Google Uncovers Global Cyber Threat: China, Iran, Russia, and North Korea Linked to Coordinated Defense Sector Hacking Operations
Coordinated Cyber Operations Target Defense Sector Globally
A recent analysis by Google’s threat intelligence division has revealed a coordinated effort by state-sponsored threat actors from China, Iran, Russia, and North Korea to target the defense sector worldwide. The activity clusters around four themes: targeting defense entities involved in the Russia-Ukraine War, abusing the hiring process, using edge devices as the initial access path, and compromising the supply chain.
Targeting Autonomous Vehicles and Drones
The threat actors are particularly interested in autonomous vehicles and drones, which play a significant role in modern warfare. To evade detection, they are targeting single endpoints and individuals, or carrying out intrusions in a manner that avoids endpoint detection and response (EDR) tools.
Notable Threat Actors
Several notable threat actors have been identified as participating in this activity. APT44 (also known as Sandworm) has attempted to exfiltrate information from encrypted messaging applications, including Telegram and Signal, likely after gaining physical access to devices during ground operations in Ukraine. The group has used a Windows batch script called WAVESIGN to decrypt and exfiltrate data from Signal’s desktop app.
TEMP.Vermin (also known as UAC-0020) has used malware like VERMONSTER, SPECTRUM, and FIRMACHAGENT to target organizations involved in drone production and development, anti-drone defense systems, and video surveillance security systems. UNC5125 (also known as FlyingYeti and UAC-0149) has conducted highly targeted campaigns against frontline drone units, using a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone operators.
Other threat actors, including UNC5792, UNC4221, and UNC5976, have also been linked to the coordinated effort. These groups have abused secure messaging apps, used Android malware to steal credentials and data, and delivered malicious Remote Desktop Protocol connection (.rdp) files to compromise defense entities.
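A malicious .rdp file is a plain-text lure: one `name:type:value` line per setting, and the dangerous lines are the ones that redirect the victim's drives, clipboard or devices to an attacker-controlled server, often while `remoteapplicationmode` hides the session behind a fake application window. The following triage script is an added example written for this article, not code from the Google report or from any of the groups named above; the trusted-host allow-list and the two sample files are constructed for illustration.

```python
"""Triage an .rdp connection file for settings typical of rogue-RDP lures.

Added example, not from the Google report. The .rdp format is plain text,
one `name:type:value` setting per line (type s=string, i=integer, b=binary).
The trusted-host allow-list is an assumption for this example.
"""
from __future__ import annotations

# Hypothetical allow-list: hosts the organisation legitimately RDPs into.
TRUSTED_HOSTS = {"rds.corp.example"}

# Settings that hand the remote server access to local resources. The value
# semantics differ: the *storedirect settings take a device list ("*" = all),
# the others are 1/0 flags.
RISKY_SETTINGS = {
    "drivestoredirect": "maps local drives into the session",
    "devicestoredirect": "redirects plug-and-play devices",
    "usbdevicestoredirect": "redirects USB devices",
    "redirectclipboard": "shares the clipboard with the server",
    "redirectprinters": "exposes local printers",
    "redirectsmartcards": "passes smart cards to the server",
    "remoteapplicationmode": "hides the desktop behind a RemoteApp window",
}
LIST_VALUED = {"drivestoredirect", "devicestoredirect", "usbdevicestoredirect"}


def parse_rdp(text: str) -> dict[str, str]:
    """Return {name: value} for every well-formed name:type:value line.

    Lines that do not fit the format (blank, junk, or a missing type tag) are
    skipped rather than raising, so a deliberately malformed lure still parses.
    Signed files carry a base64 `signature:s:` value containing colons, hence
    the split limit of 2.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def _enabled(name: str, value: str) -> bool:
    """A list-valued setting is enabled when non-empty; flags when equal to 1."""
    if name in LIST_VALUED:
        return value != ""
    return value == "1"


def triage_rdp(text: str, trusted_hosts: set[str] = TRUSTED_HOSTS) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    settings = parse_rdp(text)
    findings: list[str] = []

    # `full address` is host or host:port (IPv4/hostname); strip the port.
    host = settings.get("full address", "").split(":")[0].lower()
    if host and host not in trusted_hosts:
        findings.append(f"connects to untrusted host {host}")

    for name, why in RISKY_SETTINGS.items():
        if name in settings and _enabled(name, settings[name]):
            findings.append(f"{name} enabled: {why}")
    return findings


# Constructed sample: a lure that maps every local drive and the clipboard to
# an attacker host and hides the session behind a RemoteApp.
LURE_RDP = """\
screen mode id:i:2
full address:s:attacker.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Secure Document Viewer
"""

# Constructed sample: a benign corporate connection file.
BENIGN_RDP = """\
full address:s:rds.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
remoteapplicationmode:i:0
"""

if __name__ == "__main__":
    for label, content in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        print(label, triage_rdp(content) or ["no findings"])
```

In practice this check belongs at the mail gateway or in an EDR custom rule on `mstsc.exe` launches with a file argument; the same parser can also feed the `full address` value to your domain-reputation pipeline.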
Targeting Defense Contractors
Defense contractors are also in scope, in Ukraine and beyond, with phishing and malware delivery as the main tactics. APT45 (also known as Andariel) has targeted South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware. APT43 (also known as Kimsuky) has likely leveraged infrastructure mimicking German and U.S. defense-related entities to deploy a backdoor called THINWAVE.
UNC2970 (also known as Lazarus Group) has conducted the Operation Dream Job campaign to target aerospace, defense, and energy sectors, using artificial intelligence (AI) tools to conduct reconnaissance on its targets. UNC1549 (also known as Nimbus Manticore) has targeted aerospace, aviation, and defense industries in the Middle East with malware families like MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD.
Increasing Threat to the Defense Sector
The coordinated effort highlights the increasing threat to the defense sector, with financially motivated actors carrying out extortion and state-sponsored threat actors conducting espionage and sabotage. Google has observed China-nexus threat groups utilizing operational relay box (ORB) networks for reconnaissance against defense industrial targets. Because an ORB network routes operator traffic through a large, rotating pool of compromised or leased devices, the source addresses defenders see are short-lived and geographically dispersed, which complicates both detection and attribution.
