed Microsoft Excel or Word documents attached in the past for a while, installing malware on the infected system which transmits the information collected from the infected system to a specific server.

SectorJ05 group activity was found in the United Kingdom, Hong Kong, China, Germany, India, Netherlands, Sri Lanka, Belarus, the United States, and Russia. They primarily used malicious documents containing macro scripts, CHM files, or malicious attachment in the form of LNK shortcut files.

SectorJ09 group activitywas found in Italy. They launched an attack on e-commerce service providers, injecting JavaScript into the payment page of the hotel’s website using a particular e-commerce service to load the remote script. Only when accessing the page from a mobile device, a skimmer script is loaded to steal credit card information.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact