ATIP_March 2025_Threat Trend Report on APT Groups

Purpose and Scope

This report covers state-led threat groups, presumed to conduct cyber espionage or sabotage with the backing of certain governments. For convenience, these groups are referred to as advanced persistent threat (APT) groups. The report therefore does not cover cybercriminal groups whose aim is financial profit.

This report compiles analyses of APT groups published during the previous month by security companies and institutions, including AhnLab; the activity of some APT groups may not be included.

Group names and classification criteria vary between security companies and researchers; this report uses the well-known threat actor names of the AhnLab Threat Intelligence Platform (ATIP).

Major APT Group Trends by Country

1. North Korea

North Korean APT groups were the most active. Besides email, they also posted malware on community boards where their targets were active. In attacks involving fake job interviews, they used the ClickFix technique, showing that North Korean APT groups are also actively adopting widely used attack techniques.

Kimsuky

The Kimsuky group uploaded a Hancom Hangul Word Processor file with a malicious OLE object to a notice post recruiting students for a unification education program.

Konni

The Konni group infected systems with the AsyncRAT malware using LNK files.

Lazarus

The Lazarus group exploited vulnerabilities in Korean web servers to set them up as C&C servers. They carried out attacks that targeted developers through npm packages, and they continue to attempt attacks on cryptocurrency exchanges through fake job interviews. There have also been attacks using the ClickFix technique, which threat actors have recently adopted.