State-Backed APT Group Activity Continuing Apace

Written by

High levels of advanced persistent threat (APT) group activity from Russia, China, Iran and North Korea has continued since the Russian invasion of Ukraine, according to the ESET APT Activity Report T2 2022.

ESET researchers analyzed cyber activities of many of these groups, which are usually operated by a nation-state or by state-sponsored actors, during the period May to August 2022. Their activities are generally undertaken for the purposes of harvesting sensitive data from governments, high-profile individuals or strategic companies.

Jean-Ian Boutin, director of ESET Threat Research told Infosecurity that while APT groups in the four countries are continuing to be highly active, there have been no signs of coordination between these regions.

“We have not seen signs of collaboration between groups that have a different country alignment. They sometimes target the same organizations, but we have no evidence that they are collaborating. We believe that in those cases, they have similar goals and thus, overlapping targets,” he commented.


Unsurprisingly, Russia-aligned APT groups were particularly active in targeting Ukraine over the four-month period. One of the most “continuously active” was Gamaredon, which the report noted has been prominent in targeting Ukrainian government entities throughout 2022. This group “constantly modifies its tools to evade detection mechanisms,” said the report, and has recently started to use a third-party service,, for resolving IP addresses of its C&C servers instead of regular DNS.

Other Russian APT groups highlighted for their role in targeting Ukraine over this period included Sandworm, Gamaredon, InvisiMole, Callista and Turla. Sandworm, which ESET linked to an attempt to deploy a new version of Industroyer malware against high-voltage electrical substation in Ukraine in April 2022, has since used the ArguePatch loader to launch payloads like CaddyWiper. This has impacted at least three Ukrainian organizations, two of which were local governments, said the report.

ESET believes Sandworm is using social media platform Telegram to leak information stolen during CaddyWiper campaigns, an approach increasingly being taken by other Russian APT actors.

“We have noticed that in T2 2022, several Russia-aligned groups used the Russian multiplatform messaging service Telegram to access C&C servers or as an instrument to leak information. Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft,” commented Boutin.

Despite the continued attacks, speaking exclusively to Infosecurity, Boutin noted “a slow-down in the operations of threat actors targeting Ukrainian organizations.”

He explained: “In the first few months of the war, we were seeing more attacks using various wiper families targeting a wider array of organizations. In the past few months, we saw wiper campaigns as well, but mostly using CaddyWiper and on a much slower cadence than at the beginning of the conflict.”

"Threat actors from other regions were also trying to gain access to Ukrainian organizations, both for cyber espionage and intellectual property theft”

This slow-down may be partly explained by the resilience of Ukraine’s cyber-defenses, which has been praised by the UK’s National Cyber Security Centre CEO Lindy Cameron.


Numerous China-aligned APT groups remained highly active between May and August 2022, according to the study. These include SparklingGoblin, which ESET believe was behind an attack using a Linux version of the SideWalk backdoor against a Hong Kong University in February 2021.

The researchers also attributed SparklingGoblin with an attack on a food manufacturing company in Germany by leveraging a Confluence vulnerability (CVE-2022-026134) and automating the initial compromise. They suspect the same vulnerability helped the group gain access to a Confluence server of an engineering company based in the US.

Additionally, ESET believe a Chinese APT group may have been behind an attack on a US defense contractor, following the compromise of a web-based password management and single sign-on product. However, “we haven’t yet found enough similarities to make a good attribution to a known group.”

The firm suspects CVE-2022-28810 was exploited in this incident, just two days after it was disclosed. This “highlights the necessity of updating internet-facing software as soon as possible,” stated the report.


The notorious Iranian APT group POLONIUM targeted more than a dozen Israeli organizations in the report’s time frame. The researchers highlighted the espionage group’s continuous adaptions to its custom tools to avoid detection.

Another well-known threat actor, APT3, has targeted various industries in Israel, such as cosmetics retailing, cybersecurity holding companies, electronics manufacturing and legal services. This campaign has been active since at least October 2021, according to the report, and uses different versions of the SponsoredRunner backdoor to target organizations.

Other active Iran-aligned APT groups over this period were Agrius, APT-C-50 and OilRig, with Israeli organizations the most common targets.

North Korea

The most infamous North Korean threat group, Lazarus, has been involved in several spearphishing campaigns using the lure of fake job offers to compromise sensitive industries. One of these targeted an employee of an aerospace company in the Netherlands, resulting in an email with a malicious document attachment. The attackers delivered a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver.

Boutin outlined: “The aerospace and defense industry remains of interest to North Korea-aligned groups – Lazarus targeted an employee of an aerospace company in the Netherlands. According to our research, the group abused a vulnerability in a legitimate Dell driver to infiltrate the company, and we believe this to be the first-ever recorded abuse of this vulnerability in the wild.”

In another campaign, an individual in Argentina was targeted with malware disguised as a fake offer at Coinbase, a cryptocurrency exchange. Other North Korea-aligned groups that were active in the four-month period were Kimsuky and Konni.

Final Thoughts

Concluding the report, ESET researchers noted that while APT groups’ attacks are often directed at governmental bodies, “entities and individuals working within other mentioned targeted profiles should also maintain a heightened state of awareness.”

They continued: “Several cases in this report clearly show that acquired technology is not the only type of protection that should be deployed, but that organizations must also increase the overall cybersecurity awareness of their employees. A special area of focus here should be on spearphishing, as this is one of the most used initial compromise vectors seen in the described activities.”

In early November 2022, Microsoft reported a “disturbing” rise in aggressive nation-state cyber activity in the past year.

What’s hot on Infosecurity Magazine?