The second quarter of 2018 was a busy period for regional threat actors with Asia remaining the epicentre of interest for advanced persistent threat (APT) operations.
That's according to Kaspersky Lab, which uncovered new tools, techniques and campaigns targeted towards the region, with a number of groups timing their campaigns around sensitive geopolitical incidents.
Such revelations come as Singapore recovers from the nation's largest data breach in history, impacting more than 1.5 million people.
As reported by Channel Asia, the breach spanned SingHealth’s specialist outpatient clinics between 1 May 2015 and 4 July 2018, including details such as name, NRIC number, address, gender, race and date of birth.
In addition, it was disclosed that Lee Hsien Loong, Singapore's Prime Minister, had his personal particulars stolen, as well as his record of outpatient dispensed medicines, in what was described as “specific and repeated” targeted attacks.
Meanwhile, according to Kaspersky Lab's findings, groups that were particularly busy during this period included the Korean-speaking Lazarus and Scarcruft groups, as well as the Russian-speaking Turla group, which carried out targeted attacks in Central Asia and the Middle East.
The researchers believe that the same group that targeted the Pyeongchang Winter Olympic Games in January 2018 has renewed its activity, targeting Russian financial organisations as well as biochemical threat prevention laboratories in Europe and Ukraine.
There is some evidence to suggest the group behind these attacks is the Russian-speaking group Sofacy.
“The second quarter of 2018 was very interesting in terms of APT activity, with a few remarkable campaigns that remind us how real some of the threats we have been predicting over the last few years have become,” said Vicente Diaz, principal security researcher in the Kaspersky Lab GReAT team.
“In particular, we have warned repeatedly that networking hardware is ideally suited to targeted attacks and highlighted the existence and spread of advanced activity focusing on these devices.”
Furthermore, there was evidence to suggest that financial institutions in Turkey were targeted by the Korean-speaking Lazarus group despite the ongoing peace talks with North Korea, suggesting that financial gain remains this group's primary motivation.
In addition, evidence suggests the Scarcruft group used Android malware to deploy a backdoor that researchers have named Poorweb.
A Chinese-speaking threat actor, LuckyMouse, was discovered to be actively targeting Kazakh and Mongolian governmental entities.
The timing of these attacks suggests the group was targeting these entities during meetings in China. LuckyMouse is also known as APT 27.
Analysis by Kaspersky Lab also found that traces of the VPNFilter campaign can be found in almost every country. This campaign was uncovered by Cisco Talos and attributed to the Russian-speaking group Sofacy or Sandworm.
The campaign compromises home networking hardware and network storage devices, injecting malware into the traffic passing through them in order to infect computers behind the compromised device.
These findings were detailed in Kaspersky Lab’s Q2 APT Trends report.