Between September and the end of December 2022, Russia-aligned advanced persistent threat (APT) groups continued to be involved in operations targeting Ukraine, deploying destructive wipers and ransomware, according to the APT Activity Report released by ESET Research. The report, which summarizes discoveries about select APT groups, also found that Goblin Panda, a China-aligned group, started to duplicate Mustang Panda’s interest in European countries, and Iran-aligned groups continued to operate at a high volume.

In Ukraine, ESET detected the infamous Sandworm group using a previously unknown wiper against an energy sector company. Nation-state or state-sponsored actors usually operate APT groups. The described attack happened in October during the same period as Russian armed forces began launching missile strikes targeting energy infrastructure. While the report is not able to show that those events were coordinated, it suggests that Sandworm and the Russian military have related objectives.

ESET has named the latest wiper, from a series of previously discovered wipers, NikoWiper. This wiper was used against a company in the energy sector in Ukraine in October 2022. NikoWiper is based on SDelete, a command-line utility from Microsoft that is used for securely deleting files.

In addition to data-wiping malware, the report detected Sandworm attacks using ransomware as a wiper. In those attacks, although ransomware was used, the final objective was the same as for the wipers: data destruction. Unlike traditional ransomware attacks, the Sandworm operators do not intend to provide a decryption key.

In October 2022, Prestige ransomware was deployed against logistics companies in Ukraine and Poland. And in November 2022, new ransomware was detected in Ukraine written in .NET that was named RansomBoggs in the report. Along with Sandworm, other Russian APT groups such as Callisto and Gamaredon have continued their spearphishing campaigns against Ukraine to steal credentials and install implants.

The report also listed a MirrorFace spearphishing campaign targeting political entities in Japan and noted a gradual change in the targeting of some China-aligned groups: Goblin Panda started to duplicate Mustang Panda’s interest in European countries. Last November, a new Goblin Panda backdoor, which was named TurboSlate, was detected in a government organization in the European Union. Mustang Panda has also continued to target European organizations. Last September, a Korplug loader used by Mustang Panda at an organization in Switzerland's energy and engineering sector was detected.

Iran-aligned groups continued their attacks, too. In addition to Israeli companies, POLONIUM also started targeting the foreign subsidiaries of Israeli companies, and it is believed that MuddyWater compromised a managed security service provider.

North Korea-aligned groups used old exploits to compromise cryptocurrency firms and exchanges in various parts of the world. The report also states that Konni has expanded the repertoire of languages it uses in its decoy documents to include English, which indicates that it might not be aiming at its usual Russian and South Korean targets.

The full report can be found here.