State-Sponsored Cyber Attacks Surge Against Global Defense Sectors Amidst Geopolitical Tensions

Recent analyses by Google’s Threat Intelligence Group (GTIG) have revealed a surge in cyber operations targeting the global defense industrial base (DIB). These operations are carried out by state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia. The primary objectives of these cyber campaigns include:

1. Targeting Defense Technologies in the Russia-Ukraine Conflict: Adversaries are focusing on defense entities deploying technologies on the battlefield, aiming to compromise systems and gather intelligence.

2. Exploiting Employment Processes: North Korean and Iranian actors are directly approaching employees and exploiting hiring processes to infiltrate organizations.

3. Leveraging Edge Devices for Initial Access: Chinese-affiliated groups are utilizing edge devices and appliances as entry points into networks.

4. Supply Chain Vulnerabilities: Breaches in the manufacturing sector pose significant risks to the defense supply chain.

GTIG emphasizes the growing interest of these actors in autonomous vehicles and drones, reflecting their increasing role in modern warfare. A notable trend is the emphasis on evading detection by focusing on single endpoints and individuals, thereby circumventing endpoint detection and response (EDR) tools.

Key Threat Actors and Their Activities:

– APT44 (Sandworm): This group has attempted to extract information from encrypted messaging applications like Telegram and Signal. They have employed a Windows batch script named WAVESIGN to decrypt and exfiltrate data from Signal’s desktop application.

– TEMP.Vermin (UAC-0020): Utilizing malware such as VERMONSTER, SPECTRUM (SPECTR), and FIRMACHAGENT, this actor employs lures related to drone production, anti-drone defense systems, and video surveillance security systems.

– UNC5125 (FlyingYeti, UAC-0149): This group targets frontline drone units by using Google Forms-hosted questionnaires for reconnaissance and distributing malware like MESSYFORK (COOKBOX) to Unmanned Aerial Vehicle (UAV) operators in Ukraine. They have also deployed an Android malware called GREYBATTLE, a customized version of the Hydra banking trojan, through websites impersonating Ukrainian military AI companies.

– UNC5792 (UAC-0195): Focusing on secure messaging apps, this actor targets Ukrainian military and government entities, as well as individuals and organizations in Moldova, Georgia, France, and the U.S. They exploit Signal’s device linking feature to hijack victim accounts.

– UNC4221 (UAC-0185): Similar to UNC5792, this group targets secure messaging apps used by Ukrainian military personnel. They deploy Android malware named STALECOOKIE, which mimics Ukraine’s battlefield management platform DELTA to steal browser cookies. Additionally, they use ClickFix to deliver the TINYWHALE downloader, which subsequently drops the MeshAgent remote management software.

– UNC5976: A Russian espionage cluster that conducts phishing campaigns delivering malicious RDP connection files configured to communicate with domains mimicking Ukrainian telecommunications companies.

– UNC6096: This Russian espionage cluster uses WhatsApp to deliver malware through DELTA-related themes, including a malicious LNK shortcut within an archive file that downloads secondary payloads. They also target Android devices with malware called GALLGRAB, which collects locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.

– UNC5114: A suspected Russian espionage cluster that delivers a variant of the CraxsRAT Android malware by masquerading it as an update for Kropyva, a combat control system used in Ukraine.

– APT45 (Andariel): This group targets South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware.

– APT43 (Kimsuky): Likely leveraging infrastructure mimicking German and U.S. defense-related entities, this actor deploys a backdoor called THINWAVE.

– UNC2970 (Lazarus Group): Conducting the Operation Dream Job campaign, this group targets aerospace, defense, and energy sectors, utilizing artificial intelligence (AI) tools for reconnaissance.

– UNC1549 (Nimbus Manticore): Targeting aerospace, aviation, and defense industries in the Middle East, this actor employs malware families like MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD. They orchestrate Lazarus Group-style Dream Job campaigns to trick users into executing malware or divulging credentials under the guise of legitimate employment opportunities.

– UNC6446: An Iranian-nexus threat actor that uses resume builder and personality test applications to distribute custom malware to targets in the aerospace and defense verticals across the U.S. and the Middle East.

– APT5 (Keyhole Panda, Mulberry Typhoon): This group targets current and former employees of major aerospace and defense contractors with tailored phishing lures.

– UNC3236 (Volt Typhoon): Conducting reconnaissance against publicly hosted login portals of North American military and defense contractors, this actor uses the ARCMAZE obfuscation framework to conceal its origin.

– UNC6508: A China-nexus threat cluster that targeted a U.S.-based research institution in late 2023 by leveraging a REDCap exploit to drop custom malware named INFINITERED, capable of persistent remote access and credential theft after intercepting the application’s software upgrade process.

GTIG also notes that China-nexus threat groups are utilizing operational relay box (ORB) networks for reconnaissance against defense industrial targets, complicating detection and attribution efforts.

The defense industrial base is under constant, multi-vector siege. Financially motivated actors carry out extortion against this sector and the broader manufacturing base, similar to other verticals they target for monetary gain. The campaigns against defense contractors in Ukraine, threats to or exploitation of defense personnel, the persistent volume of intrusions by China-nexus actors, and the hack, leak, and disruption of the manufacturing base are some of the leading threats to this industry today.