
Google links China, Iran, Russia, and North Korea to coordinated defense sector cyber operations


Ravi Lakshmanan | February 13, 2026 | Malware/Critical Infrastructure

Research from the Google Threat Intelligence Group (GTIG) reveals that several state-sponsored, hacktivist, and criminal groups from China, Iran, North Korea, and Russia have set their sights on the Defense Industrial Base (DIB) sector.

The tech giant’s threat intelligence division said hostile targeting of this sector is concentrated around four major themes: supply chain risks stemming from attacks on defense organizations deploying technology on the battlefields of the Russia-Ukraine war, direct access to workers and abuse of hiring processes by North Korean and Iranian actors, use of edge devices and consumer electronics as initial access routes for groups tied to China, and compromised manufacturing sectors.

“Many of the major sponsors of cyber espionage and hacktivism have expressed interest in self-driving vehicles and drones as they play an increasing role in modern warfare,” GTIG said. “Furthermore, there is a trend toward ‘detection avoidance.’ […] Attackers continue to focus on single endpoints or individuals, or to execute intrusions in ways that attempt to bypass endpoint detection and response (EDR) tools altogether.”

Notable actors participating in this campaign include:

  • APT44 (also known as Sandworm) attempted to steal information from the Telegram and Signal encrypted messaging applications after securing physical access to devices, possibly obtained during ground operations in Ukraine. This involved using a Windows batch script called WAVESIGN to decrypt and extract data from the Signal desktop app.
  • TEMP.Vermin (also known as UAC-0020) used malware such as VERMONSTER, SPECTRUM (also known as SPECTR), and FIRMACHAGENT, with lure content centered around drone manufacturing and development, anti-drone defense systems, and video surveillance security systems.
  • UNC5125 (also known as FlyingYeti and UAC-0149) conducted a highly targeted campaign focused on front-line drone forces. The group conducted reconnaissance on prospective drone operators using surveys hosted on Google Forms and distributed malware such as MESSYFORK (also known as COOKBOX) to unmanned aerial vehicle (UAV) operators based in Ukraine via messaging apps. UNC5125 also allegedly stole credentials and data using Android malware called GREYBATTLE, a custom-built version of the Hydra banking Trojan, distributed via a website impersonating a Ukrainian military artificial intelligence company.
  • UNC5792 (also known as UAC-0195) exploited secure messaging apps to target military and government agencies in Ukraine, as well as individuals and organizations in Moldova, Georgia, France, and the United States. This threat actor is known for hijacking victims’ accounts by weaponizing Signal’s device linking feature.
  • UNC4221 (also known as UAC-0185) uses tactics similar to those of UNC5792 to target secure messaging apps used by Ukrainian military personnel. The attacker used Android malware called STALECOOKIE, which mimics the Ukrainian battlefield management platform DELTA, to steal browser cookies. Another tactic used by the group is to use ClickFix to distribute the TINYWHALE downloader, which then drops MeshAgent remote management software.
  • UNC5976 is a Russian espionage cluster that conducted a phishing campaign delivering malicious RDP connection files configured to communicate with attacker-controlled domains imitating Ukrainian telecommunications companies.
  • UNC6096 is a Russian espionage cluster that performed malware distribution operations via WhatsApp, using DELTA-related themes to deliver malicious LNK shortcuts within archive files that downloaded secondary payloads. Attacks targeting Android devices have been found to deliver malware called GALLGRAB that collects potentially encrypted user data from locally stored files, contact information, and specialized battlefield applications.
  • UNC5114 is a suspected Russian espionage cluster that distributed a variant of off-the-shelf Android malware called CraxsRAT under the guise of an update to Kropyva, a combat control system used in Ukraine.
  • APT45 (also known as Andariel) targeted South Korean defense, semiconductor, and automobile manufacturing companies with the SmallTiger malware.
  • APT43 (also known as Kimsuky) may have leveraged infrastructure mimicking German and US defense organizations to deploy a backdoor called THINWAVE.
  • UNC2970 (also known as Lazarus Group) conducted an “Operation Dream Job” campaign targeting the aerospace, defense, and energy sectors, in addition to utilizing artificial intelligence (AI) tools to conduct target reconnaissance.
  • UNC1549 (also known as Nimbus Manticore) targets aerospace, aviation, and defense industries in the Middle East using malware families including MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD. The group is known for organizing Lazarus Group-style Dream Job campaigns to trick users into running malware or surrendering their credentials under the guise of legitimate employment opportunities.
  • UNC6446 is an Iran-linked threat actor that used a resume builder and personality testing application to distribute custom malware to aerospace and defense targets in the United States and the Middle East.
  • APT5 (also known as Keyhole Panda and Mulberry Typhoon) targeted current and former employees of a major aerospace and defense contractor with tailored phishing lures.
  • UNC3236 (also known as Volt Typhoon) conducted reconnaissance operations against publicly hosted login portals of North American military and defense contractors while using the ARCMAZE obfuscation framework to hide its origin.
  • UNC6508 is a China-aligned threat cluster that targeted US-based research institutions in late 2023 by leveraging a REDCap exploit that intercepted application software upgrade processes and then dropped custom malware named INFINITERED, which was capable of persistent remote access and credential theft.

Additionally, Google said it has observed that Chinese-aligned threat groups are using operational relay box (ORB) networks for reconnaissance against targets in the defense industry, complicating detection and identification efforts.

“While specific risks vary by geographic location and subsector specialization, the broader trend is clear: the defense industrial base is under constant siege from multiple vectors,” Google said. “As with many other industries for financial gain, financially motivated actors are extorting this sector and the broader manufacturing base.”

“Campaigns against Ukrainian defense contractors, intimidation and exploitation of defense personnel, continued mass intrusions by Chinese-linked actors, and hacking, leaking, and destruction of manufacturing sites are some of the major threats to the industry today.”

