This is what major threat actors were up to in 2018

• Malicious activities carried out by Sofacy, Turla and CozyBear were the main highlights of the year.
• Sofacy or APT28 was found shifting its focus to the Far East in 2018.

2018 has witnessed numerous massive attack campaigns carried out by several skilled threat groups. Over the past year, many new threat actors emerged, while some older threat groups made a comeback after taking a sabbatical.

However, few hacker groups maintained their consistency of attacks using sophisticated hacking methods and malware. These threat actors were found using different approaches to conduct a successful attack. Here’s a look at some prominent threat actor groups that made some noise in cyberspace over the past year.

The big leagues

Malicious activities carried out by Sofacy, Turla and CozyBear were the main highlights of the year. In 2018, security researchers discovered these Russia-linked hacker groups improving their toolsets and operations to avoid detection, and deploy malware on targeted computers.

According to Kaspersky Lab, Sofacy was the most active of the three groups. The group, also known as Fancy Bear or APT28, was found shifting its focus to the Far East in 2018. It targeted both government and military agencies using three prominent malware variants tracked as SPLM, GAMEFISH, and Zebrocy.

SPLM, a backdoor malware, is considered to be Sofacy’s primary tool, while Zebrocy is used for high volume attacks. In early 2018, Sofacy targeted large air defense commercial firms in China with SPLM and deployed Zebrocy widely across Armenia, Turkey, Kazakhstan, Tajikistan, Afghanistan, Mongolia, China, and Japan.

The APT28 is also credited for deploying OlympicDestroyer malware at the Winter Olympics in Pyeongchang, South Korea.

Lazarus or HIDDEN COBRA was observed targeting several institutions in different regions including Turkey, Asia, and Latin America. The group’s target includes, but is not limited to, cryptocurrencies and financial institutions. In its more recent campaigns, Lazarus started deploying a new malware named ThreatNeedle.

Meanwhile, Turla evolved with enhanced capabilities and toolsets. Researchers noted that the hackers used some interesting implants, such as LightNeuron to target Exchange servers and a new backdoor malware to infect Germany’s Federal Foreign office in 2017. It is also responsible for using a new variant of Carbon malware to target embassies and foreign affairs institutions throughout the year.

New kids on the block

Many hacker groups emerged this year and were found focusing primarily on targets located in the Middle East and Southeast Asia. This includes new Asian hacker groups such as ShaggyPanther, Sidewinder, CardinalLizard, TropicTrooper, DroppingElephant, Rancor, Tick group, NineBlog, Flyfox and CactusPete - all of whom have been active throughout the year. Although the groups were not technically equipped, they used a variety of approaches to achieve their objectives.

In the Middle East, LazyMerkaats, FruityArmor, OpParliament, DarkHydrus, and DomesticKitten were the prominent new hacker groups to target both government and military agencies. Meanwhile, eastern European countries and former Soviet Republics witnessed attacks from the new groups such as DustSquad, ParkingBear, and Gallmaker.

The comeback kings

Several hacking groups re-emerged after a long hibernation period, with new activities and toolsets.

The Kimsuky APT retained its focus, targeting South Korean think tanks and political activities. The group renewed its attack framework to conduct cyber espionage. Other groups such as DarkHotel, LuckyMouse, and APT10 also made a notable comeback in different attack campaigns in 2018.

DarkHotel came back with new zero-days and exploits to target their old victims. These zero-days were deployed to hack into Internet Explorer’s scripting engine.

Meanwhile, LuckyMouse, a Chinese hacker group, was also active throughout the year. It deployed watering-hole attacks to hack national data centers in Central Asia and is suspected to be behind attacks against Oman.

APT10 was especially active against Japanese victims, using new iterations of its malware - OceanLotus. Among the others, ScarCruft was observed using a new backdoor called PoorWeb to deploy a zero-day campaign at the beginning of the year. It was also responsible for using Android malware that was specially designed for Samsung devices.

New activities from MuddyWater, the GazaTeam, DesertFalcons, and StrongPity were also detected in different regions, Kaspersky reported.