ESET Draws Attention to Cyber Warfare of Russia-, China-, and Iran-Aligned APT Groups

ESET has released its latest APT Activity Report, which summarizes the notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2023 until the end of March 2024. The highlighted operations are representative of the broader landscape of threats ESET Research has investigated during this period, illustrating key trends and developments.

After the Hamas-led attack on Israel in October 2023, and throughout the ongoing war in Gaza, ESET has detected a significant increase in activity from Iran-aligned threat groups. Russia-aligned groups have focused their activities on espionage within the European Union and on attacks against Ukraine. Several China-aligned threat actors, meanwhile, exploited vulnerabilities in public-facing appliances, such as VPN gateways and firewalls, and in server software, such as Confluence and Microsoft Exchange Server, to gain initial access to targets in multiple verticals. North Korea-aligned groups continued to target aerospace and defense companies and the cryptocurrency industry.

“The targets of most of the campaigns were government organizations and certain verticals: for example, those targeted in continued and relentless attacks on Ukrainian infrastructure. Europe experienced a more diverse range of attacks from various threat actors. Russia-aligned groups strengthened their focus on espionage in the European Union, where China-aligned threat actors also maintain a consistent presence, indicating a continued interest in European affairs by both Russia- and China-aligned groups,” says Jean-Ian Boutin, Director of Threat Research at ESET.

Based on the data leak from the Chinese security services company I-SOON (Anxun), ESET Research can confirm that this Chinese contractor is indeed engaged in cyberespionage. ESET tracks a part of the company's activities under the FishMonger group. In this latest report, ESET also introduces a new China-aligned APT group, CeranaKeeper, distinguished by unique traits yet possibly connected, based on its digital footprint, to the Mustang Panda group.

In the case of Iran-aligned threat groups, MuddyWater and Agrius transitioned from their previous focus on cyberespionage and ransomware, respectively, to more aggressive strategies involving access brokering and impact attacks. Meanwhile, OilRig and Ballistic Bobcat activity saw a downturn, which ESET interprets as a strategic shift toward more noticeable, "louder" operations aimed at Israel.

Regarding Russia-aligned activity, the Operation Texonto campaign, a disinformation and psychological operation (PSYOP) uncovered by ESET researchers, has been spreading false information about Russian election-related protests and the situation in the eastern Ukrainian city of Kharkiv, fostering uncertainty among Ukrainians both domestically and abroad.

The report also describes the exploitation of a zero-day vulnerability in Roundcube by Winter Vivern, a group ESET assesses to be aligned with the interests of Belarus. Additionally, ESET spotlights a campaign in the Middle East carried out by SturgeonPhisher, a group ESET researchers believe to be aligned with the interests of Kazakhstan.

ESET products protect customers' systems from the malicious activities described in this report. The intelligence shared here is based primarily on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing the activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. This report contains only a fraction of the cybersecurity intelligence data provided to customers of ESET's private APT reports.