At a glance.
- Cozy Bear targets diplomatic entities.
- North Korea's Stonefly targets engineering companies.
- Lazarus Group impersonates security firms.
Cozy Bear targets diplomatic entities.
Mandiant says the Russian threat actor APT29 (also tracked as Cozy Bear) is targeting an unnamed diplomatic entity with phishing emails that purport to be "administrative notices related to various embassies":
"Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity. During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders. Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.
"The phishing emails sent by APT29 masqueraded as administrative notices related to various embassies and utilized legitimate but co-opted email addresses to send emails and Atlassian's Trello service for command and control (C2). These phishing emails were similar to previous Nobelium phishing campaigns in 2021 as they targeted diplomatic organizations, used ROOTSAW (publicly known as EnvyScout) to deliver additional payloads, and misused Firebase or Dropbox for C2. The misuse of legitimate web services such as Trello, Firebase, or Dropbox is likely an attempt to make detection or remediation harder."
North Korea's Stonefly targets engineering companies.
Symantec says the North Korean threat actor Stonefly (also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima) is conducting cyberespionage attacks against "highly specialized engineering companies":
"The most recent attack discovered by Symantec, a division of Broadcom Software, was against an engineering firm that works in the energy and military sectors. The attackers breached the organization in February 2022, most likely by exploiting the Log4j vulnerability (CVE-2021-44228) on a public-facing VMware View server. The attackers then moved across the network and compromised 18 other computers."
The researchers add, "Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment. Virtually all of the technologies it appears to be interested in have military as well as civilian uses and some could have applications in the development of advanced weaponry."
Lazarus Group impersonates security firms.
Zscaler is also tracking North Korean cyberactivity. The company says Pyongyang's Lazarus Group is targeting users in South Korea with spearphishing emails that impersonate cybersecurity firms Menlo Security, AhnLab, and others:
"In 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC (Korea Internet Information Center), Korean security vendors such as AhnLab, cryptocurrency exchanges such as Binance, and others. Some details about this campaign were published in this Korean blog; however, they did not perform the threat attribution.
"Even though the TTPs of this threat actor evolved over time, there were critical parts of their infrastructure that were reused, allowing ThreatLabz to correlate the attacks and do the threat attribution with a high-confidence level. Our research led us to the discovery of command-and-control (C2) domains even before they were used in active attacks by the threat actor. This proactive discovery of attacker infrastructure helps us in preempting the attacks."