Monthly Threat Actor Group Intelligence Report, August 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21 to August 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA04 and SectorA07 were found among SectorA hacking groups this August. Two parallel requirements of SectorA hacking groups are collecting high-quality information related to South Korean political and diplomatic activities and to obtain illegal monetary benefit by targeting anywhere in the world.

SectorA01 group activity was found in South Korea, the Philippines, Argentina, Pakistan, United States and Nepal. SectorA02 group activity has been found in South Korea and the United States. SectorA4 group, which had not been found for a while, was found in South Korea, and malware was discovered using a digital signature issued by a Korean security company. Sector07 group activity was found in South Korea, Indonesia, United States, Russian Federation and Germany.

The activities of the four SectorA-related hacking groups discovered in August common use Spear Phishing as an attack vector. However, SectorA01 uses Hangul files (HWP) as attachments in South Korea, and only other SectorA02, SectorA04, and SectorA07 groups use Microsoft Word files containing macro function as an attachment to its Spear Phishing emails.

The SectorA02 group produces mobile malware designed to run on Android smartphones and uses it for hacking activities.

The SectorA groups aim to seize high-level information related to South Korea’s political, diplomatic and North Korean relief organizations. Due to large-scale economic sanctions surrounding SectorA, their hacking groups carry out hacking activities to steal financial information in other countries, including South Korea. These operations take place in parallel. and SectorA groups are expected to continue hacking with the purpose.

2. SectorB Activity Features

Among the SectorB groups, a total of five hacking groups, SectorB01, SectorB03, SectorB04, SectorB06 and SectorB07 group were found among SectorB hacking groups this August.

The hacking activity range of the SectorB01 group discovered so far has been the widest in the history of this hacking group. Their activity was found in Asia (including South Korea, Japan, Singapore, Vietnam, Malaysia, Hong Kong, Taiwan, Thailand, Myanmar, India), the Middle East (Turkey) and Africa (including South Africa), North America (including the United States and Canada) and Europe (including France, United Kingdom, Ireland, Germany, Switzerland, Netherlands, Italy, Czech republic, and Ukraine).

SectorB03 group activity was found in the United Arab Emirates, the United States, Japan and Taiwan.

SectorB04 group activity was found in Russian Federation, United States, United Kingdom, Turkey, Spain, South Korea, Malaysia and Taiwan.

The SectorB06 group has been found in the Russian Federation and Belarus.

SectorB07 group has been found in South Korea, Germany, United States and India.

Most of the SectorB hacking groups use Spear Phishing with document files as attachments to exploit vulnerabilities in Microsoft Office.

SectorB group’s hacking activities discovered in August are mostly concentrated in Asia, Europe and North America, and this is closely linked to its activities to obtain information about its country’s diplomatic and economic information related to an ongoing trade war with the United States.

3. SectorC Activity Features

Among the SectorC groups, the activities of three hacking groups, SectorC02, SecotorC03 and SectorC08 were found among SectorC hacking groups this August.

The hacking activity of SectorC02 group has been found in Brazil, Georgia.

The hacking activity of SectorC03 group has been found in United States and United Kingdom.

The hacking activity of SectorC08 group has been found in Ukraine, United Kingdom, Belarus, Sweden, Argentina, United States and China.

The SectorC groups used different attack vectors. SectorC02 group stole sensitive email information from internal Microsoft Exchange servers connected to the Internet while the SecotorC03 and SectorC08 groups used spear phishing emails with malware as their primary hacking technique, similar to their other hacking activities found in the past.

However, the SectorC08 group has the characteristic of using 7ZipSfx compressed files as attachments to specific hacking targets.

The SectorC groups have many more attack technique at their disposal than threat actors of other groups because of their long history. Recently, they have been working to achieve the political objectives of their government, and this is expected to continue.

4. SectorD Activity Features

Among the SectorD groups, the activities of two hacking groups, SectorD02, SecotorD14 were found among SectorD hacking groups this August.

The hacking activity of SectorD02 group was found in Tajikistan and Uzbekistan.

The hacking activity of SectorD14 group has been found in Canada, United States, United Arab Emirates and Kuwait. In particular, the SectorD14 group conducted hacking activities on Industrial Control Systems (ICS) owned by government agencies, and natural gas and oil companies related to countries located in the Middle East, which may be related to a recent drone attack.

The basic hacking techniques of the SectorD groups are similar to those in the past, using a Microsoft Word file with a malicious macro as an attachment to a spear phishing email.

At the moment, diplomatic measures involving the SectorD group’s government are under way in Western countries, mainly in the United States, and the aforementioned physical attacks on oil fields in Saudi Arabia may soon lead to cyber wars with physical conflicts between the Middle East and Western countries.

5. SectorE Activity Features

Among the SectorE groups, the activities of three hacking groups, SectorE01, SecotorE02 and SectorE04 were found among SectorE hacking groups this August.

The hacking activity of SectorE01 group was found in Poland, Germany and the United Kingdom.

The hacking activity of SectorE02 group was found in Pakistan, United Kingdom, United States, Ukraine, Netherlands and the Germany.

The hacking activity of SectorE04 was found in China.

SectorE hacking groups have mainly been conducting hacking activities targeting countries that are politically competitive with SectorE group’s government, but the range of geographical hacking activities of these groups is gradually widening.

The hacking groups discovered in August mainly used spear phishing, attaching document files that exploited known Microsoft Word vulnerabilities or containing malicious macro code.

The SectorE groups are expanding their range of activity, and their recent activities have been found frequently in East Asia. In addition, it is highly likely that they will continue to develop new hacking techniques by copying techniques of other hacking groups or through their own research process.

6. SectorF Activity Features

August hacking activity of the SectorF01 group has been found in Cambodia, China, South Korea, Japan, United States, Ireland, Russian Federation, and Australia. They used malware that is highly similar to the ones found in the past, and spear phishing emails with document files containing malicious macro code as attachments are sent to their targets.

In the past, there have been many cases where their hacking activity have been discovered in the Southeast Asia region, and recently, their hacking activities have been carried out for the purpose of economic development of their country. The hacking activity radius of this hacking group is expected to gradually increase and it is necessary to continue further analysis based on their hacking activity areas and targets.

7. Cyber Crime Activity Features

In August, a total of six hacking groups, SectorJ01, SectorJ04, SectorJ07, SectorJ10, SectorJ12 and SectorJ13, were found among the Cyber Crime Groups. Unlike other government-backed hacking groups, they collect information such as Credit Card information that can be monetized in the real world. They also hack organizations to spread ransomware on their internal network, or steal important industry secrets to sell them online.

The hacking activity of SectorJ01 group has been found in the Russian Federation, Romania, United Kingdom, Costa Rica and United States. The SectorJ01 Group is conducting hacking campaigns in Europe and North America this August. They collect various types of personal and corporate information that exists inside infected PCs from malware distributed through the spear phishing email.

The hacking activity of SectorJ04 group has been found in United Kingdom, United States, South Korea, Germany, Turkey, France, Bulgaria, Serbia, India, Canada, Argentina, Bangladesh and Hong Kong. They mainly hack into companies in various industries including transportation, universities, government agencies, manufacturing, semiconductors, online commercials, chemicals, and health. In the first half of 2019, they intensively hacked organizations in Asia, but their recent trend seems to be to move hacking activity back to Europe and North America.

The hacking activity of SectorJ07 group has been found in China, United States and Ukraine. They mainly produce malware that runs on Linux that can mine cryptocurrencies on high-performance servers utilized by companies.

The hacking activity of SectorJ10 group has been found in Philippines and United States. Attacks are carried out using spear phishing emails containing malware in the form of document files which have malicious macro code included inside. The macro calls to the Windows Management Instrumentation Command-line (WMIC), and the WMIC finally executes a malicious PowerShell script.

SectorJ12 group conducted hacking activities targeting energy, entertainment, consulting and manufacturing companies located in France, Taiwan and Poland. The spear phishing email have an ACE archive attached, and this ACE archive contains the Visual Basic Script (VBScript) for getting the malicious PowerShell script from the attacker’s server.

The hacking activity of SectorJ13 group has been found in South Korea, Ukraine and United Kingdom. They send spear phishing emails with document files containing malicious macro code attached. When executing the Word document, the macro script uses a technique to download additional malware from the attacker’s server by running PowerShell. SectorJ13 was previously only active in Europe, but its activity was recently found in Korea as well. This is a group that needs to be watched closely if it is targeting South Korea with similar intent and purpose as the SectorJ04 group.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, SectorA05 were found among SectorA hacking groups this June. The SectorA group was mainly active in the Middle East, Southeast Asia, and East Asia in June, targeting countries such as Jordan, Philippines, South Korea, and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are active mainly for monetary profit but based on their hacking techniques and malware features, each groups are aimed at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, but the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails which attached malicious HWP or executable files. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to target both diplomatic information related to their government and gain monetary benefits. In the past, they mainly targeted financial companies and cryptocurrency exchanges in order to earn monetary benefits. but nowadays they extended their range of hacking targets to include individual holders of cryptocurrency. Attention is needed as their range of activities expand.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six hacking groups were found to be active in SectorB. Activities of each group were found in the following countries: SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, Netherlands, and Ukraine. SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia. SectorB04 group activity was discovered in East Asia, Middle East and Europe, mainly in Taiwan, Philippines, Turkey, and Austria. SectorB06 group activity was discovered in the Middle East, mainly in Turkey and Kazakhstan. SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada. SectorB14 group activity was discovered in East Asia and North America, mainly in the South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08, SectorC11 were found among the SectorC groups in June. They were active mainly in Europe – Moldova, Ukraine and Germany – where they frequently have political friction with. They are constantly using spear phishing emails with malware, but there are gradual changes in the characteristics of the attached executable files. They continue to use open source programs such as the remote control programs, UltraVNC, and start to develop their malware with open source code. This is presumably done to bypass security solutions and analyst detection, and also interferes with intelligence analysis efforts to track attackers. SectorC groups are expected to continue hacking activities in countries which it has political and diplomatic conflicts with for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among SectorD groups. They targeted countries in the Middle East which they have a politically competitive relation with. Activities of each group were found in the following countries: SectorD02 group activity was discovered extensively in Middle Asia to Middle East, mainly in Hong Kong, Sweden, Tajikistan, United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, United States and Mexico. SectorD11 group activity was discovered in Middle Asia to Middle East.

They are constantly using spear phishing emails attached to Microsoft Office document files. In particular, obfuscated macro scripts and PowerShell code are embedded in these document files to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilian who are against SectorD government.

Currently, the SectorD hacking groups have increased the frequency of hacking activities against Western countries. This is mainly targeting the United States, which they have political and military disputes with, but also a pro-American nation in the Middle East. It is likely that the activities of SectorD hacking groups will be greatly dependent on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, United Kingdom and the United States. They have consistently used spear phishing emails with attached Microsoft Office document files, but recently attached compressed files containing obfuscated HTA script files as well. This bypasses the detection of security solutions using script-based malware and avoids making the target suspicious as it launches normal documents when running the HTA file.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-tech info from advanced countries that are nurturing high-tech and industrial technologies, which assists their government’s economic development and upgrading purposes. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage is increasing, and it is likely that their activities targeting high tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to be active as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in Southeast Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office document files.

In this case, macro scripts within document files make use of PowerShell to download additional scripts from Pastebin (a text file storage site). This minimize the exposure of their next stage payload even if their initial malware is detected by a security solution, and can bypass the detection of security solution by using an external web site which is open to the Internet for distribution of their malware. SectorH01 group’s hacking activities were mainly carried out on their political competitor, India. However, recently their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.

7. Cyber Crime Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In June, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group are mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, US, Brazil, and Costa Rica. The SectorJ01 group uses Spear Phishing emails which have attached documents that utilize known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

SectorJ04 Group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, France, South Korea, Philippines, Taiwan, China, USA, Ecuador, and Senegal.

Similar to the past, they use spear phishing emails which have attached Microsoft Office document files with embedded macro scripts that will download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets were not limited to just financial companies anymore. They have also extended their activities to industrial areas, where the security posture is typically relatively weaker compared to financial companies, so this is one way they are attempting to generate high profits through low effort. As SectorJ04 group’s hacking targets are diversified, it is likely that many cases of financial losses will occur in various countries across many industries.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.