Over the last week, at least five separate cyber-espionage-related news events have made headlines ranging from attacks against governments to company-related targets. The primary goal of cyber-espionage is to uncover company or government secrets, such as military plans, blueprints, or coveted intellectual property. SurfWatch Labs has collected CyberFacts on exactly 300 targets tied with espionage so far this year.
In 2016, central government is the top trending industry target of cyber-espionage.
Several groups have appeared in SurfWatch Labs’ data concerning espionage in 2016. Group 27 – a cyber-espionage group linked with the Seven Pointed Dagger malware campaign that utilizes a remote access Trojan known as Trochilus and has ties to Asia – is the top trending espionage actor in 2016.
Recent Espionage Activity
As mentioned above, there have been five espionage-related events that have made headlines over the last week.
In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.
Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information that was obtained were blueprints for the wings of F-15 fighter jets.
North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks have been traced back to the North Korean capital Pyongyang.
Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The names of both groups have been lovingly named “Cozy Bear” and “Fancy Bear.”
The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.
A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.
One of the files contained a Carberp malware variant of the Sofacy Trojan of which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.
The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.
The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through their ShimRat malware and is unique from other APT groups because they exclusively use social engineering tactics to target computer networks, not exploits. More specifically, the groups’ attack vector of choice is spear phishing.
The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.
On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.
Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials that were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.
Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.