According to researchers at SentinelLabs, a new threat group was identified while researching an attack on a high value target that had been infiltrated by more than ten threat actors. The group, which has not yet been attributed to any nation-state, is believed to be working on behalf of a nation-state as a contractor. Signs from the intrusion indicate the group has been active for over two years without being identified. The group attacks with variants of two Windows malware platforms deployed directly into memory, with indications of an additional Linux implant, and are capable of rapid adaptations. The group was also able to quickly adapt once their infiltrated target had adopted a security solution.
According to researchers, the group has primarily targeted telecoms, internet service providers, and universities in the Middle East and Africa. It is likely that only a fraction of the group’s capabilities has been identified. The group appears to be fluent in English, with slang, and Spanish. Like with many nation-state sponsored threat actors, they will work to gain access to networks to install backdoors and remain dormant until they are needed. Proactive solutions such as an EDR and a Security Operations Center (SOC) to monitor alerts, either an internally-staffed SOC or a service such as Binary Defense, are great tools within the security arsenal to find and mitigate threats.