Targeted Attacks and Approaches to Countermeasures, 5th Edition: Trends in Cyber Espionage Targeting Japan, FY2020

About this report

This report analyzes the attack campaigns observed in fiscal year 2020 (April 2020 to March 2021) that attempted to steal confidential information (personal information, policy-related information, manufacturing data, etc.) from Japanese organizations, and is published to raise awareness of them. Focusing on incidents that used highly stealthy remote-access trojans (RATs), it describes new attack methods and how the threats they pose can be detected.

The indicators used in the campaigns mentioned in the text are listed at the end of the report.

Attack timeline and industries in which attacks were observed

Compared with our observations in the previous fiscal year1, the attack trends of FY2020 show that the activities of the Tick and BlackTech attack groups against domestic organizations, which were relatively active in FY2019, declined, while the APT10 attack group was actively observed, both in attacks using the LODEINFO malware and in the A41APT attack campaign, which has been reported as the work of APT10.

Table 1. Time chart

As in previous observations, attack activity believed to be carried out by the DarkHotel attack group was observed in the first half of the year, and our analysis found that attacks by the CloudDragon (Kimsuky2) attack group and attacks3 using the VSingle malware of the DarkSeoul attack group were being carried out against Japan. (We analyzed the characteristics of the group using the VSingle malware separately, as a group related to DarkSeoul4 within the Lazarus attack groups.) Throughout the year, we observed active attacks by the APT10 attack group against media and think tanks using the LODEINFO malware5. In addition, we observed the A41APT attack campaign6 7 8, in which the same type of APT10 loader (DES_Loader) deployed several different payloads (SodaMaster, P8RAT, Cobalt Strike Stager Shellcode, xRAT) in memory. Most of the targets observed in the A41APT attack campaign were manufacturing companies and IT service providers, and according to public information on the campaign, other industries such as government, healthcare and apparel were also targeted9. Our analysis suggests that this was the most active attack group targeting Japan. Attacks using ShadowPad by the Sanyo (Tonto Team10) attack group were also observed, although only rarely.

Figure 1. Pie chart of target organizations (FY2020)

Because attacks using APT10's LODEINFO malware targeted media and think tanks throughout the year, media and think tanks account for a large share of the targets. APT10's A41APT attack campaign was observed mostly in the manufacturing industry, but we would like to draw attention to industries that do not appear here, such as government, healthcare and apparel. That the A41APT campaign also targeted such unexpected industries suggests two possibilities: the attackers' targeting may be changing, or affiliates that are easier to compromise may have been targeted as a way into the real target. We consider the A41APT attack campaign one of the most difficult targeted attacks to detect. It is difficult to detect because there is no intrusion via spear-phishing emails; most of the hosts infected with the malware are server OSs of domestic companies, including their overseas affiliates; the number of infected devices is small; and the C2 server IP address differs for each infected host. As a result, the attackers not only intrude through sites whose countermeasures are weaker than the headquarters network of domestic companies, but are also hard to detect with static IOCs such as hash values and IP addresses, including those in this document. If you are in one of the industries described here, we ask that, where possible, you refer to the detection methods described in the latter half of this document and check each affiliated company and each site, including those overseas.

Targeted attacks are difficult to discover, and this year reminded us again that they are a troublesome problem in which detecting an intrusion takes time. The statistics in this report are only the tip of the iceberg, so please refer to the attack methods described here and remain vigilant.

Contents of "Targeted Attacks and Approaches to Countermeasures, 5th Edition"
  • Introduction
  • Attack timeline and industries in which attacks were observed
  • Attack summary
    1. April 2020 (media, think tank, N/A)
    2. May 2020 (N/A)
    3. June 2020 (Manufacturing)
    4. August 2020 (Manufacturing)
    5. October-December 2020 (multiple manufacturing industries, IT services)
    6. December 2020-February 2021 (media, think tank)
  • New TTPs, RATs, etc.
    1. Cloud Dragon (Kimsuky)
    2. A41APT Attack Campaign Post-Intrusion Attack Tools
    3. Attacks that appear to target security officials
    4. Cooperation among attack groups based in Chinese-speaking regions (Sanyo, Tick, Winnti Group)
    5. LODEINFO Evolving Attack Campaigns
  • About attack groups
  • TTPs (tactics, techniques, procedures) by threat group
  • Threat Detection and Mitigation Considered from TTPs
    1. Malware Delivery/Attack
    2. Installed RATs and remote control (C2 servers)
    3. Intrusion expansion and objective execution
  • Indicators for detection

1 https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_4.pdf
2 https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/
3 https://blogs.jpcert.or.jp/ja/2021/03/Lazarus_malware3.html
4 https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787
5 https://blogs.jpcert.or.jp/ja/tags/lodeinfo/
6 https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_jp.pdf
7 https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
8 https://www.lac.co.jp/lacwatch/report/20201201_002363.html
9 https://symantec-enterprise-blogs.security.com/blogs/japanese/ribenguanlianzuzhiwobiaodetoshitazhangqiniwataruqiaomiaonagongjikiyanhen
10 https://gblogs.cisco.com/jp/2020/03/talos-bisonal-10-years-of-play/

Inquiries / Document requests

Macnica Security Service Co., Ltd.

Mon-Fri 8:45-17:30