About reports

This is a summary of research conducted by Macnica and TeamT5 regarding attacker groups targeting Japanese organizations.

Its purpose is to call attention to the attack campaigns observed in FY2019 (April 2019 to March 2020) that attempted to steal confidential information (personal information, policy-related information, manufacturing data, etc.) from Japanese organizations.

It also describes new attack methods and how to detect the threats they pose, focusing on incidents observed in the second half of FY2019 that used highly stealthy remote-access trojans (RATs). Finally, it presents the indicators observed in the attack campaigns described in the text.

Industries and trends where attacks were observed

Looking at attack trends in FY2019, the Tick and BlackTech attack groups have remained active since our observations of the previous year [1], but the number of attack groups targeting Japan decreased this year. Attacks against the media increased overall, driven by heightened activity of the DarkHotel attack group against media organizations in the first half of the year. In the second half of the year, we observed BlackTech activity targeting IT service companies. Last year's observations showed the manufacturing industry as the main target of the BlackTech attack group; our analysis suggests that it may also be targeting business intelligence. In addition, two major electrical companies announced that they had been targeted by attacks around 2017 and 2018 [2][3][4]. According to reports, one of these companies was compromised by the Tick and BlackTech attack groups, and in addition to its own information, various information from multiple government offices such as the Ministry of Defense and from the electric power, communications, railway and automotive sectors is said to have been accessed illegally. Also according to reports, this company's base in China was compromised first, through an attack on a vulnerability in the server of an antivirus product; the infection then spread by exploiting the product's update function, and the headquarters was infiltrated [5]. CVE-2019-9489 and CVE-2019-18187 are listed as vulnerabilities in the management servers of antivirus products that allow file replacement and arbitrary code execution, leading to the spread of infection [6][7]. These incidents are not included in the statistics our company reported last year and the year before, which made us recognize anew that targeted attacks are hard to discover and detect, and that the time it takes to detect an intrusion is a serious problem.
The statistics in this report are just the tip of the iceberg, so please refer to the attack methods described here and remain vigilant.

Figure 1. Pie chart of target organizations (2019)

Attack timeline and attack summary

Below is a table of attack group activity by month from April to March. Our analysis shows a decline in new activity by the Tick and BlackTech attack groups since September. On the other hand, attacks against organizations in which the groups had already established a foothold continued: in the second half of the year, Tick activity was detected at a chemical organization in September, and BlackTech activity at an IT service company in February. In December and January we also observed attacks using a RAT (LODEINFO) that resembles the ANEL malware used in past attacks by the APT10 attack group [8], although these have not yet been attributed to a specific attack group.

Table 1. 2019 timeline

Contents of "Targeted Attacks and Countermeasure Approaches 4th Edition"

  • Introduction
  • Industries and trends where attacks were observed
  • Attack timeline and attack summary
    • September 2019 (Chemical)
    • December 2019 (media)
    • January 2020 (Defense related)
    • February 2020 (IT service)
  • New TTPs, RATs, etc.
    • Tick
    • BlackTech
    • LODEINFO
  • About attack groups
    • Tick (Nian)
    • BlackTech (Huapi)
  • TTPs (tactics, techniques, procedures) by attack group
  • Threat Detection and Mitigation Considered from TTPs
    • Malware Delivery/Intrusion Attacks
    • Installed RATs and remote control (about C&C)
    • Expansion of intrusion/purpose execution
  • Indicators for detection

[1] https://www.macnica.co.jp/mpressioncss/feature_03.html/

[2] https://www.asahi.com/articles/ASN1M6VDSN1MULFA009.html

[3] https://www.mitsubishielectric.co.jp/news/2020/0212-b.pdf

[4] https://jpn.nec.com/press/202001/20200131_01.html

[5] https://www.asahi.com/articles/ASN1P6TGLN1PUTIL02V.html

[6] https://www.jpcert.or.jp/at/2019/at190034.html

[7] https://www.jpcert.or.jp/at/2019/at190041.html

[8] https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_6_tamada_jp.pdf