At a glance.
- Chinese cyberespionage in the Middle East.
- North Korea's APT43.
- Phishing in China's nuclear energy sector.
Chinese cyberespionage in the Middle East.
SentinelOne is tracking a Chinese cyberespionage campaign targeting telecommunication providers in the Middle East. The researchers believe with high confidence that the group behind this campaign is associated with the Chinese threat actors Gallium and APT41:
"Our analysis identified indicators that point to the Operation Soft Cell actors. Operation Soft Cell has been associated with the Gallium group based on TTPs and some of the domains the group has been using. Active since at least 2012, Gallium is likely a Chinese state-sponsored group that is targeting telecommunication, financial, and government entities in Southeast Asia, Europe, Africa, and the Middle East."
North Korea's APT43.
Mandiant describes the activities of APT43, a North Korean threat actor that conducts cybercrime to fund its cyberespionage efforts. APT43 is also tracked as “Kimsuky” or “Thallium.” Mandiant says the threat actor uses “aggressive social engineering tactics” combined with “moderately-sophisticated technical capabilities” to target “South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.” While the group targets a wide range of organizations and industries, Mandiant believes APT43’s primary goal is to advance North Korea’s weapons program:
“The group is primarily interested in information developed and stored within the U.S. military and government, defense industrial base (DIB), and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation.”
APT43 also conducts cryptocurrency theft to fund its own operations. In one instance, the threat actor used a phony Android app to target Chinese users seeking cryptocurrency loans. The group uses hash rental and cloud mining services to launder the stolen funds.
Michael Barnhart, Mandiant Principal Analyst, Google Cloud, commented:
"The washing of funds and the 'how' has been the missing piece of the equation. We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies. Put another way, imagine you stole millions of dollars in gold, and while everyone is looking for stolen gold, you pay silver miners with stolen gold to excavate silver for you. Similarly, APT43 deposits stolen cryptocurrency into various cloud mining services to mine for a different cryptocurrency. For a small fee, DPRK walks away with untracked, clean currency to do as they wish. Based on our knowledge of this actor and the other associated groups, it is very likely that the other DPRK aligned APTs are using the same services to launder their illicit funds."
Phishing in China's nuclear energy sector.
Intezer says the Bitter APT is conducting cyberespionage against nuclear entities in China. Bitter is a South Asian cyberespionage actor known to target Pakistan, China, Bangladesh, and Saudi Arabia.
In its latest campaign, Bitter sent spearphishing emails posing as the Embassy of Kyrgyzstan to target individuals working in China’s nuclear energy industry: “The email subject and body use terms and themes that would be familiar to the recipients in governmental and energy sectors, such as International Atomic Energy Agency (IAEA), China Institute of International Studies (CIIS), strategic alliances, and nuclear doctrines.”
The emails contained either Excel or Microsoft Compiled HTML Help (CHM) attachments designed to deliver malware. Intezer notes that email attachments should always be treated with caution, but users should "never open CHM files as they are antiquated and not commonly used for legitimate purposes currently."
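As an added example, not code from Intezer or from the original page, the Python below shows how a mail gateway or incident-response script can enforce the "never open CHM" advice at the content level. It identifies CHM files by the format's real ITSF header (the four bytes "ITSF", followed by a little-endian version and total header length) instead of trusting the filename, so a CHM that has been renamed is still caught and the extension mismatch itself is reported; Excel attachments, the other lure type in this campaign, are routed to detonation. The sample attachments, their filenames and the verdict strings are constructed for the example; the only real-world constants are the ITSF magic and header sizes.

```python
"""Triage email attachments for CHM (Compiled HTML Help) content.

Added example, not part of the original report. The sample attachments
below are constructed; only the ITSF magic and header lengths are the
real values from the CHM file format.
"""
import os
import struct

CHM_SIGNATURE = b"ITSF"                          # every CHM file starts with these 4 bytes
CHM_HEADER_LENGTHS = {2: 0x58, 3: 0x60}          # ITSF version -> total header length
EXCEL_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlam"}


def is_chm(data: bytes) -> bool:
    """True if `data` begins with a plausible ITSF header.

    Layout: bytes 0-3 'ITSF', bytes 4-7 uint32 LE version, bytes 8-11
    uint32 LE total header length. Checking the version/length pair
    avoids matching on the four-letter string alone.
    """
    if len(data) < 12 or not data.startswith(CHM_SIGNATURE):
        return False
    version, header_len = struct.unpack_from("<II", data, 4)
    return CHM_HEADER_LENGTHS.get(version) == header_len


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string for one attachment (verdict wording is ours)."""
    ext = os.path.splitext(filename.lower())[1]
    if is_chm(data):
        # Content wins over name: a renamed CHM is still a CHM.
        if ext != ".chm":
            return "block: CHM content disguised as " + (ext or "no extension")
        return "block: CHM attachment"
    if ext == ".chm":
        # Not a parseable CHM, but nobody needs .chm mail anyway.
        return "block: .chm extension"
    if ext in EXCEL_EXTENSIONS:
        return "detonate: Excel attachment"
    return "allow"


def triage(attachments):
    """Map each (filename, bytes) pair to its verdict."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed samples (not real malware): a minimal v3 ITSF header padded to
# 0x60 bytes, the same bytes under a .pdf name, a zip-based xlsx stub, and text.
FAKE_CHM = CHM_SIGNATURE + struct.pack("<II", 3, 0x60) + b"\x00" * 0x54
SAMPLE_ATTACHMENTS = [
    ("IAEA_nuclear_doctrine.chm", FAKE_CHM),
    ("Embassy_of_Kyrgyzstan_notice.pdf", FAKE_CHM),
    ("CIIS_strategic_alliances.xlsx", b"PK\x03\x04" + b"\x00" * 26),
    ("agenda.txt", b"Meeting agenda\n"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:45} {name}")
```

The two-field sanity check after the magic keeps the rule from firing on arbitrary data that happens to contain "ITSF"; in a gateway you would run the same `is_chm` over members of archive attachments as well, since wrapping the CHM in a ZIP is the usual way to slip it past an extension-only filter.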