At a glance.
- POLONIUM targets Israeli entities.
- A look at influence operations by Russia and China.
- Spyder Loader active in Hong Kong.
- Ransom Cartel's possible connection to REvil.
POLONIUM targets Israeli entities.
ESET has published a report on POLONIUM, a Lebanon-based espionage group assessed to coordinate at times with Iran-affiliated threat actors. POLONIUM has focused exclusively on Israeli targets over the past year, with espionage as its goal:
"According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022. Verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services."
A look at influence operations by Russia and China.
Mandiant has released the second issue of its Cyber Snapshot report, looking at the proliferation of information operations (IOs), threats to NFTs and cryptocurrency, and enterprise security best practices.
The researchers note that Russian state-sponsored threat actors are currently “conducting widespread IO campaigns to bolster the positive perception of the Russian invasion of Ukraine to the Russian people.” Meanwhile, China-aligned actors are carrying out information operations to “sway public opinion against the expansion of rare-earth minerals mining and refining operations in the U.S. and Canada, likely as an attempt to protect China’s heavy investments in rare-earth production.”
The researchers add, “Mandiant finds that these kinds of campaigns are happening constantly. We regularly see new actors who operate on behalf of nation-states that have never before demonstrated a significant cyber capability.”
Spyder Loader active in Hong Kong.
Researchers at Symantec warn that the “Operation CuckooBees” campaign (first publicly documented by Cybereason in May 2022, with activity dating back years earlier) now appears to be targeting government entities in Hong Kong with the Spyder Loader malware:
“The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.”
Symantec does not attribute the campaign to a named threat actor, but Cybereason tied the earlier CuckooBees activity to the Chinese APT Winnti (also tracked as APT41).
Symantec adds, “The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time. Companies that hold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks protected from this kind of activity.”
Ransom Cartel's possible connection to REvil.
Palo Alto Networks’ Unit 42 has published a report on the Ransom Cartel ransomware-as-a-service offering, finding that it has possible ties to the now-defunct REvil ransomware gang. Unit 42 summarizes what’s known of the gang’s provenance so far:
“At this time, we believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments (see our Ransom Cartel and REvil Code Comparison for more details). This suggests there was a relationship between the groups at some point, though it may not have been recent.”