WhoisXML API Publishes a New Study of 7 APT Groups That Have Targeted North America

In the past two decades, at least 41 advanced persistent threat (APT) groups have launched attacks on entities and organizations based in North America.

In a recent analysis, the WhoisXML API research team expanded lists of indicators of compromise (IoCs) related to seven APT groups that remained active as of 2023 and are currently targeting or have targeted the region in the past.

| APT group | Description |
| --- | --- |
| APT33 | Iran-based APT33 has been active since at least 2013. It most recently targeted the aerospace and energy sectors in the U.S., Saudi Arabia, and South Korea using SHAMOON or Disttrack. |
| APT41 | China-based APT41 has been active since at least 2012. It most recently targeted organizations in the U.S. using WyrmSpy and DragonEgg. |
| FIN7 | Russia-based FIN7 has been active since at least 2013. It most recently targeted the finance, retail, restaurant, and hospitality industries in North America using various malware, including PowerTrash, Cl0p, and BlackMatter. |
| Kimsuky | North Korea-based Kimsuky has been active since at least 2012. While it most recently targeted research institutes in South Korea using RftRAT and Amadey, it also trained its sights on various experts and think tanks based in the U.S. in 2020. |
| Molerats | Saudi Arabia-based Molerats has been active since at least 2012. While it most recently targeted government entities in the Middle East, it also trained its sights on organizations in Europe and the U.S. in 2014. |
| Turla | Russia-based Turla has been active since at least 2004. While it most recently targeted organizations in Ukraine, it has trained its sights on entities in more than 50 countries, including the U.S. and Canada, over the past 20 years or so. |
| ZIRCONIUM | China-based ZIRCONIUM has been active since at least 2017. While it most recently targeted the industrial sector in Eastern Europe, it also trained its sights on high-profile individuals related to the 2020 U.S. presidential elections. |

Download our white paper “A Study of APT Groups Known for Targeting North American Countries” to explore our complete insights that leverage comprehensive current and historical WHOIS data.

Methodology

Our analysis began with compiling a list of 41 APT groups from the MITRE ATT&CK Groups and Mandiant APTs pages. We then filtered the list to include only the groups that met the following criteria:

  • Launched attacks in 2023
  • Are targeting or have targeted North America at some point in the past
  • Had available domain indicators of compromise (IoCs)
  • Have email-connected domains traceable through WhoisXML API solutions

We were left with seven APT groups—APT33, APT41, FIN7, Kimsuky, Molerats, Turla, and ZIRCONIUM—and 59 domains identified as IoCs across various security research blogs.[1]

Overall Findings

Our DNS deep dive into the 59 domain IoCs of the seven APT groups uncovered:

  • More than 140 email addresses via WHOIS History API, 47 of which were neither redacted nor privacy-protected
  • More than 540 and 1,940 email-connected domains retrieved via reverse WHOIS searches from their current and historical WHOIS records, respectively
  • Hundreds of live email-connected domains identified via Screenshot API

Take a look at an extract from our white paper illustrating the findings for one of the APT groups.

A Deep Dive into APT33

Our researchers expanded a public list of nine domains identified as APT33 IoCs, which led to the discovery of:

  • 42 email addresses that could belong to the APT group’s members, 30 of which were redacted while 12 were public
  • 119 email-connected domains that contained some of the public email addresses in their current WHOIS records
  • 855 email-connected domains that had some of the public email addresses in their historical WHOIS records
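The Overall Findings and the APT33 breakdown above describe the same enrichment pipeline: take the domain IoCs, pull registrant email addresses from their current and historical WHOIS records, discard the redacted and privacy-protected ones, then run reverse WHOIS on the public addresses to find other domains that share them. The script below is an added example that models that pipeline offline; it is not WhoisXML API code and does not call the WHOIS History, Reverse WHOIS, or Screenshot APIs. The seed domains, WHOIS records, reverse-WHOIS index and the privacy-marker pattern are all constructed for illustration.

```python
"""Offline model of the WHOIS-pivot enrichment described in the study.

Added example, not WhoisXML API code. Every record below is a constructed
stand-in for what a WHOIS history lookup or a reverse-WHOIS search returns.
"""
import re

# Constructed seed IoCs (stand-ins for the public domain IoC list).
SEED_IOCS = {"seed-one.example", "seed-two.example"}

# Constructed WHOIS history: (domain, registrant_email, record_is_current).
# Both seeds are privacy-protected today but were not in older records.
WHOIS_HISTORY = [
    ("seed-one.example", "REDACTED FOR PRIVACY", True),
    ("seed-one.example", "ops.person@mail.example", False),
    ("seed-two.example", "abc123@whoisprivacyshield.example", True),
    ("seed-two.example", "ops.person@mail.example", False),
    ("seed-two.example", "second.person@mail.example", False),
]

# Constructed reverse-WHOIS index: email -> domains carrying that email in
# their current and historical records.
REVERSE_WHOIS = {
    "ops.person@mail.example": {
        "current": {"seed-one.example", "infra-a.example"},
        "historical": {"seed-one.example", "seed-two.example",
                       "infra-a.example", "infra-b.example"},
    },
    "second.person@mail.example": {
        "current": {"infra-c.example"},
        "historical": {"seed-two.example", "infra-c.example", "infra-b.example"},
    },
    # A privacy-proxy address is shared by many unrelated registrants;
    # pivoting on it would pull in noise, so it must be filtered out first.
    "abc123@whoisprivacyshield.example": {
        "current": {"unrelated-1.example", "unrelated-2.example"},
        "historical": {"unrelated-1.example", "unrelated-2.example"},
    },
}

# Heuristic markers for redacted or proxy addresses (constructed, not exhaustive).
PRIVACY_MARKERS = re.compile(r"redacted|privacy|whoisguard|proxy|protect", re.I)


def is_redacted(email: str) -> bool:
    """True for placeholder strings and addresses at privacy-protection services."""
    return not email or "@" not in email or bool(PRIVACY_MARKERS.search(email))


def extract_emails(history):
    """Split every registrant address in the WHOIS history into public vs. redacted."""
    public, redacted = set(), set()
    for _domain, email, _is_current in history:
        (redacted if is_redacted(email) else public).add(email)
    return public, redacted


def pivot(public_emails, reverse_index, seeds):
    """Reverse-WHOIS pivot: domains sharing a public email, minus the seeds themselves."""
    current, historical = set(), set()
    for email in public_emails:
        hit = reverse_index.get(email, {})
        current |= hit.get("current", set())
        historical |= hit.get("historical", set())
    return current - seeds, historical - seeds


def summarize(seeds=SEED_IOCS, history=WHOIS_HISTORY, reverse_index=REVERSE_WHOIS):
    """Produce the same kind of counts the study reports for each APT group."""
    public, redacted = extract_emails(history)
    current, historical = pivot(public, reverse_index, seeds)
    return {
        "emails_total": len(public) + len(redacted),
        "emails_public": len(public),
        "emails_redacted": len(redacted),
        "current_connected": sorted(current),
        "historical_connected": sorted(historical),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The order of the steps matters: the privacy filter runs before the reverse-WHOIS pivot, because a proxy address such as the constructed `abc123@whoisprivacyshield.example` appears on large numbers of unrelated domains and would swamp the result set. The historical pivot returns more domains than the current one for the same reason the study reports 855 historical versus 119 current connections for APT33: older records predate privacy redaction. Domains surfaced this way are candidates for the liveness check the study performs with Screenshot API and for corroboration against other telemetry, not confirmed attacker infrastructure.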

APT groups like the seven featured in our North American study are likely to continue launching destructive attacks over time to steal national secrets, disrupt critical infrastructure operations, or worse, so long as they remain unchecked. Our study shows that several cyber intelligence sources, specifically current and historical WHOIS records, can help unveil domain portfolios that could be linked to APT-related activities.

Want to know more about the seven APT groups and their email-connected domains? Download our complete white paper “A Study of APT Groups Known for Targeting North American Countries” now.

[1] https://www.mandiant.com/resources/blog/apt33-insights-into-iranian-cyber-espionage
    https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
    https://cyware.com/resources/research-and-analysis/the-evolution-and-exploits-of-fin7-from-pos-malware-to-ransomware-dominance-0623
    https://asec.ahnlab.com/en/59590/
    https://www.proofpoint.com/uk/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government
    https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html
    https://www.kaspersky.com/about/press-releases/2023_kaspersky-reports-attacks-on-industrial-sector-utilizing-cloud-infrastructure
