Monthly Threat Actor Group Intelligence Report, April 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from March 21 to April 20, 2019.


1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA06 were found among SectorA hacking groups this April.

The scope of activity for SectorA groups found in April is much larger than in the past. Previously, their targets were mainly in East Asia and North America, but now includes many more targets around the world. Traces of hacking activities have been found in the Middle East, including Israel, Turkey and Palestine, East Asia including China and South Korea, Eastern Europe including Ukraine and Slovenia, Southeast Asia including Sri Lanka and Vietnam, and North America including the United States.

The techniques used in their hacking activities found were basically using Spear Phishing techniques with a Hangul Word Process (HWP) file or Microsoft Word file depending on the target person or organization. We also observed them using the recently discovered WinRAR vulnerability. In addition, a case of Watering Hole attack was found.

For targets in East Asia, including South Korea, their aim was stealing information related to politics and diplomacy, as well as at stealing financial information represented by virtual currencies. Elsewhere, they were concerned with military information related to military weapons and stealing diplomatic information from countries engaged in diplomatic activities related to SectorA.

The scope of the hacking activities is expected to continue to expand in the future, as the hacking activities of SectorA hacking groups are being carried out for stealing military, diplomatic, political and financial information purposes.


2. SectorB Activity Features

A total of three hacking groups, SectorB01, SectorB06, and SectorB10 were found among SectorB hacking groups this April.

SectorB hacking groups hacking activities have been found in Europe including Russia, Portugal, Germany and France, and in Asia including Mongolia, Singapore, Japan, Taiwan, Vietnam and South Korea.

SectorB hacking groups had hacked the internal network of hardware and software manufacturers in East Asia, using Microsoft’s RTF file malware as an Spear Phishing attachment, including vulnerabilities that were frequently used in the past.

These Supply Chain Attacks were linked to cases involving malware in an online game update file developed by an online gaming company in East Asia in March.

They are likely to have done so because the difficulty of directly hacking their target organizations or staff was high enough to warrant other attack routes such as using Supply Chain Attacks to gain access to their targets instead.


3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02, and SectorC10 were found among SectorC hacking groups this April, with hacking activity targeted at countries in Europe and North America, including Britain, the United States, and Germany.

This April, SectorC hacking groups aimed at stealing information on political and diplomatic activities in European countries. They basically used Spear Phishing techniques with malware and tried to target the presidential elections in certain Eastern European countries.

In addition, SectorC10 hacking activity targeting ICS/SCADA environments has been discovered, and this group has various capabilities and tools, such as WebShells, Backdoors, and performing Credential Harvesting and Remote Command Execution.


4. SectorD Activity Features

A total of four hacking groups, SectorD01, SectorD02, SectorD05 and SectorD12 were found among SectorD hacking groups this April, with hacking activity targeted at countries in the Middle East, including the Sector’s political competitor Saudi Arabia, the United Arab Emirates, Jordan, Iraq and Turkey, and Ukraine, Estonia, Germany, and the United States, as well as South and East Asia.

SectorD hacking groups are basically using Spear Phishing techniques with malware and example phishing documents were word files using confidential U.S. State Department forms. At the same time, malware in the form of compressed files that abused the recently discovered WinRAR’s vulnerability were also found. SectorD hacking groups mainly collected political, military and diplomatic information from countries in the Middle East that are its political competitors.

However, with the recent declaration of noncompliance with some treaties of a Nuclear Agreement it is part of, hacking aimed at collecting information on government activities are expected to intensify as conflicts are expected with other countries in many areas, including politics and diplomacy.


5. SectorE Activity Features

A total of two hacking groups, SectorE02, and SectorE05 were found among SectorE hacking groups this April, with hacking activity targeted at countries including Pakistan, Bangladesh, Sri Lanka, Myanmar and Nepal.

SectorE hacking groups typically use Spear Phishing as a major hacking technique to attach web page links or Microsoft Excel documents containing VBA macro scripts to emails that mimic legitimate entities such as foreign governments, telecommunications and defense industries, or utilize malicious Microsoft Word files that exploit known code execution vulnerabilities.

The recent spate of military and physical clashes in Pakistan is feared to spread to cyberwarfare. Against this backdrop, the number of hacking activities in neighboring countries is increasing as countries seek to collect information on diplomatic activities related to Central and Southeast Asian countries.


6. SectorF Activity Features

One hacking group, SectorF01, was found among SectorF hacking groups this April, with hacking activity targeted at countries in Southeast Asia including Vietnam, Cambodia, and East Asia including Japan, China, and South Korea.

The SectorF01 Group has previously conducted hacking activities on Southeast Asian countries for its political and military interests, but these days it seems like they are also interested in hacking for economic interests.

Some of these changes in hacking purposes as mentioned earlier have also led to widespread hacking in Southeast Asia and East Asia.

The hacking techniques used by the SectorF01 Group range from watering hole attacks using scripted malicious code that exploits vulnerabilities to Spear phishing hacking techniques where malicious codes exist as attachments.

In addition, they have been using various hacking techniques, scenarios, and strategies to make malware that operates on Mac operating systems in addition to malware that operates on Windows operating systems.


7. Cyber Crime Groups Activity Features

A total of three groups, SectorJ02, SectorJ03 and SectorJ04, were found to be responsible for cybercriminal purposes this April.

The targeted areas where these hacking groups operate for cybercrime have been found in the Middle East including Palestine, the United Arab Emirates and Saudi Arabia, in the Netherlands, Luxembourg, Europe including Sweden, Macedonia, Russia and Italy, in North and South America, South Korea, Japan, Singapore, as well as in Asia and the United States and Mexico.

Those who hack for financial purposes are also found in a wide range of countries, and they have different purposes from those who are supported by a particular country. However, as of December 2018, SectorsJ03 and SectorJ04 groups have moved their hacking activities to countries in Asia.

For the purpose of cyber crime, hacking groups generally use Spear Phishing as their major hacking technique, and the attached malware mainly include macros written to perform malicious functions. In addition, they also attempt to use Windows-based malicious scripts such as PowerShell, VBScript, and BAT.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers.

Monthly Threat Actor Groups Intelligence Report, January 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from December 21, 2018 to January 20, 2019.


1. SectorA Activity Features

A total of three hacking groups were found to be active in SectorA. While their modus operandi had been constant for the past few months, some of it has changed this time.

SectorA01 is still concentrating on financial crime using malware in countries such as Africa, Southeast Asia, and South America for financial gain.

SectorA02 and SectorA05 groups are concentrating on hacking activities aimed at stealing information related to foreign policy of South Korea, and their malware continues to be found in government agencies within South Korea.

But little by little, these hacking groups supported by SectorA have been changing their malware and hacking techniques since 2018. For example, besides their using their usual spear phishing with Hangul Word Processor (HWP) files, they have also started to use phishing with malicious scripts instead as well.

From the hacking activities by SectorA to date, we believe they will continue their activities related to financial crime and espionage aimed at South Korean government agencies.


2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of two hacking groups activity were found to be active. Targets were found in Central Asia including Kazakhstan and East Asia including South Korea.

Groups that were active continued to use spear phishing with Microsoft Word files containing Macros , and also included the use of code execution vulnerabilities in Microsoft Office software.

From the hacking activities by SectorB to date, we believe that their targets will continue to include European and Oceanian countries for the purpose of stealing high-tech information.


3. SectorC Activity Features

SectorC targets included countries in Eastern Europe including Ukraine, Poland, Macedonia, and North America including the United States. Three hacking groups were found to be active.

Although hacking groups supported by SectorC have the characteristics of having very fast technological and strategic changes, but their malware continues to have identifying characteristics of previous versions.

Their activities in Eastern Europe seem to be aimed at stealing information on military activities related to the North Atlantic Treaty Organization (NATO) and their activities in North America seem to be aimed at stealing information related to government activities.

Since SectorC is currently engaged in hacking activities in Eastern Europe and North America, it seems likely that their political and military related espionage will continue in those regions.


4. SectorD Activity Features

SectorD targets included Europe including Belarus, Ukraine, and Sweden, East Asia including South Korea, and the Middle East centering on Saudi Arabia, Turkey, and Oman. Two hacking groups were found to be active.

Outside of the Middle East, their purpose seem to be to steal diplomatic related information from countries with political and economic cooperation with other countries in the Middle East, such as Europe and East Asia. In particular, South Korea recently had diplomatic gains in which it agreed to cooperate in seven areas through summit talks with Qatar.

Hacking techniques used by SectorD continue to include spear phishing with Microsoft Word files which contains malicious macro functions.

Based on their hacking activities so far, it seems that SectorD is starting to expand its scope to include hacking countries with political and economic cooperating with Middle Eastern countries, rather than solely targeting countries in the Middle East.


5. SectorE Activity Features

SectorE targets included Pakistan like before, but this time included East Asia including China, Hong Kong, and South Korea. Two hacking groups were found to be active.

We believe that the wider range of hacking activities by SectorE groups are aimed at stealing information on economic and policy activities of the respective governments in East Asia. China is in the process of implementing “One Belt, One Road” in Southeast Asia, and South Korea and Russia are countries known to be exporting military arms to SectorE.

Hacking techniques used by SectorE continue to include spear phishing with Microsoft Word files which exploit known code execution vulnerabilities.

Based on their hacking activities so far, it seems that SectorE is targeting countries for the purpose of stealing information related to economic and foreign policy, and targeting Pakistan for politically motivated purposes.


6. SectorF Activity Features

SectorF targets were in Southeast Asia including Vietnam. Similar to November and December 2018, their purpose seems to be stealing information related to political activities from special-purpose personnel operating inside the countries of Southeast Asia.

The hacking techniques used by SectorF groups are using Spear Phishing with links to download malicious Microsoft Word files. Depending on the target, they choose to use code execution vulnerabilities or embed malicious macros in the Microsoft Word file.

From their hacking activities in the last three months, it seems that SectorF will continue to target special-purpose personnel in Vietnam and they will continue using other kinds of hacking techniques such as Watering Hole attacks as well.


7. SectorH Activity Features

SectorH seems to have a contractual relationship for a particular purpose rather than serving as a government organization of a particular country. Their recent hacking activities are extensive, ranging from Northern European countries including Lithuania to East Asian countries including China and South Korea.

However, it seems that the group is more focused on Cyber Crime activities to steal financial information based on their hacking techniques and malware, and only carries out hacking activities for stealing information related to political, economic and diplomatic government activity on an ad hoc basis.

Based on their hacking activities so far which has very different purposes and interests depending on the target, we will need to continue observing their hacking activity in order to have enough confidence to judge their primary purpose.


The full report detailing each event together with IOCs and recommendations is available to existing NSHC ThreatRecon customers.

Monthly Threat Actor Groups Intelligence Report, December 2018

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from November 21 to December 20, 2018.


1. SectorA Activity Features

A total of four hacking groups were found to be active within SectorA.

Among this detected activity, SectorA05 activity was relatively more intense than others and all SectorA05 activity was highly related to political hacking aimed at South Korea.

There are two main purposes of hacking by SectorA for the month, which can be distinguished by activity aimed at Korea and activity aimed at other countries.

The first is hacking activity targeting financial institutions overseas, and virtual currency exchanges and individual traders in South Korea. This is used to overcome financial and economic sanctions that are currently ongoing against SectorA. The second is hacking activity related to the more traditional espionage aimed at stealing information related to South Korea’s political and diplomatic activities.

Although malware and hacking techniques used by SectorA differ depending on the target, SectorA consistently targets individuals who belong to target organizations by utilizing Spear Phishing with malicious documents attached.

One of their strategies, using Cloud services as their C2 server for hacking activities, is used against both overseas and South Korean targets.

Another strategy, utilizing malware in the form of document reader files, differs depending on the target – overseas targets receive traditional Microsoft Office files, while South Korean targets will receive Hangeul Word Processor (HWP) files regardless of whether they live in South Korea or overseas.


2. SectorB Activity Features

SectorB targets countries from various regions around the world, and a total of four hacking groups activity were found to be active.

Targets were found in the Oceania region including Australia, the European region including the United Kingdom, and the East Asian region including South Korea.

Among this detected activity, some malware that had been used in the past was modified, or malware produced based on open source code was used for hacking activities.

Like before, hacking activity targeted at South Korea utilized Spear Phishing, which included Microsoft Word files containing Macros, and our analysis of the malware used shows that this campaign started in early 2018. In addition, SectorB targets started to include South Korean financial companies.


3. SectorC Activity Features

A total of three hacking groups activity were found to be active within SectorC.

Among this detected activity, SectorC01 activity was relatively more intense than others and SectorC activity was found to be aimed at South Europe including Spain, East Asia including Japan, and Eastern Europe including Ukraine and Poland.

Although hacking activities by SectorC groups around the world were conducted mainly to obtain information related to government agencies, they seem to be targeting Eastern Europe for other purposes based on the characteristics of their malware. SectorC still uses Spear Phishing with code execution vulnerabilities in Microsoft Word files or Microsoft Word files with macros for the initial infection in order to drop variants of their usual malware, although this time they have also included variants written in a different programming language. In addition, SectorC sometimes used only script and normal utility files for attacks on Eastern Europe.


4. SectorD Activity Features

A total of four hacking groups were found to be active within SectorD, and targets were concentrated in Middle Eastern countries, including Lebanon, Oman, Jordan, Saudi Arabia, Turkey, Iraq and Israel.

In addition to the use of Phishing websites, there were also cases where Spear Phishing was used with malware in the form of Microsoft Word files containing macros.

Although SectorD groups mainly utilize script-based malware, there were cases of hacking activities targeted at energy companies in Italy with ties to the Middle East which had reused the Wiper malware which was used in the past to disrupt normal system operations.


5. SectorE Activity Features

A total of three hacking groups activity were found to be active within SectorE, and targets were along the Central Asia region, which includes Pakistan, a political rival of SectorE, as well as Chinese companies.

The hacking activities of the SectorE took advantage of vulnerabilities in Microsoft Office, or Spear Phishing involving file-based malware that exploited vulnerabilities in InPage software, along with malware in the form of Word or Excel files containing macros.

In addition, the execution of malware is structured so that the download function is executed in the first step, and the next steps only work if the first one succeeded, reducing exposure to the outside as much as possible. However, as their malware, C2 IPs and C2 Domains were found to have some overlapping characteristics, it can be seen that SectorE groups share various hacking and malware production techniques.


6. SectorF Activity Features

SectorF activities were discovered targeting East Asia, including China and Japan.

They primarily utilizing Spear Phishing, attaching Microsoft Word files containing macros to emails.

While some of the code used in their malware was found to have been produced based on open source code used for penetration testing, others were found to be variants of their custom malware.


The full report detailing each event together with IOCs and recommendations is available to existing NSHC Threat Recon customers.