ESET APT Activity Report Q2–Q3 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. In the monitored timespan, we observed a notable strategy of APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations. Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations in Ukraine, Europe, and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to government organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.

Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests the possibility of this threat actor serving as an access development team for a more advanced group.

The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper, and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information or at least some Telegram-related metadata, Sandworm actively uses this service for active-measures purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.

North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted spearphishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms. Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another government organization in the EU.

Malicious activities described in ESET APT Activity Report Q2–Q3 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.

Countries, regions, and verticals affected by the APT groups described in this report include:

Targeted countries and regions
Armenia
Bangladesh
China
Central Asia
Czechia
European Union
French Polynesia
Greece
Guyana
Hong Kong
Israel
Japan
Kuwait
Mali
Pakistan
Philippines
Poland
Saudi Arabia
Serbia
Slovakia
South Korea
Tajikistan
Türkiye (aka Turkey)
Ukraine
United Arab Emirates
United States
Uyghurs and other Turkic ethnic minorities

Targeted business verticals
Gambling companies and their customers
Governmental organizations and entities
Hosting providers
Industrial networks
IT companies
Local governments and institutions
Media organizations
Political entities
Private companies
Scholars and journalists specializing in North Korea
Research institutes
Telecommunication operators
Universities

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.