Previously obscure N. Korean hacker group is now stronger than ever, say experts

APT37A little-known North Korean cyber espionage group has widened its scope and increased its sophistication in the past year, and now threatens targets worldwide, according to a new report by a leading cyber security firm. Since 2010, most cyber-attacks by North Korean hackers have been attributed to a group dubbed “Lazarus” by cyber security specialists. The Lazarus Group is thought to have perpetrated the infamous Sony Pictures attacks in 2014, and the worldwide wave or ransomware attacks dubbed WannaCry by experts in 2017. It is widely believed that the Lazarus Group operates on behalf of the government of North Korea. Most of its operations constitute destructive attacks —mostly cyber sabotage— and financial criminal activity.

For the past six years, a smaller hacker element within the Lazarus Group has engaged in intelligence collection and cyber espionage. Cyber security researchers have dubbed this sub-element “APT37”, “ScarCruft” or “Group123”. Historically, APT37 has focused on civilian and military targets with links to the South Korean government. The hacker group has also targeted human rights groups and individual North Korean defectors living in South Korea. However, a new report warns that APT37 has significantly expanded its activities in terms of both scope and sophistication in the past year. The report, published on Tuesday by the cyber security firm FireEye, suggests that APT37 has recently struck at targets in countries like Vietnam and Japan, and that its activities have disrupted telecommunications networks and commercial hubs in the Middle East.

According to the FireEye report, aerospace companies, financial institutions and telecom- munications service providers in at least three continents have been targeted by APT37 in recent months. What is even more worrying, says the report, is that the hacker group is now capable of exploiting so-called “zero-day” vulnerabilities. These are software bugs and glitches in commonly used software, which have not been detected by software providers and are therefore exploitable by malicious hackers. FireEye said in its report that the North Korean regime will be tempted to use APT37 increasingly often “in previously unfamiliar roles and regions”, as cyber security experts are catching up with some of Pyongyang’s more visible hacker groups, such as Lazarus.

Author: Joseph Fitsanakis | Date: 21 February 2018 | Permalink

Advertisements

Iranian state-backed cyber spies becoming increasingly skilled, says report

Computer hackingA group of cyber spies with close links to the Iranian government is becoming increasingly competent and adept, and could soon bring down entire computer networks, according to a leading cyber security firm. The California-based cyber security company FireEye said that it has been monitoring the operations of the mysterious group of cyber spies since 2013. The company, whose clients include Sony Pictures, JP Morgan Chase and Target, said that the Iranian group appears to be especially interested in gathering secrets from aviation, aerospace and petrochemical companies.

In a detailed report published on Wednesday, FireEye said that the Iranian group has a very narrow target focus. Moreover, it attacks its targets —which are typically companies— in highly customizable ways. The latter includes the use of cleverly designed phishing tools that are designed to attract the attention of the company’s unsuspecting employees. So far, companies that have been targeted include Saudi petrochemical conglomerates, American aviation firms, as well as South Korean and other Southeast Asian companies that have aviation or energy holdings, said FireEye. The security company said it had codenamed the group “APT33”, which stands for “Advanced Persistent Threat #33”. It also said that APT33 was clearly distinct from other known Iranian hacker groups, because of the sophistication of its operations and the quality of its cyber weapons. The cyber security firm said that APT33 was the first Iranian hacker group to be included on a select list of the most capable cyber spy groups from around the world.

Some experts believe that APT33 is run by Iran’s Revolutionary Guard Corps, an irregular branch of the Iranian military, which is seen by many as a state within a state in post-1979 Iran. The FireEye report does not appear conclusive on this point. However, it notes that APT33 has built an offensive cyber arsenal “with potential destructive capabilities”, but that it currently appears to focus solely on intelligence collection, not sabotage or warfare.

Author: Joseph Fitsanakis | Date: 21 September 2017 | Permalink

China ‘hacked European government computers’ prior to G20 summit

G20 Summit participantsBy IAN ALLEN | intelNews.org
A group of hackers from China managed to compromise computer networks belonging to the foreign ministries of several European governments prior to last September’s G20 Summit, according to a private computer security firm. The Summit, which took place in St. Petersburg, Russia, on September 5 and 6 of this year, brought together the heads of state of 20 major economies, including the United States and many European Union countries. The meeting agenda was dominated by discussions concerning the response of the international community to the chemical attacks in Ghouta, Syria. According to the Reuters news agency, the hackers managed to infiltrate carefully targeted computer networks by sending emails containing infected attachments to employees of foreign ministries. The attached files bore titles such as “US_military_options_in_Syria”, which appeared designed to bear reference to the upcoming G20 Summit. The hacking revelations were made by FireEye, Inc., a California-based security firm, which says it has proof the hackers came from China. The firm says its confidence on the matters stems from “a variety of technical evidence”, such as the language used on the control server used by the hackers, as well as the types of machines that were used to test the virus before it was deployed. FireEye said its experts were able to keep tabs on the “inner workings” of the primary computer server that the hackers used to monitor the compromised computer networks. However, shortly before the Summit begun, the hackers migrated to another server, at which point the FireEye team lost contact with them. Read more of this post