ESET released its T1 2022 Threat Report, presenting a new investigation into the infamous Lazarus APT Group and their attack on defence contractors around the world between late 2021 and March 2022.
The ESET Threat Report details targeted attacks connected to the Russian invasion of Ukraine and how the war changed the threat landscape.
- The number of RDP attacks dropped for the first time since the beginning of 2020 (-43%), with attack attempts against SQL (-64%) and SMB (-26%) following.
- Prior to the invasion of Ukraine, Russia and some countries of the Commonwealth of Independent States (CIS) were typically excluded from ransomware target lists, possibly due to the criminals residing in those countries or fearing retribution; in T1 2022 Russia faced the largest share of detections (12%) in the Ransomware category.
- The war brought on an influx of phishing and scam campaigns taking advantage of people trying to support Ukraine, these were detected almost immediately after the start of the invasion.
- In March and April 2022, Emotet operators shifted into a higher gear, launching massive spam campaigns using weaponized Microsoft Word documents, leading to the 113-fold increase of Emotet detections in T1 2022.
- Emotet’s campaigns were reflected in the Email threats category, which grew by 37% in T1 2022.
The latest issue of the ESET Threat Report recounts the various cyberattacks connected to the ongoing war in Ukraine that ESET researchers analysed or helped to mitigate. This includes the resurrection of the infamous Industroyer malware, attempting to target high-voltage electrical substations.
ESET telemetry also recorded other changes in the cyberthreat realm that might have a connection to the situation in Ukraine. Roman Kováč, Chief Research Officer at ESET, clarifies why this report is so focused on cyberthreats related to this war: “Several conflicts are raging in different parts of the world, but for us, this one is different. Right across Slovakia’s eastern borders, where ESET has its HQ and several offices, Ukrainians are fighting for their lives and sovereignty.”
Shortly before the Russian invasion, ESET telemetry recorded a sharp drop in Remote Desktop Protocol (RDP) attacks. The decline in these attacks comes after two years of constant growth – and as explained in the Exploits section of the latest ESET Threat Report, this turn of events might be related to the war in Ukraine. But even with this fall, almost 60% of incoming RDP attacks seen in T1 2022 originated in Russia.
Another side effect of the war: while in the past ransomware threats tended to avoid targets located in Russia, during this period, according to ESET telemetry, Russia was the most targeted country. ESET researchers even detected lock-screen variants using the Ukrainian national salute “Slava Ukraini!” (Glory to Ukraine!). Since the Russian invasion of Ukraine, there has been an increase in the number of amateurish ransomware and wipers. Their authors often pledge support for one of the fighting sides and position the attacks as a personal vendetta.
Unsurprisingly, the war has also been noticeably exploited by spam and phishing threats. Immediately after the invasion on February 24, scammers started to take advantage of people trying to support Ukraine, using fictitious charities and fundraisers as lures. On that day, ESET telemetry detected a large spike in spam detections.
ESET telemetry has also seen many other threats unrelated to the Russia/Ukraine war. “We can confirm that Emotet – the infamous malware, spread primarily through spam email – is back after last year’s takedown attempts, and has shot back up in our telemetry,” explains Kováč. Emotet operators spewed spam campaign after spam campaign in T1, with Emotet detections growing by more than a hundredfold. However, as the Threat Report notes, the campaigns relying on malicious macros might well have been the last, given Microsoft’s recent move to disable macros from the internet by default in Office programs. Following the change, Emotet operators started testing other compromise vectors on much smaller samples of victims.
Lazarus attacks aerospace and defence contractors worldwide
At the recently held ESET World annual conference, ESET researchers also presented a new investigation into the infamous Lazarus APT group. Director of ESET Threat Research, Jean-Ian Boutin, went over various new campaigns perpetrated by the Lazarus group against defence contractors around the world between late 2021 and March 2022.
- Targets were, according to ESET Telemetry, in Europe (France, Italy, Spain, Germany, Czech Republic, the Netherlands, Poland, and Ukraine), the Middle East (Turkey, Qatar), and Latin America (Brazil).
- For fake recruiting campaigns, they used services such as LinkedIn and WhatsApp.
- According to the U.S. government, Lazarus is linked to the North Korean regime.
In the relevant 2021-2022 attacks, and according to ESET telemetry, Lazarus has been targeting companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil).
Despite the primary aim of this Lazarus operation being cyber-espionage, the group has also worked to exfiltrate money (unsuccessfully). “The Lazarus threat group showed ingenuity by deploying an interesting toolset, including, for example, a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.
As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defence contractors ESET called operation In(ter)ception. This campaign was noteworthy as it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, Czech Republic, Qatar, Turkey and Ukraine had already been targeted.
ESET researchers believed that the action was mostly geared toward attacking European companies, but through tracking a number of Lazarus sub-groups performing similar campaigns against defence contractors, they soon realised that the campaign extended much wider. While the types of malware used in the various campaigns were different, the initial modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee through LinkedIn and eventually sent malicious components.
In this regard, they’ve continued with the same M.O. as in the past. However, ESET researchers have also documented the reuse of legitimate hiring campaign elements to add legitimacy to their fake recruiters’ campaigns. Additionally, the attackers have used services such as WhatsApp or Slack in their malicious campaigns.
In 2021, the U.S. Department of Justice charged three IT programmers for cyberattacks as they were working for the North Korean military. According to the U.S. government, they belonged to the North Korean military hacker unit known in the infosec community as Lazarus Group.
You can read the full report here.