An advanced persistent threat (APT) group formerly known for targeting Japanese entities has been accused of launching a long-running espionage campaign targeting new geographies, suggesting the threat actor has “widening” its scope.
As recently as February 2022, widespread intrusions were reported linked to a group known as Cicada, which has also been referred to as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.
Researchers from the Symantec Threat Hunter Team, part of Broadcom Software, report that the Cicada (aka APT10) campaign has affected governments, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including Europe, Asia, and North America.
“There is a strong focus on victims in the government and NGO sectors, with some of these organizations working in the areas of religion and education,” Brigid O. Gorman, senior information developer at the Symantec Threat Hunter Team, told The Hacker News.
Most of the targeted organizations are located in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy, alongside one victim in Japan, with the adversary spending as long as nine months on the networks of some of these victims.
“There are also some victims in the telecoms, legal and pharmaceutical sectors, but governmental and non-profit organizations appeared to have been the main focus in this campaign,” Gorman added.
In March 2021, Kaspersky researchers took the wraps off an intelligence-gathering operation undertaken by the group to deploy information-gathering implants from a number of industry sectors located in Japan.
Then earlier this February, Stone Panda was implicated in an organized supply chain attack aimed at Taiwan’s financial sector with the goal of stealing sensitive information from compromised systems.
The new set of attacks observed by Symantec commences with the actors gaining initial access by means of a known, unpatched vulnerability in Microsoft Exchange Servers, using it to deploy their backdoor of choice, SodaMaster.
“However, we did not observe the attackers exploiting a specific vulnerability, so we cannot say if they leveraged ProxyShell or ProxyLogon [flaws],” Gorman said.
SodaMaster is a Windows-based remote access trojan that’s equipped with features to facilitate the retrieval of additional payloads and exfiltrate the information back to its command-and-control (C2) server.
Other tools deployed during the infiltrations include the Mimikatz credential dumping utility, NBTScan to conduct internal reconnaissance, WMIExec for remote command execution, and VLC Media Player to launch a custom loader on the infected host.
“This campaign with victims in such a large number of sectors appears to show the group is now interested in a wider variety of targets,” Gorman said.
“The sorts of organizations targeted — nonprofits and government organizations, including those involved in religious and education activity — are most likely to be of interest to the group for espionage purposes. The sort of activity we see on victim machines and past Cicada activity also all point to the motivation behind this campaign being espionage.”
Some sections of this post are sourced from: