BlackBerry researchers are tracking what they believe to be a mercenary cyberespionage group whose campaign they’re calling “CostaRicto.” BlackBerry doesn’t speculate about who CostaRicto’s paymasters might be, but they offer four reasons for thinking it a mercenary operation: it uses bespoke malware; it shows systematic, continual development; it may share some network infrastructure with APT28 (Fancy Bear, Russia’s GRU); and its highly diversified target list suggests more than one customer.
Dragos finds that industrial control systems (ICS) are increasingly being subjected to the attentions of cyber threat actors. The researchers are following five distinct threat groups:
- CHRYSENE (APT34 or Helix Kitten) targets the petrochemical, oil and gas, manufacturing, and electric generation sectors. It’s expanded its interests beyond the Persian Gulf.
- MAGNALLIUM (APT33 or Elfin) is active against the energy and aerospace sectors, including their supporting sectors.
- PARISITE (Fox Kitten or Pioneer Kitten) works against electric utilities, aerospace, manufacturing, oil and gas entities, and governmental and non-governmental organizations.
- WASSONITE, associated with the Lazarus Group, hits electric generation, nuclear energy, manufacturing, and research entities.
- XENOTIME is known for the TRISIS attack that disrupted a Saudi natural gas facility.
Dragos doesn’t offer attribution, but others believe CHRYSENE, MAGNALLIUM, and PARISITE are Iranian, WASSONITE North Korean, and XENOTIME Russian.
Lacework researchers describe Muhstik, an IoT botnet, possibly a Chinese operation, infesting cloud services.
The University of California Riverside has published a study of vulnerabilities that forecasts a return of DNS cache poisoning.
A team at the University of Birmingham has identified a new side-channel vulnerability, “PLATYPUS,” in Intel processors.