ENISA, CERT-EU flag sustained malicious cyber activities of hackers, release recommendations

The European Union Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) have jointly published a report alerting on sustained activity by particular advanced persistent threat (APT) groups, tracked as APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda. These groups have recently conducted malicious cyber activities against businesses and governments in the European Union.

Cyberattacks and malicious activities by these groups have been identified as major risks to the European Union (EU), ENISA and CERT-EU said in their joint publication. Recent operations by these groups have largely focused on information theft, primarily by establishing persistent footholds in the network infrastructure of organizations of strategic relevance.

APT27 has been observed targeting a broad range of organizations across geographic areas, including Europe, North and South America, Africa, the Middle East, and the Asia Pacific (APAC) region. 

The report identified that APT27 is known for its high degree of operational sophistication and frequently alters its attack strategies. “In order to obfuscate its activities, evade detection and maintain long-term network persistence, APT27 deploys fileless malware and pivots within the target networks. Incidents linked to APT27 have also been recorded alongside clusters of activity from other threat groups, assessed to be operating from the same nation-state such as APT30, APT31, and GALLIUM,” it added.

In January 2022, Germany's domestic intelligence service, the Bundesamt für Verfassungsschutz (BfV), published information about an ongoing data-gathering campaign affecting German companies, which the agency attributed to APT27, the report said. While the BfV declined to name the commercial entities targeted or their sectors, its report notes that the attacks are representative of an increase in the use of HyperBro malware by Chinese threat groups against German targets.

In July 2022, Belgium's Minister of Foreign Affairs released a statement on the Belgian government's detection of an espionage campaign against the country's Interior and Defence Ministries. The Foreign Ministry linked the campaign to APT27 alongside three other groups with assessed ties to China: APT30, APT31, and GALLIUM.

In October 2022, the France-based incident response provider Intrinsec published a report detailing a security incident suffered by an unnamed customer in spring 2022, which the company attributed to APT27. Intrinsec indicated that the operation ran for at least a year and began with exploitation of the target's Microsoft Exchange server via the ProxyLogon vulnerability chain. After gaining initial access, the group compromised five domains over nine months before ultimately deploying HyperBro malware to exfiltrate many gigabytes of data over 17 days.

APT31, also known as Judgment Panda, Zirconium, and Bronze Vinewood, has been operating since at least 2010 and has become more difficult to track in recent years. The group has been developing new methods to avoid detection, including building its own anonymizing proxy network hosted on compromised routers around the world. Since the French national cybersecurity agency (ANSSI) published a report in July 2021 detailing the use of this anonymization network, a general decline in these operations has been noted.

In 2020, the Norwegian Police Security Service (PST) concluded a two-and-a-half-year investigation into a 2018 cyberattack against the Norwegian state administration and the cloud service provider Visma AG, the report disclosed. According to public reporting, the threat actor behind the attacks was APT31. The Parliament of Finland disclosed in December 2020 that it had been breached; in March 2021, Finnish national authorities stated that their investigation pointed to APT31.

GALLIUM has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in several regions of the world. The group has developed the capability to target both Windows and Linux (32- and 64-bit) systems with remote access tools (RATs).

In June 2022, Palo Alto Networks' Unit 42 published an analysis of GALLIUM showing the group expanding its operations beyond its original telecommunications targets to the government and finance sectors. According to that analysis, its targeting includes at least one entity in a European country.

Ke3chang, also known as Vixen Panda, Nickel, or APT15, conducts cyber operations to steal data and has been active since at least 2010. The group has targeted several sectors, including energy, government, and the military. Until 2021, Ke3chang's favored initial-access method was spear-phishing from compromised or spoofed email addresses. More recently, the group has been observed exploiting vulnerabilities in public-facing software, the report noted.

In December 2021, Microsoft reported on Ke3chang conducting a series of attacks against organizations in Europe, Latin America, and other regions; according to that report, at least 11 European entities were targeted. In 2021 and 2022, CERT-EU detected exploitation attempts against vulnerabilities in some EU institutions, bodies and agencies (EUIBAs) that were likely linked to Ke3chang.

Mustang Panda was first observed in 2017 but has possibly been conducting operations since at least 2014. The group has targeted government entities, nonprofit, religious, and other non-governmental organizations in the EU, the US, Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others. From the end of 2021 to early 2022, CERT-EU observed an uptick in campaigns targeting entities in the EU.

Mustang Panda uses both proprietary and publicly available hacking tools, and several initial-access methods: primarily spear-phishing with malicious attachments or links, but also watering-hole attacks and infected USB drives.

The report identified that in 2022, Mustang Panda was observed using public documents belonging to EUIBAs as lures in spear-phishing campaigns, targeting mainly ministries of foreign affairs and the diplomatic sector. The detected campaigns impersonated officials to appear more credible. In March 2022, Proofpoint identified Mustang Panda activity targeting European diplomatic entities, including one involved in refugee and migrant services.

In April 2022, threat researchers from the cybersecurity vendor Secureworks published a report revealing Mustang Panda's targeting of Russian officials. Between October and December 2022, several security firms, including Trend Micro and BlackBerry, reported on spear-phishing activity by Mustang Panda using EU-themed lures.

To counter this threat, the agencies urge public and private entities to apply a set of recommendations that consistently and systematically improve cybersecurity posture.

Additionally, CERT-EU and ENISA emphasize the importance of participating in information-sharing communities and of reviewing national or governmental CSIRTs' security guidance and public resources detailing the tactics, techniques and procedures (TTPs) associated with these threat actors.

All public and private sector organizations in the EU are strongly advised to follow common cyber hygiene recommendations. They should follow the security best practices proposed by vendors, maintain current asset inventories, block or severely limit egress Internet access for servers and other devices that are seldom rebooted, and adopt a backup strategy following the 3-2-1 rule (three copies of the data, on two different media, with one copy off-site). They should also ensure tight and proper access controls for end users and, most crucially, for external third-party contractors with access to internal networks and systems.

Furthermore, they should segment the network to isolate critical systems, functions, or resources, and secure cloud environments before moving critical assets there. They should also implement a resilient email policy with adequate mechanisms for filtering and scrutinizing malicious content, consider measures to prevent Pass-the-Ticket attacks (the reuse of stolen Kerberos tickets) in Active Directory environments, and invest in cybersecurity education.

The agencies also call for detection capabilities that expose malicious activity in the network. Organizations should implement robust log collection and regularly review the alerts raised by security components, monitor device activity with appropriate tools such as Endpoint Detection and Response (EDR) and User and Entity Behaviour Analytics (UEBA), and look for traces of compromise through well-conceived, regular threat hunting based, for example, on the MITRE ATT&CK framework.
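
The Pass-the-Ticket prevention advice above and the call for log-driven threat hunting mapped to MITRE ATT&CK can be illustrated together. The following Python hunt is an added example written for this page; it is not code from the ENISA/CERT-EU report. It applies a well-known heuristic for Pass-the-Ticket (ATT&CK T1550.003) to domain controller Kerberos events: a service-ticket request (event 4769) for a user from a client address that never made a successful TGT request (event 4768) within the TGT lifetime suggests a ticket was injected on that host rather than obtained by logging on there. The flat JSON field names, the 10-hour ticket lifetime and the sample events are assumptions constructed for the example; map your own log shipper's fields onto them.

```python
"""Threat hunt for Pass-the-Ticket (MITRE ATT&CK T1550.003) in Kerberos logs.

Hunting heuristic, not a verdict: a service-ticket request (Windows event
4769) for user U from client address A, with no successful TGT request
(event 4768) for U from A within the TGT lifetime, suggests the TGT on A
was injected rather than obtained by logging on there. Every lead still
needs triage on the endpoint.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Assumption of this example: the default AD TGT lifetime of 10 hours.
# Use a longer window if the domain raises its maximum ticket age.
TGT_LIFETIME = timedelta(hours=10)


@dataclass(frozen=True)
class Lead:
    user: str
    client: str
    service: str
    time: datetime
    technique: str = "T1550.003"  # ATT&CK: Pass the Ticket


def parse_events(lines):
    """Parse one JSON event per line. The flat field names (time, id, user,
    client, service, status) are an assumption of this example, not a vendor
    schema; map your shipper's fields onto them."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    events.sort(key=lambda e: e["time"])  # the hunt assumes chronological order
    return events


def hunt_pass_the_ticket(events, window=TGT_LIFETIME, skip_machine_accounts=True):
    """Return one Lead per 4769 that has no fresh 4768 from the same client.

    A 4769 for krbtgt/* is a TGT renewal: when it follows a fresh TGT it
    extends the window, so long-running sessions do not surface as leads.
    Machine accounts (trailing '$') are skipped by default because they
    renew constantly and rarely matter for this technique.
    """
    last_tgt = {}  # (user, client) -> time of last good TGT request/renewal
    leads = []
    for e in events:
        user = e["user"].lower()
        key = (user, e["client"])
        if skip_machine_accounts and user.endswith("$"):
            continue
        if e["id"] == 4768:
            if e.get("status", "0x0") == "0x0":  # only successful AS-REQs count
                last_tgt[key] = e["time"]
        elif e["id"] == 4769:
            last = last_tgt.get(key)
            fresh = last is not None and e["time"] - last <= window
            if not fresh:
                leads.append(Lead(user, e["client"], e["service"], e["time"]))
            elif e["service"].lower().startswith("krbtgt/"):
                last_tgt[key] = e["time"]  # renewal extends the window
    return leads


# Constructed sample (not real telemetry): domain controller events as JSON lines.
SAMPLE_EVENTS = """
{"time": "2023-01-09T06:00:00", "id": 4768, "user": "bchen", "client": "10.0.0.30", "status": "0x0"}
{"time": "2023-01-09T20:00:00", "id": 4768, "user": "amalik", "client": "10.0.0.41", "status": "0x0"}
{"time": "2023-01-10T05:00:00", "id": 4769, "user": "amalik", "client": "10.0.0.41", "service": "krbtgt/CORP.EXAMPLE"}
{"time": "2023-01-10T08:00:00", "id": 4768, "user": "jdoe", "client": "10.0.0.15", "status": "0x0"}
{"time": "2023-01-10T08:05:00", "id": 4769, "user": "jdoe", "client": "10.0.0.15", "service": "cifs/FS01.corp.example"}
{"time": "2023-01-10T08:06:00", "id": 4769, "user": "WS15$", "client": "10.0.0.15", "service": "ldap/DC01.corp.example"}
{"time": "2023-01-10T09:00:00", "id": 4769, "user": "amalik", "client": "10.0.0.41", "service": "cifs/FS01.corp.example"}
{"time": "2023-01-10T09:00:30", "id": 4769, "user": "bchen", "client": "10.0.0.30", "service": "http/INTRANET.corp.example"}
{"time": "2023-01-10T09:20:00", "id": 4768, "user": "jdoe", "client": "10.0.0.77", "status": "0x18"}
{"time": "2023-01-10T09:30:00", "id": 4769, "user": "jdoe", "client": "10.0.0.77", "service": "ldap/DC01.corp.example"}
"""


def demo():
    """Run the hunt over the constructed sample and return its leads."""
    return hunt_pass_the_ticket(parse_events(SAMPLE_EVENTS.splitlines()))


if __name__ == "__main__":
    for lead in demo():
        print(f"{lead.time:%Y-%m-%d %H:%M} {lead.technique} user={lead.user} "
              f"client={lead.client} service={lead.service}")
```

On the sample, the hunt flags two leads: jdoe requesting a service ticket from 10.0.0.77, a host from which the only TGT request failed (result code 0x18), and bchen using a TGT that is 27 hours past its last request. The amalik session is not flagged because its krbtgt renewal extended the window. Two practical caveats: the log lookback must cover at least the configured TGT lifetime, otherwise every session that started before the retention window becomes a false lead, and the same (user, client) join is usually easier to run as a scheduled SIEM query than as a script.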

Incident response consists of several phases: preparation, identification, containment, clean-up, recovery, and lessons learned. ENISA and CERT-EU strongly advise organizations to create and maintain an incident response plan, to document the procedures for reaching and swiftly communicating with the national or governmental CSIRT, and to be able to provide access to forensic evidence when asked by the relevant parties.

Organizations must also be able to assess incident severity and avoid common incident-handling mistakes: ignoring a security event without assessing what triggered it and its potential impact; preemptively blocking or probing infrastructure used by the threat actor, which can tip the actor off before the intrusion is understood; remediating affected systems before responders can collect or recover evidence; ignoring telemetry sources such as network, system, and access logs; fixing symptoms while ignoring root causes, leaving containment and recovery partial; and failing to keep a detailed record of the actions taken and the event timeline.

Incident response also requires communication among several internal stakeholders and it is strongly recommended to have clear, concise communication guidelines prepared and tested in advance.

ENISA and CERT-EU call on all public and private sector organizations in the EU to apply the recommendations in the report consistently and systematically. The recommendations aim to reduce the risk of compromise by the named APTs while substantially improving these organizations' cybersecurity posture and overall resilience against cyberattacks.
