CrowdStrike's Annual Global Threat Report. Clasiopa targets materials research organizations. PureCrypter deployed against government organizations.

Summary

By the CyberWire staff

At a glance.

CrowdStrike's Annual Global Threat Report.
Clasiopa targets materials research organizations.
PureCrypter deployed against government organizations.

CrowdStrike's Annual Global Threat Report.

CrowdStrike has published its 2023 Global Threat Report, looking at security trends and threat actor activity over the course of 2022.

The researchers found that China-linked threat actors significantly accelerated their campaigns last year, targeting nearly every industry sector to conduct cyberespionage and surveillance. Most of this activity targeted countries in Asia, with a particular focus on Taiwan's technology sector. Around a quarter of the campaigns targeted Europe and North America.

The report states, "Government-sector targeting across countries neighboring China almost certainly represents a standing intelligence collection mission for China-nexus adversaries. Telecommunications and technology sector organizations in these regions remain high-priority targets for China-nexus adversaries, albeit for distinctly separate motives. Technology entities face ongoing economic espionage campaigns targeting research and development data, proprietary information and trade secrets. Telecommunications entities present adversaries with the capacity to amplify intelligence collection or surveillance efforts via direct access to foreign telecommunications infrastructure."

The report also found that Russian cyberactivity during the war in Ukraine was "overhyped but not insignificant," marked by a large number of wiper attacks at the beginning of the invasion, then shifting to intelligence-gathering efforts in the latter half of the year. The researchers say this shift likely indicated "increasing Russian military and Kremlin requirements for situational awareness as their advances into Ukraine stalled and reversed."

CrowdStrike observed two new criminal threat actors in 2022, which the company calls "SLIPPY SPIDER" and "SCATTERED SPIDER." SLIPPY SPIDER in early 2022 launched data theft extortion attacks against large technology companies, including Microsoft, Nvidia, Okta, and Samsung, although CrowdStrike hasn't seen evidence that any of the victims paid up. Following these attacks, the threat actor drew the attention of law enforcement, and CrowdStrike says the group has been quiet since June 2022.

SCATTERED SPIDER has been conducting "targeted social engineering campaigns primarily against firms specializing in customer relationship management and business process outsourcing" since at least March 2022:

"SCATTERED SPIDER leverages access to technology companies to target third-party companies, such as victims’ customers, with a heavy focus on accessing cellular service providers. While SCATTERED SPIDER’s operational goal is not entirely known, the adversary has been observed swapping SIMs using access to cellular service providers. The adversary’s SIM swapping likely enables follow-on third-party compromise. In some cases, the adversary has also captured individual user account data for resale, or targeted data relating to cryptocurrency companies."

Clasiopa targets materials research organizations.

Symantec describes a previously unobserved threat actor the company calls “Clasiopa” that targeted a materials research firm in Asia. The threat actor uses a combination of publicly available and custom-made malware tools, including a bespoke remote access Trojan called “Atharvan.” Clasiopa also may have abused two legitimate software packages in its attacks. Symantec says there’s no firm evidence pointing to who might be behind Clasiopa. Some of the threat actor’s malware contains references to India and Hinduism, but the researchers believe these are too obvious—that they could well be false flags.

PureCrypter deployed against government organizations.

Menlo Security is tracking a campaign that’s using the commodity downloader PureCrypter to target government entities. The threat actor uses Discord to host the downloader, and employs a compromised domain belonging to a non-profit organization as a command-and-control server. The attackers are using PureCrypter to deliver a variety of malware strains, including the “Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware.” The researchers conclude that “this threat actor doesn’t appear to be a major player in the threat landscape, but the targeting of government entities is surely a reason to watch out for them.”

Selected Reading

Blackfly: Espionage Group Targets Materials Technology (Symantec) Group targets multiple subsidiaries of single Asian conglomerate.

WinorDLL64: A backdoor from the vast Lazarus arsenal? (ESET) The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group

Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities (BlackBerry) The threat group APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.

PureCrypter targets government entities through Discord (Menlo Security) Menlo Labs has uncovered an unknown threat actor leveraging an evasive threat campaign distributed via Discord featuring the PureCrypter downloader and targeting government entities.

Clasiopa: New Group Targets Materials Research (Symantec) Group uses distinct toolset but there are few clues to its origins.

A Sneak Peek of CrowdStrike's 2023 Global Threat Report (CrowdStrike) This blog previews some of the trends and findings we explore in greater detail throughout the CrowdStrike 2023 Global Threat Report.