ESET Report Flags Latest Shifts in State Aligned Cyber Warfare


Cybersecurity software company ESET has released its latest advanced persistent threat (APT) actor report, highlighting the cyber warfare activities of China, Russia, and Iran-aligned groups.

The highlighted operations are representative of the broader threat landscape ESET Research investigated during the six months from October 2023 to the end of March 2024, illustrating key trends and developments.

After the Hamas-led attack on Israel in October 2023 and throughout the ongoing war in Gaza, ESET detected a significant increase in activity from Iran-aligned threat groups. Russia-aligned groups have focused their activities on espionage within the European Union and attacks against Ukraine.

On the other hand, several China-aligned threat actors exploited vulnerabilities in public-facing appliances, including VPNs and firewalls, and software, such as Confluence and Microsoft Exchange Server, for initial access to targets in multiple verticals. North Korea-aligned groups continued to target aerospace and defence companies and the cryptocurrency industry.

“The targets of most of the campaigns were government organizations and certain verticals: for example, those targeted in continued and relentless attacks on Ukrainian infrastructure,” said Jean-Ian Boutin, Director of Threat Research at ESET. ”

“Europe experienced a more diverse range of attacks from various threat actors. Russia-aligned groups strengthened their focus on espionage in the European Union. China-aligned threat actors also maintain a consistent presence, indicating a continued interest in European affairs by both Russia- and China-aligned groups.”

Based on the data leak from Chinese security services company I-SOON (Anxun), ESET Research confirmed that this Chinese contractor is also engaged in cyberespionage. ESET tracked a part of the company’s activities under the FishMonger group. In this latest report, ESET also introduces a new China-aligned APT group, CeranaKeeper, which is distinguished by unique traits yet possibly connected by the digital footprint with the Mustang Panda group.

In the case of Iran-aligned threat groups, MuddyWater and Agrius transitioned from their previous focus on cyberespionage and ransomware to more aggressive strategies involving access brokering and impact attacks. Meanwhile, OilRig and Ballistic Bobcat activities saw a downturn, suggesting a strategic shift toward more noticeable and louder operations aimed at Israel.

Regarding Russia-aligned activity, the Operation Texonto campaign, a disinformation and psychological operation uncovered by ESET researchers, has been spreading false information about Russian election-related protests and the situation in the eastern Ukrainian metropolis Kharkiv, fostering uncertainty among Ukrainians domestically and abroad.

The report also describes the exploitation of a zero-day vulnerability in Roundcube by Winter Vivern, a group ESET says is aligned with Belarussian interests. Additionally, ESET spotlights a campaign in the Middle East carried out by SturgeonPhisher, a group ESET researchers believe to be aligned with the interests of Kazakhstan.

You can read the full report here.