Alias: APT 37, APT37, Dark Seoul, DarkSeoul, Group 123, Group123, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, Ricochet Chollima, ScarCruft, StarCruft, TEMP.Reaper, Venus 121
ATK4 (aka: Reaper by FireEye, TEMP.Reaper by FireEye, APT 37 by Mandiant, Ricochet Chollima by CrowdStrike, ScarCruft by Kaspersky, Thallium by Microsoft, Group 123 by Talos, Red Eyes by AhnLab, Geumseong121, Venus 121 by ESRC, Hermit by Tencent, ITG10 by IBM) is a North Korean cyber espionage group active since at least 2012.
This group targets the public and private sectors, mainly in South Korea. According to FireEye, the group's primary mission is to collect secret intelligence in support of North Korea's strategic military, political and economic interests.
This actor is considered competent and resourceful.
Focusing on South Korean targets, this group can be compared to Unit 91, which has similar objectives. From 2014 to 2017, ATK4 mainly targeted the South Korean government, its defense sector, its industrial base and the media; it has since moved to more international targets, with further attacks against the Middle East, Japan and Vietnam. These new targets are all tied to North Korean interests.
This group uses spear phishing, strategic web compromises or torrent file sharing as initial infection vectors. From 2014 to 2017, its decoy documents were written in Korean and built around themes related to the Korean Peninsula. It uses various legitimate platforms for command and control (C2) and has had access to several zero-day vulnerabilities.
The group is able to integrate newly disclosed vulnerabilities into its toolset. This can be explained by collaboration between different units within North Korea's Reconnaissance General Bureau.
ATK4 relies on a C2 infrastructure made up of compromised servers, a messaging platform, cloud services and social networks to communicate with and deploy its malware while evading detection.
REFERENCES
https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html