
Woburn, MA – July 10, 2018 – During the second quarter of 2018, Kaspersky Lab researchers observed an active landscape of advanced persistent threat (APT) operations, based mainly in Asia and involving both well-known and less familiar threat actors. A number of groups targeted or timed their campaigns around sensitive geopolitical incidents. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.

In Q2 2018, Kaspersky Lab researchers continued to uncover new tools, techniques and campaigns being launched by APT groups, some of which had been quiet for years. Asia remained the epicenter of APT interest: regional groups, such as the Korean-speaking Lazarus and Scarcruft, were particularly busy, and researchers discovered an implant called LightNeuron being used by the Russian-speaking Turla to target Central Asia and the Middle East.

Highlights in Q2 2018 include:

  • The return of the actor behind Olympic Destroyer: After its January 2018 attack against the Pyeongchang Winter Olympic Games, researchers discovered what they believed was new activity by this actor, targeting financial organizations in Russia, as well as biochemical threat prevention laboratories in Europe and Ukraine. A number of indicators suggest a low- to medium-confidence link between Olympic Destroyer and the Russian-speaking threat actor Sofacy.
  • Lazarus/BlueNoroff: There were indications that this high-profile APT was targeting financial institutions in Turkey as part of a bigger cyberespionage campaign, as well as casinos in Latin America. These operations suggest that financially motivated activity continues for this group, despite the ongoing North Korean peace talks.
  • Relatively high activity from the Scarcruft APT: Researchers also observed this threat actor using Android malware and launching an operation with a new backdoor named POORWEB.
  • The LuckyMouse APT: The Chinese-speaking threat actor also known as APT 27, which had previously been observed abusing ISPs in Asia for watering-hole attacks through high-profile websites, was also found to be actively targeting Kazakh and Mongolian governmental entities around the time these governments held their meeting in China.
  • The VPNFilter campaign: First uncovered by Cisco Talos and attributed by the FBI to Sofacy or Sandworm, VPNFilter revealed how vulnerable domestic networking hardware and storage devices are to attack. The threat can even inject malware into traffic in order to infect computers behind the infected networking device. Kaspersky Lab’s analysis confirmed that traces of this campaign can be found in almost every single country.

“The second quarter of 2018 was very interesting in terms of APT activity, with a few remarkable campaigns that remind us how real some of the threats we have been predicting over the last few years have become,” said Vicente Diaz, principal security researcher, Kaspersky Lab Global Research and Analysis Team. “In particular, we have repeatedly warned that networking hardware is ideally suited to targeted attacks, and we have highlighted the existence and spread of advanced activity focusing on these devices.”

The Q2 APT Trends report summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com

The Q2 APT Trends summary report can be found on Securelist.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

Media Contact

Jessica Bettencourt
781.503.7851
Jessica.Bettencourt@kaspersky.com

Geopolitical targets and new campaigns in Asia mark busy Q2 for threat actors

These and other trends highlighted in Kaspersky Lab’s Q2 2018 threat intelligence summary