The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: cyber espionage

Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

August 15, 2022Ravie Lakshmanan
Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software,  attributed  the malicious campaign to a threat actor tracked  Shuckworm , also known as  Actinium ,  Armageddon , Gamaredon, Primitive Bear, and Trident Ursa. The findings have been  corroborated  by the Computer Emergency Response Team of Ukraine (CERT-UA). The threat actor, active since at least 2013, is known for explicitly singling out public and private entities in Ukraine. The attacks have since ratcheted up in the wake of Russia's military invasion in late 2022. The latest set of attacks are said to have commenced on July 15, 2022, and ongoing as recently as August 8, with the infection chains leveraging phishing emails disguised as newsletters and combat orders, ultimately leading to the deployment of a PowerShell stealer malware dubbed  GammaLoad.PS1_v2 .
Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

August 10, 2022Ravie Lakshmanan
The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company. The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an  advisory  about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021. Much of the data about its modus operandi came from incident response activities and industry analysis of a Maui sample that revealed a lack of "several key features" typically associated with ransomware-as-a-service (RaaS) operations. Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it's also notable for not including a ransom note to provide recovery instructions. Subsequently, the Justice Department  announced  the seizure of $500,000 worth of Bitcoin that were extorted from several organizations, including two he
Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

August 08, 2022Ravie Lakshmanan
Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets. The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan, and the U.K. "Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta  said  in its Quarterly Adversarial Threat Report. "They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware." The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into cl
Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

June 13, 2022Ravie Lakshmanan
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called  PingPull , the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol ( ICMP ) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today. Gallium is notorious for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name  Soft Cell  by Cybereason, the state-sponsored actor has been  connected  to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017. Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cam
Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

May 22, 2022Ravie Lakshmanan
At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed " Twisted Panda ," come in the backdrop of Russia's military invasion of Ukraine, prompting a  wide range  of  threat actors  to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents. Israeli cybersecurity firm Check Point, which  disclosed  details of the latest intelligence-gathering operation, attributed it a Chinese threat actor, with connections to that of  Stone Panda  (aka  APT 10 , Cicada, or Potassium) and  Mustang Panda  (aka Bronze President, HoneyMyte, or RedDelta). Callin
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

May 02, 2022Ravie Lakshmanan
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka  RedFoxtrot ). "PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen  said . "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products." ShadowPad , labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors. Alth
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

May 02, 2022Ravie Lakshmanan
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments. Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like  APT28  and  APT29 .  "The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm  said  in a Monday report. The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

May 02, 2022Ravie Lakshmanan
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25  said  in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country." Override Panda, also called  Naikon , Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting  ASEAN countries . Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware
China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks

China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks

March 01, 2022Ravie Lakshmanan
A previously undocumented espionage tool has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign orchestrated by China-linked threat actors since at least 2013. Broadcom's Symantec Threat Hunter team characterized the backdoor, named  Daxin , as a technologically advanced malware, allowing the attackers to carry out a variety of communications and information-gathering operations aimed at entities in the telecom, transportation, and manufacturing sectors that are of strategic interest to China. "Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in an independent advisory. The implant takes the form of a Windows kernel driver that implements an elabor
Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

February 16, 2022Ravie Lakshmanan
The politically motivated Moses Staff hacker group has been observed using a custom multi-component toolset with the goal of carrying out espionage against its targets as part of a new campaign that exclusively singles out Israeli organizations. First  publicly documented  in late 2021, Moses Staff is believed to be sponsored by the Iranian government, with attacks reported against entities in Israel, Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S. Earlier this month, the hacker collective was observed incorporating a previously undocumented remote access trojan (RAT) called " StrifeWater " that masquerades as the Windows Calculator app to evade detection. "Close examination reveals that the group has been active for over a year, much earlier than the group's first official public exposure, managing to stay under the radar with an extremely low detection rate," findings from FortiGuard Labs show . The latest threat activity involves an atta
New CapraRAT Android Malware Targets Indian Government and Military Personnel

New CapraRAT Android Malware Targets Indian Government and Military Personnel

February 07, 2022Ravie Lakshmanan
A politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT) in its espionage attacks aimed at Indian military and diplomatic entities. Called  CapraRAT  by Trend Micro, the implant is an Android RAT that exhibits a high "degree of crossover" with another Windows malware known as CrimsonRAT that's associated with Earth Karkaddan, a threat actor that's also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe. The first concrete signs of APT36's existence  appeared  in  2016  as the group began distributing information-stealing malware through phishing emails with malicious PDF attachments targeting Indian military and government personnel. The group is believed to be of  Pakistani origin  and operational since at least 2013. The threat actor is also known to be consistent in its modus operandi, with the attacks predominantly banking o
Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

February 06, 2022Ravie Lakshmanan
A Chinese advanced persistent threat (APT) group has been targeting Taiwanese financial institutions as part of a "persistent campaign" that lasted for at least 18 months. The intrusions, whose primary intent was espionage, resulted in the deployment of a backdoor called xPack , granting the adversary extensive control over compromised machines, Broadcom-owned Symantec said in a  report  published last week. What's notable about this campaign is the amount of time the threat actor lurked on victim networks, affording the operators ample opportunity for detailed reconnaissance and exfiltrate potentially sensitive information pertaining to business contacts and investments without raising any red flags. In one of the unnamed financial organizations, the attackers spent close to 250 days between December 2020 and August 2021, while a manufacturing entity had its network under their watch for roughly 175 days. Although the initial access vector used to the breach the ta
Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers

Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers

February 01, 2022Ravie Lakshmanan
Cybersecurity researchers on Monday said they uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021. Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective known to be active since at least 2013. In November 2021, Ukrainian intelligence agencies  branded  the group as a "special project" of Russia's Federal Security Service (FSB), in addition to pointing fingers at it for carrying out over 5,000 cyberattacks against public authorities and critical infrastructure located in the country. Gamaredon attacks typically originate with phishing emails that trick the recipients into installing a custom remote access trojan called Pterodo. Symantec disclosed that, between July 14, 2021 and August 18, 2021, the actor installed several variants of the backdoor as well as deployed additional scripts
Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

January 25, 2022Ravie Lakshmanan
Cybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia. The attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix — a new company created following the merger of security firms McAfee Enterprise and FireEye — said in a report shared with The Hacker News. "This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic," Trellix explained. First signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between Oct
ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups

ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups

August 20, 2021Ravie Lakshmanan
ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017. "The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen  said  in a detailed overview of the malware, adding "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." The American cybersecurity firm dubbed ShadowPad a "masterpiece of privately sold malware in Chinese espionage." A successor to PlugX and a modular malware platform since 2015,  ShadowPad  catapulted to widespread attention in the wake of supply chain incidents targeting  NetSarang ,  CCleaner , and  ASUS , leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques. More recently, atta
Experts Believe Chinese Hackers Are Behind Several Attacks Targeting Israel

Experts Believe Chinese Hackers Are Behind Several Attacks Targeting Israel

August 10, 2021Ravie Lakshmanan
A Chinese cyber espionage group has been linked to a string of intrusion activities targeting Israeli government institutions, IT providers, and telecommunications companies at least since 2019, with the hackers masquerading themselves as Iranian actors to mislead forensic analysis. FireEye's Mandiant threat intelligence arm attributed the campaign to an operator it tracks as "UNC215", a Chinese espionage operation that's believed to have singled out organizations around the world dating back as far as 2014, linking the group with "low confidence" to an advanced persistent threat (APT) widely known as  APT27 , Emissary Panda, or Iron Tiger. "UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors," FireEye's Israel and U.S. threat intel teams  said  in a report published today. "The group targets data and organizations which are of great interest
A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran

A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran

June 17, 2021Ravie Lakshmanan
Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan (RAT) capable of stealing sensitive information from targets' devices since at least 2015. Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat (APT) group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar. "The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind," Kaspersky's Global Research and Analysis Team (GReAT)  said . "Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bas
Malware Attack on South Korean Entities Was Work of Andariel Group

Malware Attack on South Korean Entities Was Work of Andariel Group

June 16, 2021Ravie Lakshmanan
A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that  Lazarus  attackers are following the trends and their  arsenal  is in  constant development . "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky  said  in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors. Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was  sanctioned by the U.S. Treasury Department  for their malicious cyber activity on critical infrastructure. Anda
New Cyber Espionage Group Targeting Ministries of Foreign Affairs

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

June 11, 2021Ravie Lakshmanan
Cybersecurity researchers on Thursday took the wraps off a new cyber espionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017. Dubbed " BackdoorDiplomacy ," the campaign involves targeting weak points in internet-exposed devices such as web servers to perform a panoply of cyber hacking activities, including laterally moving across the network to deploy a custom implant called Turian that's capable of exfiltrating sensitive data stored in removable media. "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of  Quarian , the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S," said Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET. Engineered to target both Windows and Linux operating systems, th
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.