Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense industrial base (DIB) sector, according to findings from Google Threat Intelligence Group (GTIG).
The tech giant’s threat intelligence division said the adversarial targeting of the sector is centered around four key themes: striking defense entities deploying technologies on the battlefield in the Russia-Ukraine War, directly approaching employees and exploitation of the hiring process by North Korean and Iranian actors, use of edge devices and appliances as initial access pathways for China-nexus groups, and supply chain risk stemming from the breach of the manufacturing sector.
“Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare,” GTIG said. “Further, the ‘evasion of detection’ trend […] continues, as actors focus on single endpoints and individuals, or carry out intrusions in a manner that seeks to avoid endpoint detection and response (EDR) tools altogether.”
Some of the notable threat actors that have participated in the activity include –
- APT44 (aka Sandworm) has attempted to exfiltrate information from Telegram and Signal encrypted messaging applications, likely after securing physical access to devices obtained during on-ground operations in Ukraine. This includes the use of a Windows batch script called WAVESIGN to decrypt and exfiltrate data from Signal’s desktop app.
- TEMP.Vermin (aka UAC-0020) has used malware like VERMONSTER, SPECTRUM (aka SPECTR), and FIRMACHAGENT using lure content revolving around drone production and development, anti-drone defense systems, and video surveillance security systems.
- UNC5125 (aka FlyingYeti and UAC-0149) has conducted highly targeted campaigns focusing on frontline drone units. It has used a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone operators, and distributed via messaging apps malware like MESSYFORK (aka COOKBOX) to an Unmanned Aerial Vehicle (UAV) operator based in Ukraine.
- UNC5125 is also said to have leveraged an Android malware called GREYBATTLE, a bespoke version of the Hydra banking trojan, to steal credentials and data by distributing it via a website spoofing a Ukrainian military artificial intelligence company.
- UNC5792 (aka UAC-0195) has exploited secure messaging apps to target Ukrainian military and government entities, as well as individuals and organizations in Moldova, Georgia, France, and the U.S. The threat actor is notable for weaponizing Signal’s device linking feature to hijack victim accounts.
- UNC4221 (aka UAC-0185) has also targeted secure messaging apps used by Ukrainian military personnel, using tactics similar to UNC5792. The threat actor has also leveraged…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
