Earth Krahang targets government entities around the world. An analysis of the Smoke Loader malware.

Summary

By the CyberWire staff

At a glance.

Earth Krahang targets government entities around the world.
Former telecommunications company manager pleads guilty to SIM swapping.
An analysis of the Smoke Loader malware.

Earth Krahang targets government entities around the world.

Researchers at Trend Micro are tracking a cyberespionage campaign by a China-nexus threat actor they've dubbed "Earth Krahang." The campaign has breached seventy government organizations in twenty-three different countries, with a strong focus on Southeast Asia. In total, the group has targeted one-hundred-sixteen government entities across forty-five countries. Trend Micro states, "[I]n the case of one country, we found that the threat actor compromised a diverse range of organizations belonging to 11 different government ministries. We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others."

The group has a lesser focus on the education sector and the telecommunications industry.

The researchers believe Earth Krahang may be tied to Chinese government contractor I-Soon, which recently sustained a major data breach that exposed its operations. Trend Micro previously linked the company to a separate China-nexus threat actor dubbed "Earth Lusca." The researchers note, "Using this leaked information, we found that the company organized their penetration team into two different subgroups. This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company."

Create your own luck. 25% off top cert prep.

Boost confidence without relying on luck! N2K's practice tests offer a comprehensive toolkit for ultimate success, including a vast question Qbank for custom quizzes, final exam simulations, performance tracking, and more in our robust LMS. Visit n2k.com/certify, use code NETWORK, and save 25% on our top practice tests. Don't miss out - offer ends 3/27.

RSA Conference™ 2024—Where the Cybersecurity Community Unites

Cybercrime knows no bounds, and a united front is our strongest defense. At RSA Conference™ 2024, May 6 – 9, we unite in San Francisco as a cybersecurity community, fostering learning, networking, idea exchange, and exploration of cutting-edge innovations. Join us as we face the future of cybersecurity head on. Learn more and register.

Former telecommunications company manager pleads guilty to SIM swapping.

A former manager of a telecommunications company in New Jersey has pleaded guilty to carrying out SIM-swapping attacks, the Trentonian reports. The US Attorney's Office for the District of New Jersey said in a press release, "In May 2021, [Jonathan Katz] was employed as a manager at a telecommunications store and accessed several customer accounts by using managerial credentials. Katz swapped the SIM numbers associated with the customers’ phone numbers into mobile devices controlled by another individual, enabling this other individual to control the customers’ phones and access the customers’ electronic accounts – including email, social media, and cryptocurrency accounts. In exchange for the swaps, Katz was paid in Bitcoin, which was traced back to Katz’s cryptocurrency account."

An analysis of the Smoke Loader malware.

Palo Alto Networks's Unit 42 has published a joint research report with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP), focusing on Smoke Loader malware activity targeting Ukrainian entities. The report notes, "Primarily a loader with added information-stealing capabilities, Smoke Loader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums. Ukrainian officials have highlighted a surge in Smoke Loader attacks targeting the country’s financial institutions and government organizations. While Ukraine has seen a rise in Smoke Loader attacks, this malware remains a global threat and continues to be seen in multiple campaigns targeting other countries. However, this surge of attacks suggests a coordinated effort to disrupt Ukrainian systems and extract valuable data."

Notes.

Today's issue includes events affecting China, Russia, Ukraine, and the United States.

Attacks, Threats, and Vulnerabilities

Inside the Massive Alleged AT&T Data Breach (Troy Hunt) I hate having to use that word - "alleged" - because it's so inconclusive and I know it will leave people with many unanswered questions. But sometimes, "alleged" is just where we need to begin and over the course of time, proper attribution is made and the dots are joined.

Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor (Unit 42) A surge in use of malware Smoke Loader by threat group UAC-0006 is highlighted in the first-ever joint research published by Unit 42 and SSSCIP Ukraine.

Potential cyberattack against Pensacola knocks out non-emergency city phone system (Pensacola News Journal) The city of Pensacola's computer systems appear to have suffered a cyberattack over the weekend.

Apex Legends players worried about RCE flaw after ALGS hacks (BleepingComputer) Electronic Arts has postponed the North American (NA) finals of the ongoing Apex Legends Global Series (ALGS) after hackers compromised players mid-match during the tournament.

Technologies, Techniques, and Standards

NCSC Publishes Security Guidance For Cloud-Hosted SCADA (Infosecurity Magazine) The UK’s National Cyber Security Centre wants to help organizations migrate their SCADA systems to the cloud

Litigation, Investigation, and Law Enforcement

Cash-Strapped Women's Clinic Sues UnitedHealth Over Attack (GovInfoSecurity) A Mississippi women's health clinic has filed a proposed class action lawsuit against UnitedHealth Group alleging the disruption in claims processing caused by the

Investment advisers pay $400K to settle ‘AI washing’ charges (BleepingComputer) The U.S. Securities and Exchange Commission (SEC) announced today that two investment advisers, Delphia (USA) and Global Predictions, have settled charges of making misleading statements regarding the use of artificial intelligence (AI) technology in their products.

FTC investigating Reddit plan to sell user content for AI model training (The Record) The Federal Trade Commission (FTC) is probing Reddit’s decision to license its user-generated content to artificial intelligence companies which would in turn use it to train models, the social media platform said in a Friday securities filing.

Nigerian court orders Binance to release user data, as company execs continue to be held without charge (The Record) A federal high court in Abuja has ordered the world’s largest cryptocurrency exchange Binance to provide Nigeria’s Economic and Financial Crimes Commision (EFCC) with information on all the Nigerians who are using its trading platform.

Former Telecommunications Company Manager Admits Role in SIM Swapping Scheme (US Justice Department) CAMDEN, N.J. – A former manager of a telecommunications company from Burlington County, New Jersey, admitted swapping the Subscriber Identity Module (SIM) numbers of cell phone customers into mobile devices controlled by another individual, who was paying the former manager for the unauthorized swaps.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

Spring 2024 CISSP Study Group presented by ISSA Central MD (Columbia, or virtual, Maryland, USA, Feb 20 - May 1, 2024) Our Study Group fosters a learning environment to better absorb and understand the material. This is much better than the alternative of cram it in and regurgitate it on a test immediately following. Our approach simply makes the information more useful and easier to interpret! You can attend each session in-person in Columbia, MD, or attend virtually on line.

Power Women of GovCon (Arlington, Virginia, USA, Feb 28 - Mar 28, 2024) DCA Live is excited to announce our first ever NEW Power Women of GovCon list and event! We can’t wait to toast the women leading and advising some of the fastest growing and most exciting firms in the DC region’s robust and dynamic government contracting community. We’ll profile these women in the coming weeks and recognize them at a special event on February 28 in Arlington, VA. Join us! You will want to get to know these great women leaders.

SANS Stay Sharp: March 2024 (Virtual, Mar 18 - 20, 2024) At SANS Stay Sharp: March 2024, choose from 48 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

SANS Stay Sharp: March 2024 (Virtual, Mar 18 - 20, 2024) At SANS Stay Sharp: March 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

CrowdStrike Gov Threat Summit (Washington, DC, USA, Mar 19, 2024) Join hundreds of cybersecurity leaders, practitioners and threat hunters who are singularly focused on improving their agencies’ cyber defenses with AI and new security capabilities at the Gov Threat Summit. The Gov Threat Summit promises to deliver critical knowledge, training, and insights to protect your agency and organization from adversaries, while enabling your strategic goals and transformational strategies. You’ll hear from cyber and intelligence experts, get hands-on with workshops and demos, and network with your CrowdStrike and government peers at the Hub.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 03.19.24