
Global stability issues alter cyber threat landscape, ESET reports


Threat actors are boosting attacks across the globe, with geographic events influencing which regions are being hit the hardest, according to a new report from threat intel researchers ESET.

Although the report’s lead author said no new attack methods have been found, he advises CISOs to double down on their defense strategies given the level of activity.

Current attack techniques “still work well,” Jean-Ian Boutin, ESET’s director of threat research, told CSO. As such, novel vectors aren’t entirely necessary for attackers. CISOs are doing the right things to combat these attacks, Boutin said; they just need to harden further.

Regional stability issues are spilling over into the cybersphere, according to the researchers, as the main global attack trends ESET has uncovered have been directly influenced by them. 

“After the Hamas-led attack on Israel in October 2023, and throughout the ongoing war in Gaza, ESET has detected a significant increase in activity from Iran-aligned threat groups,” the researchers wrote in the report, which focuses on activities of selected advanced persistent threat (APT) groups from October 2023 to March 2024.

ESET researchers also noted Russia-aligned groups focusing their attention on espionage throughout the European Union, along with attacks against Ukraine.

“On the other hand, several China-aligned threat actors exploited vulnerabilities in public-facing appliances, such as VPNs and firewalls, and software, such as Confluence and Microsoft Exchange Server, for initial access to targets in multiple verticals,” the researchers wrote. “North Korea-aligned groups continued to target aerospace and defense companies and the cryptocurrency industry.”

Russia-aligned APT groups topped the list of attack sources, according to ESET, at 33% of attacks tracked. China-aligned threat actors comprised 25% of attack sources, with APT groups aligned with Iran (14%), North Korea (13%), and other Middle East countries (7%) rounding out the top five.

Government entities were the top targets across Europe, Asia, the Middle East, and the Americas. Other notable verticals under increased pressure were energy and defense firms in Europe, engineering and manufacturing firms in Asia and the Middle East, and education, healthcare, and retail companies in the Americas.

CISOs working in those industry and region pairs should be extra vigilant.

Attack analysis

One of the newer tactics ESET is seeing from North Korea-aligned groups leverages the victim’s emotions to discourage reporting of the attack, which is likely to prolong both its use and its effectiveness. The technique itself, Boutin said, has been around for years, but North Korean APT groups are making a minor tweak.

The lure is sent to programmers and other technical talent, masquerading as a job opportunity at one of several major US companies. The attacker poses as a recruiter for those businesses, and when the victim is asked to prove their technical skills by completing an online test, the test delivers the malware and the trap is complete.

The emotional twist is that victims are hesitant to report the attack to their security or IT teams because doing so would include having to admit to trying to get another job, Boutin said. 

ESET researchers also noted increased supply-chain compromises and trojanized software installers coming from North Korean threat actors, including an attack on Taiwan-based multimedia software company CyberLink, which resulted in malicious code being inserted into the company’s software build and delivery process.

Other regional changes noted in the report include:

  • China: A new China-aligned APT group, CeranaKeeper, has been identified with specific traits connected to the digital footprint of Mustang Panda. The two groups use similar DLL hijacking targets and some shared tooling, according to ESET, but organizational and technical differences suggest they act independently.
  • Iran: Threat actors MuddyWater and Agrius have shifted their focus to “more aggressive strategies involving access brokering and impact attacks,” the researchers wrote. Previously, the groups were more involved with cyberespionage (MuddyWater) and ransomware (Agrius). OilRig and Ballistic Bobcat eased up on activities, “suggesting a strategic shift toward more noticeable operations aimed at Israel,” according to ESET.
  • Russia: “Operation Texonto, a disinformation and psychological operation (PSYOP), has been spreading false information about Russian election-related protests and the situation in the eastern Ukrainian metropolis Kharkiv, fostering uncertainty among Ukrainians domestically and abroad,” the researchers wrote.
  • Elsewhere: Exploitation of a zero-day vulnerability in Roundcube by Winter Vivern, a group ESET assesses to be aligned with the interests of Belarus, was also noted. Additionally, a campaign in the Middle East has been carried out by SturgeonPhisher, a group believed to be aligned with the interests of Kazakhstan.