Security researchers have discovered how APT group StrongPity has been targeting victims in Turkey and Syria, particularly the Kurdish community, with watering-hole attacks aimed at luring victims into downloading malicious applications onto their devices.
Fresh research from Bitdefender has revealed how the activities of APT group StrongPity coincided with the Turkish offensive into north-eastern Syria, especially in terms of the timing and people who were targeted.
Samples used in one of the group’s cyber campaigns were timestamped starting October 1st, 2019, around the same time when Turkey launched Operation Peace Spring targeting the Syrian Democratic Forces (SDF) and the Syrian Arab Army (SAA) in northern Syria. However, aside from the coincidence, there is no evidence yet to suggest that the APT group StrongPity was backed by the Turkish government.
Researchers at Bitdefender also found some tell-tale signs of the APT group being state-sponsored. Firstly, the group selectively targeted victims in Turkey and Syria using a pre-defined IP list. Secondly, all the malicious applications created or used by the group were compiled from Monday to Friday during normal 9 to 6 UTC+2 working hours, indicating that StrongPity could be a sponsored and organized developer team paid to deliver certain “projects.”
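The working-hours observation rests on the compile timestamp stored in each Windows executable's header. The following Python sketch is an added example, not Bitdefender's tooling: it reads the COFF TimeDateStamp field and counts how many samples were built Monday to Friday between 09:00 and 18:00 in UTC+2. The sample headers and dates are constructed, and reading "9 to 6" as 09:00 to 18:00 is an assumption.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC_PLUS_2 = timezone(timedelta(hours=2))

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def working_hours_profile(samples, tz=UTC_PLUS_2, start=9, end=18):
    """Count builds inside and outside Mon-Fri start..end in the given time zone."""
    profile = Counter()
    for data in samples:
        try:
            local = pe_compile_time(data).astimezone(tz)
        except ValueError:
            profile["unparsed"] += 1
            continue
        in_hours = local.weekday() < 5 and start <= local.hour < end
        profile["in_hours" if in_hours else "off_hours"] += 1
    return profile

def constructed_pe(when_utc: datetime) -> bytes:
    """Constructed minimal header: MZ stub, PE signature, 20-byte COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x14C, 1, int(when_utc.timestamp())) + b"\0" * 12
    return dos + b"PE\0\0" + coff

# Constructed samples. The field can be forged or zeroed, so it is a weak signal alone.
SAMPLES = [
    constructed_pe(datetime(2019, 10, 1, 8, 30, tzinfo=timezone.utc)),   # Tue 10:30 UTC+2
    constructed_pe(datetime(2019, 10, 2, 7, 30, tzinfo=timezone.utc)),   # Wed 09:30 UTC+2
    constructed_pe(datetime(2019, 10, 4, 15, 59, tzinfo=timezone.utc)),  # Fri 17:59 UTC+2
    constructed_pe(datetime(2019, 10, 5, 10, 0, tzinfo=timezone.utc)),   # Sat 12:00 UTC+2
    b"not a PE file",
]

if __name__ == "__main__":
    print(dict(working_hours_profile(SAMPLES)))
```
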
APT group StrongPity used popular apps as watering-holes to lure victims
The APT group StrongPity also used trademark watering-hole tactics to infiltrate the devices of targeted people. As bait, the group used file compression apps such as 7-zip and WinRAR archiver, security software such as McAfee Security Scan Plus, as well as other popular apps like Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities, and RAR Password Unlocker, lacing the installers of these applications with data-stealing malware.
“Once the malicious installer is downloaded and executed, the backdoor is installed. The backdoor will communicate with a command and control server, embedded into its binary, for document exfiltration and for retrieving commands to be executed, depending on the importance of the victim.
From an OPSEC point of view, the actor takes different actions in order to hide and anonymize its traces. The C2 network uses a set of proxy servers to hide the terminal node/nodes in the infrastructure,” the researchers said.
This is not the first time that cyber crime groups have been found to be associated with Turkey. In January this year, Reuters reported that hackers targeting governments and other organisations in Europe and the Middle East were acting in the interests of the Turkish government.
The hackers targeted at least thirty organisations such as government ministries, embassies, security services, and private companies using DNS hijacking techniques designed to intercept internet traffic to victim websites.