Monthly Threat Actor Groups Intelligence Report, January 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from December 21, 2018 to January 20, 2019.


1. SectorA Activity Features

A total of three hacking groups were found to be active in SectorA. While their modus operandi had been constant for the past few months, some of it has changed this time.

SectorA01 is still concentrating on financial crime using malware, targeting regions such as Africa, Southeast Asia, and South America for financial gain.

SectorA02 and SectorA05 groups are concentrating on hacking activities aimed at stealing information related to foreign policy of South Korea, and their malware continues to be found in government agencies within South Korea.

But little by little, these hacking groups supported by SectorA have been changing their malware and hacking techniques since 2018. For example, besides their usual spear phishing with Hangul Word Processor (HWP) files, they have also started to use phishing with malicious scripts.

From the hacking activities by SectorA to date, we believe they will continue their activities related to financial crime and espionage aimed at South Korean government agencies.


2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of two hacking groups were found to be active. Targets were found in Central Asia including Kazakhstan and East Asia including South Korea.

Groups that were active continued to use spear phishing with Microsoft Word files containing Macros, and also made use of code execution vulnerabilities in Microsoft Office software.

From the hacking activities by SectorB to date, we believe that their targets will continue to include European and Oceanian countries for the purpose of stealing high-tech information.


3. SectorC Activity Features

SectorC targets included countries in Eastern Europe including Ukraine, Poland, Macedonia, and North America including the United States. Three hacking groups were found to be active.

Although the hacking groups supported by SectorC change their technology and strategy very quickly, their malware continues to carry identifying characteristics of previous versions.

Their activities in Eastern Europe seem to be aimed at stealing information on military activities related to the North Atlantic Treaty Organization (NATO) and their activities in North America seem to be aimed at stealing information related to government activities.

Since SectorC is currently engaged in hacking activities in Eastern Europe and North America, it seems likely that their political and military related espionage will continue in those regions.


4. SectorD Activity Features

SectorD targets included Europe including Belarus, Ukraine, and Sweden, East Asia including South Korea, and the Middle East centering on Saudi Arabia, Turkey, and Oman. Two hacking groups were found to be active.

Outside of the Middle East, their purpose seems to be to steal diplomatic information from countries, such as those in Europe and East Asia, that have political and economic cooperation with countries in the Middle East. In particular, South Korea recently had diplomatic gains in which it agreed to cooperate in seven areas through summit talks with Qatar.

Hacking techniques used by SectorD continue to include spear phishing with Microsoft Word files which contain malicious macro functions.

Based on their hacking activities so far, it seems that SectorD is starting to expand its scope to include hacking countries with political and economic cooperation with Middle Eastern countries, rather than solely targeting countries in the Middle East.


5. SectorE Activity Features

SectorE targets included Pakistan like before, but this time included East Asia including China, Hong Kong, and South Korea. Two hacking groups were found to be active.

We believe that the wider range of hacking activities by SectorE groups is aimed at stealing information on economic and policy activities of the respective governments in East Asia. China is in the process of implementing “One Belt, One Road” in Southeast Asia, and South Korea and Russia are countries known to be exporting military arms to SectorE.

Hacking techniques used by SectorE continue to include spear phishing with Microsoft Word files which exploit known code execution vulnerabilities.

Based on their hacking activities so far, it seems that SectorE is targeting countries for the purpose of stealing information related to economic and foreign policy, and targeting Pakistan for politically motivated purposes.


6. SectorF Activity Features

SectorF targets were in Southeast Asia including Vietnam. Similar to November and December 2018, their purpose seems to be stealing information related to political activities from special-purpose personnel operating inside the countries of Southeast Asia.

The hacking techniques used by SectorF groups rely on Spear Phishing with links to download malicious Microsoft Word files. Depending on the target, they choose to use code execution vulnerabilities or embed malicious macros in the Microsoft Word file.

From their hacking activities in the last three months, it seems that SectorF will continue to target special-purpose personnel in Vietnam and they will continue using other kinds of hacking techniques such as Watering Hole attacks as well.


7. SectorH Activity Features

SectorH seems to have a contractual relationship for a particular purpose rather than serving as a government organization of a particular country. Their recent hacking activities are extensive, ranging from Northern European countries including Lithuania to East Asian countries including China and South Korea.

However, it seems that the group is more focused on Cyber Crime activities to steal financial information based on their hacking techniques and malware, and only carries out hacking activities for stealing information related to political, economic and diplomatic government activity on an ad hoc basis.

Based on their hacking activities so far, which have very different purposes and interests depending on the target, we will need to continue observing their hacking activity in order to have enough confidence to judge their primary purpose.


The full report detailing each event together with IOCs and recommendations is available to existing NSHC ThreatRecon customers.

Monthly Threat Actor Groups Intelligence Report, December 2018

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from November 21 to December 20, 2018.


1. SectorA Activity Features

A total of four hacking groups were found to be active within SectorA.

Among this detected activity, SectorA05 activity was relatively more intense than others and all SectorA05 activity was highly related to political hacking aimed at South Korea.

There are two main purposes of hacking by SectorA for the month, which can be distinguished by activity aimed at Korea and activity aimed at other countries.

The first is hacking activity targeting financial institutions overseas, and virtual currency exchanges and individual traders in South Korea. This is used to overcome financial and economic sanctions that are currently ongoing against SectorA. The second is hacking activity related to the more traditional espionage aimed at stealing information related to South Korea’s political and diplomatic activities.

Although malware and hacking techniques used by SectorA differ depending on the target, SectorA consistently targets individuals who belong to target organizations by utilizing Spear Phishing with malicious documents attached.

One of their strategies, using Cloud services as their C2 server for hacking activities, is used against both overseas and South Korean targets.

Another strategy, utilizing malware in the form of document reader files, differs depending on the target – overseas targets receive traditional Microsoft Office files, while South Korean targets will receive Hangeul Word Processor (HWP) files regardless of whether they live in South Korea or overseas.


2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of four hacking groups were found to be active.

Targets were found in the Oceania region including Australia, the European region including the United Kingdom, and the East Asian region including South Korea.

Among this detected activity, some malware that had been used in the past was modified, or malware produced based on open source code was used for hacking activities.

Like before, hacking activity targeted at South Korea utilized Spear Phishing, which included Microsoft Word files containing Macros, and our analysis of the malware used shows that this campaign started in early 2018. In addition, SectorB targets started to include South Korean financial companies.


3. SectorC Activity Features

A total of three hacking groups were found to be active within SectorC.

Among this detected activity, SectorC01 activity was relatively more intense than others and SectorC activity was found to be aimed at South Europe including Spain, East Asia including Japan, and Eastern Europe including Ukraine and Poland.

Although hacking activities by SectorC groups around the world were conducted mainly to obtain information related to government agencies, they seem to be targeting Eastern Europe for other purposes based on the characteristics of their malware. SectorC still uses Spear Phishing with code execution vulnerabilities in Microsoft Word files or Microsoft Word files with macros for the initial infection in order to drop variants of their usual malware, although this time they have also included variants written in a different programming language. In addition, SectorC sometimes used only script and normal utility files for attacks on Eastern Europe.


4. SectorD Activity Features

A total of four hacking groups were found to be active within SectorD, and targets were concentrated in Middle Eastern countries, including Lebanon, Oman, Jordan, Saudi Arabia, Turkey, Iraq and Israel.

In addition to the use of Phishing websites, there were also cases where Spear Phishing was used with malware in the form of Microsoft Word files containing macros.

Although SectorD groups mainly utilize script-based malware, there were cases of hacking activities targeted at energy companies in Italy with ties to the Middle East which had reused the Wiper malware which was used in the past to disrupt normal system operations.


5. SectorE Activity Features

A total of three hacking groups were found to be active within SectorE, and targets were concentrated in the Central Asia region, which includes Pakistan, a political rival of SectorE, as well as Chinese companies.

The hacking activities of SectorE took advantage of vulnerabilities in Microsoft Office, or Spear Phishing involving file-based malware that exploited vulnerabilities in InPage software, along with malware in the form of Word or Excel files containing macros.

In addition, the execution of malware is structured so that the download function is executed in the first step, and the next steps only work if the first one succeeded, reducing exposure to the outside as much as possible. However, as their malware, C2 IPs and C2 Domains were found to have some overlapping characteristics, it can be seen that SectorE groups share various hacking and malware production techniques.


6. SectorF Activity Features

SectorF activities were discovered targeting East Asia, including China and Japan.

They primarily utilize Spear Phishing, attaching Microsoft Word files containing macros to emails.

While some of the code used in their malware was found to have been produced based on open source code used for penetration testing, others were found to be variants of their custom malware.
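Both reports repeatedly list Spear Phishing with Microsoft Word or Excel files containing macros as the initial access technique across SectorA, SectorB, SectorC, SectorD, SectorE and SectorF. A defender triaging mail attachments wants a check that does not trust the file extension but inspects the container itself. The following is an added example written for this page, not code from NSHC or the reports; it builds constructed in-memory samples (a minimal OOXML zip with and without a `vbaProject.bin` part, and an OLE2-like blob carrying a `VBA` storage name) and classifies them. The OLE2 path is a lightweight heuristic on directory entry names rather than a full compound-file parser, and the helper names `build_ooxml`, `build_ole_sample` and `triage_office_file` are this example's own.

```python
import io
import zipfile

# Magic bytes of the two Office container formats (these values are public format facts).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE2 directory entry names are stored as null-terminated UTF-16LE strings.
# "Macros" is the Word VBA storage, "_VBA_PROJECT_CUR" the Excel one, and
# "VBA" the storage holding the module streams inside either.
OLE_VBA_STORAGE_NAMES = [
    (name + "\x00").encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT_CUR", "VBA")
]


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real files carry an OLE stream here; the content is irrelevant to triage.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_sample(with_macro: bool) -> bytes:
    """Constructed sample: an OLE2-like blob (magic + padding + optional VBA storage name)."""
    body = OLE_MAGIC + b"\x00" * 504  # header-sized padding, not a valid compound file
    if with_macro:
        body += OLE_VBA_STORAGE_NAMES[-1]  # "VBA\0" in UTF-16LE
    return body


def triage_office_file(data: bytes) -> dict:
    """Classify an Office document by container and flag embedded VBA macros."""
    result = {"container": "unknown", "has_macro": False, "reasons": []}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            result["reasons"].append("malformed zip container")
            return result
        for name in names:
            # vbaProject.bin under word/, xl/ or ppt/ is the macro project part.
            if name.lower().endswith("vbaproject.bin"):
                result["has_macro"] = True
                result["reasons"].append(f"VBA project part present: {name}")
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        for encoded in OLE_VBA_STORAGE_NAMES:
            if encoded in data:
                result["has_macro"] = True
                decoded = encoded.decode("utf-16-le").rstrip("\x00")
                result["reasons"].append(f"OLE2 storage name found: {decoded}")
    return result


if __name__ == "__main__":
    for label, sample in (
        ("ooxml-macro", build_ooxml(True)),
        ("ooxml-clean", build_ooxml(False)),
        ("ole2-macro", build_ole_sample(True)),
        ("ole2-clean", build_ole_sample(False)),
    ):
        print(label, triage_office_file(sample))
```

The point of keying on the container rather than the extension is that a file renamed from `.docm` to `.docx`, or a legacy `.doc` with a `Macros` storage, still carries the macro project inside; the reports describe macro-bearing Word and Excel attachments as the lure in most of the campaigns, so this is the attribute worth surfacing at the mail gateway or in sandbox pre-filtering.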


The full report detailing each event together with IOCs and recommendations is available to existing NSHC Threat Recon customers.

Introducing Our Research Blog

These days, our lives are all connected to the internet and we all use it for many purposes. Most of us use this for positive purposes, but some have malicious intent.

The Threat Recon Team is the Cyber Threat Intelligence division of NSHC RedAlert Labs, and we track and define the Tactics, Techniques and Procedures of Threat Actor Groups who perform such malicious activity. This research allows us to understand how organizations can protect themselves against such groups.

Starting this year, our team’s researchers will publish our analysis here to share knowledge with other individuals and information security research teams to make a better and safer digital world.

We hope you enjoy our research.