APT group StrongPity found conducting state-sponsored cyber operations

Security researchers have discovered how APT group StrongPity has been targeting victims in Turkey and Syria, particularly the Kurdish community, with watering-hole attacks aimed at luring victims into downloading malicious applications onto their devices.

Fresh research from Bitdefender has revealed how the activities of APT group StrongPity coincided with the Turkish offensive into north-eastern Syria, especially in terms of the timing and people who were targeted.

Samples used in one of the group’s cyber campaigns were timestamped starting October 1st, 2019, around the same time when Turkey launched Operation Peace Spring targeting the Syrian Democratic Forces (SDF) and the Syrian Arab Army (SAA) in northern Syria. However, aside from the coincidence, there is no evidence yet to suggest that the APT group StrongPity was backed by the Turkish government.

Researchers at Bitdefender also found some tell-tale signs of the APT group being state-sponsored. Firstly, the group selectively targeted victims in Turkey and Syria using a pre-defined IP list. Secondly, all the malicious applications created or used by the group were compiled from Monday to Friday during normal 9 to 6 UTC+2 working hours, indicating that StrongPity could be a sponsored and organized developer team paid to deliver certain “projects.”
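The compile-time heuristic Bitdefender describes can be reproduced on any sample set: read the COFF TimeDateStamp from each PE file, shift it into the assumed UTC+2 zone and check how many fall inside a Monday-to-Friday, 09:00-18:00 window. The code below is an added example, not Bitdefender's tooling; the time zone, the working window and the minimal PE stubs it parses are all constructed assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumptions taken from the article: UTC+2 and "9 to 6" working hours, Mon-Fri.
WORK_TZ = timezone(timedelta(hours=2))
WORK_START, WORK_END = 9, 18


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def in_working_hours(ts: int) -> bool:
    """True if the timestamp falls on a weekday inside the assumed office window."""
    local = datetime.fromtimestamp(ts, tz=WORK_TZ)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_ratio(images) -> float:
    """Fraction of PE images whose compile timestamp lies in working hours."""
    stamps = [pe_timestamp(img) for img in images]
    if not stamps:
        return 0.0
    return sum(in_working_hours(t) for t in stamps) / len(stamps)


def make_stub(ts: int) -> bytes:
    """Constructed minimal MZ/PE header carrying the given TimeDateStamp (test data)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, ts)  # i386, 3 sections, stamp
    return bytes(hdr)


if __name__ == "__main__":
    # Tue 2019-10-01 10:00 UTC+2 (in window) and Sun 2019-10-06 03:00 UTC+2 (out).
    samples = [make_stub(1569916800), make_stub(1570323600)]
    print(f"in working hours: {working_hours_ratio(samples):.0%}")
```

A ratio close to 100% across a campaign's samples is only a weak signal on its own, since timestamps can be forged or stripped, but combined with targeting and infrastructure overlap it supports the "paid developer team" reading the researchers give.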

APT group StrongPity used popular apps as watering-holes to lure victims

The APT group StrongPity also used trademark watering-hole tactics to infiltrate the devices of targeted people. The group used file compression apps such as 7-Zip and the WinRAR archiver, security software such as McAfee Security Scan Plus, and other popular apps such as Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker as bait, lacing the installers of these applications with data-stealing malware.

“Once the malicious installer is downloaded and executed, the backdoor is installed. The backdoor will communicate with a command and control server, embedded into its binary, for document exfiltration and for retrieving commands to be executed, depending on the importance of the victim.
From an OPSEC point of view, the actor takes different actions in order to hide and anonymize its traces. The C2 network uses a set of proxy servers to hide the terminal node/nodes in the infrastructure,” the researchers said.

This is not the first time that cyber crime groups have been found to be associated with Turkey. In January this year, Reuters reported that hackers targeting governments and other organisations in Europe and the Middle East were acting in the interests of the Turkish government.

The hackers targeted at least thirty organisations such as government ministries, embassies, security services, and private companies using DNS hijacking techniques designed to intercept internet traffic to victim websites.

Copyright Lyonsdown Limited 2021
