Japan Threat Landscape Report

 As the fourth-largest economy worldwide, Japan stands as a pivotal center for various cutting-edge industries. This includes automotive, manufacturing, finance, and telecommunications, rendering its attack surface a prime target for cyber adversaries.

Japan’s Western alliances and its territorial dispute with Russia, alongside support for Ukraine, heighten its cyber threat profile from state actors like China, Russia, and North Korea.

• Although direct cyber retaliation from Russia remains limited, Japan’s geopolitical positioning and strategic alliances with entities such as QUAD and NATO introduce significant cybersecurity challenges. In this report, we explore key Advanced Persistent Threat (APT) factions, ransomware groups, and hacktivist collectives – all known to target Japan.
• Notably, Cyberint identifies a rise in interest within the Chinese-speaking dark web community towards data breaches involving Japanese corporations and individuals alike.
• Japanese businesses rank as the second most targeted ransomware victims in Asia. Interestingly, their overseas subsidiaries face heightened vulnerability due to the relative ease for foreign attackers in crafting convincing social engineering attacks and reconnaissance actions in English compared to Japanese. Consequently, threat actors often prioritize targeting these subsidiaries. Nevertheless, advancements in AI may alter this dynamic in the future.
• Ransom attacks in the region predominantly target the manufacturing industry. Japan’s economy is heavily reliant on this sector, particularly in automotive manufacturing. Given Japan’s pivotal role in global supply chains, attacks on its manufacturing sector bear far-reaching global consequences.

In the protection of Japanese corporations, Cyberint evaluates the task of fortifying its cybersecurity infrastructure against the ongoing threat of cyber adversaries. The report incorporates our recommendations for mitigating and preventing substantial cyber risks.

Phishing and Social Engineering

Phishing campaigns in Japan are prevalent cyber threats that target individuals, businesses, and organizations alike. These campaigns are orchestrated to deceive and manipulate victims, coercing them into divulging sensitive information, including personal credentials, financial data, or login credentials.

A Global Rise of Smishing

Within the field of social engineering attacks, a common strategy involves employing a sense of urgency by using certain keywords such as ‘urgent,’ ‘important,’ ‘invoice,’ purchase,’ and related triggers. These keywords have become widely recognized by spam filters employed in email services, thereby diminishing their effectiveness in that domain. However, it is worth noting that SMS inboxes typically offer lower levels of protection compared to email services, and have various vulnerabilities that organizations need to be aware of.

Such instances have been observed specifically targeting known organizations worldwide such as Twilio and Cloudflare. In these cases, SMS messages were crafted to deceive employees into believing they needed immediate action or attention. Consequently, the employees were redirected to deceptive phishing interfaces, exposing them to potential security breaches.

While phishing vectors are the most common method for smishing, they can also be utilized to distribute malware without the victim’s knowledge. This poses a significant concern, particularly when corporate interfaces are accessible on personal mobile devices, such as Microsoft Outlook or VPNs, which may be susceptible to 0-day vulnerabilities.

Generative AI

Japan’s relatively high level of digitization makes it an attractive target for threat actors leveraging generative AI products for several reasons.

Generative AI offers threat actors a versatile toolset for various nefarious activities, including automated vulnerability discovery, which can significantly enhance the cost-effectiveness of attacks.

Moreover, AI facilitates threat actors in both the planning and execution stages of their campaigns, empowering them to tailor attack materials to suit multiple potential targets.

In the past year, Cyberint witnessed multiple cases of weaponization of AI by Threat Actors. Models like WormGPT, WolfGPT, and FraudGPT and others were created by malicious actors. They are primarily used to craft intricate computer worms and malware, exploit system vulnerabilities, generate persuasive and deceptive content for fake news articles and social media posts, or produce counterfeit documents, fake identities, and aid in phishing attempts.

Moreover, in recent years, threat actors have increasingly targeted foreign subsidiaries over Japanese headquarters due to the ease of conducting social engineering attacks and reconnaissance in English. However, advancements in AI translation and crafting capabilities may soon break down this language barrier and alter this dynamic.

Data breaches

Fujitsu incident

In March of 2024 the IT equipment and services company Fujitsu, reported that they have suffered a cyber-attack.

In an online statement, the company claimed that they have confirmed the presence of malware on several work computers. The computers contained sensitive files and information that could be illegally taken out using the malware. The company also said that following the discovery they have informed the relevant authorities and disconnected the infected machine immediately. The incident is still under investigation and officials from Fujitsu are investigating whether any information was leaked.

LINE BREACH

In October of 2023, Japanese tech giant LY Corporation, has disclosed it suffered a breach of hundreds of thousands of individuals via a Line messaging app data breach.

The breach contained 440,000 items of personal data, including users’ age group, gender, and partial service usage histories.  The Line app data breach exposed approximately 86,000 business partners’ data items, including email addresses, names, and affiliations, as well as over 51,000 employee records with ID numbers and email addresses. An investigation revealed that hackers accessed the data by breaching a South Korea-based affiliate, NAVER Cloud, through malware on a subcontractor’s computer. The attack likely exploited a shared personnel management system with common authentication.

An Increasing Targeting by Chinese-Speaking Threat Actors

In recent years, there has been a notable trend of Japanese data circulating within English-speaking underground forums. However, Cyberint monitoring and analysis indicate a distinct surge in interest within the Chinese-speaking dark web community regarding breaches concerning Japanese data.

Amidst regional tensions, Chinese-speaking threat actors are showing a heightened interest in compromising and trading stolen data from Japanese corporations and individuals alike.

Ransomware

Regional statistics and Impact

Japanese businesses rank as the second most targeted ransomware victims in Asia. Ransomware attacks have a profound impact on organizations, particularly in Japan, which boasts one of the world’s most robust hubs for automotive, technology, manufacturing finance and telecommunications. Ransom attacks in the region predominantly target the manufacturing industry. Financial losses are a major consequence, encompassing ransom payments, incident response costs, and potential legal actions. Small and medium-sized enterprises (SMEs) often struggle to recover due to limited resources.

Operational disruption is another significant repercussion, affecting critical systems and causing downtime, delayed services, and customer dissatisfaction. Data loss, including sensitive business data and customer information, can lead to legal issues, damage trust, and result in financial penalties. Additionally, ransomware attacks inflict reputational damage, resulting in customer loss, decreased brand value, and challenges in acquiring new business. Rebuilding trust and restoring reputation require substantial time and effort.

Below are several charts outlining key statistics on ransomware attacks impacting Japan and the broader region, alongside a glimpse into some of the ransomware groups involved.

Lockbit

LockBit ransomware has been linked to a higher number of cyberattacks this year compared to any other ransomware, establishing itself as the most active ransomware globally. LockBit initially surfaced in September 2019 and has since undergone evolution: transitioning from LockBit 2.0 in 2021 to its current iteration, LockBit 3.0.

LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. “Second-stage” LockBit establishes control of a victim’s system, collects network information, and achieves primary goals such as stealing and encrypting data.

LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly. When used as a Ransomware-as-a-Service (RaaS), an Initial Access Broker (IAB) deploys first-stage malware or otherwise gains access within a target organization’s infrastructure. They then sell that access to the primary LockBit operator for second-stage exploitation.

Tactics, Techniques, and Procedures (TTPs)

LockBit 3.0 seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. In LockBit’s RaaS model, the primary operating group recruits Initial Access Brokers (IAB) through advertisements on the dark web to obtain stolen credentials for Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) access. The LockBit group also develops exploits for known software vulnerabilities to take advantage of unpatched or misconfigured enterprise networks.

After initial access is gained, LockBit 3.0 malware downloads C2 tools appropriate for the target environment. LockBit 3.0’s second-stage C2 malware uses standard penetration testing tools such as Cobalt Strike Beacon, MetaSploit, and Mimikatz, as well as custom exploit code. Like Conti, LockBit 3.0 can spread within a target network using worm-like functionality. LockBit 3.0 malware source code is also notorious for protecting itself from analysis by security researchers; tools are encrypted by default and only decrypted when a suitable environment has been detected.

Latest Japan Incident

In March 2024, TMT Machinery announced that a third-part vendor had access to their internal systems and encrypted some sensitive Data. Accordingly, on March 27^th LockBit posted their name on their Dark-web website. TMT Machinery conducted an investigation and released a statement claiming that they have not yet paid the ransom and that, aside from a few screenshots lacking sensitive information, no data has been posted online.

IOCs

File Sharing Sites:

• https://www.premiumize[.]com
• https://anonfiles[.]com
• https://www.sendspace[.]com
• https://fex[.]net
• https://transfer[.]sh
• https://send.exploit[.]in

ALPHV

ALPHV, also known as BlackCat, is a significant ransomware group, operating through Ransomware-as-a-Service (RaaS) with global affiliates. ALPHV is highly adaptable and predominantly targets large entities like corporations and organizations. It ranks among the top three ransomware groups, with origins traceable back to DarkSide, notorious for the Colonial Pipeline Incident. Moreover, it has been observed recruiting former REvil members.

When observing ALPHV’s activity, the group mainly focuses on the business services sector and the Manufacturing industry. In addition, most of their activity is taking place in the United States followed by Canada.

Tactics, Techniques, and Procedures (TTPs)

The ransom is distributed through Cobalt Strike or a similar framework. Those behind BlackCat utilize LOLBins and custom scripts to navigate through networks and gather information about the environment.

The initial stage of ALPHV attacks relies on phished, brute-forced, or illicitly obtained credentials, often targeting Remote Desktop Protocol (RDP) connections and Virtual Private Network (VPN) services, along with exploiting vulnerabilities like CVE-2019-7481.

The subsequent phase of a ALPHV attack typically involves establishing reverse SSH tunnels to a ALPHV -controlled command-and-control (C2) infrastructure. Once connected, the attacks are entirely command-line driven, managed by humans, and highly customizable. The primary goal of ALPHV post-infection is to move laterally within the victim’s network, using tools like PsExec to target Active Directory user and administrator accounts, and to exfiltrate and encrypt sensitive files.

The main payload of ALPHV is the first known malware written in the “Rust” programming language, capable of infecting both Windows and Linux-based systems. ALPHV is effective against various versions of Windows, including XP and later (including Windows 11), Windows Server versions from 2008 onwards, Debian and Ubuntu Linux, ESXI virtualization hypervisor, as well as ReadyNAS and Synology network-attached storage products.

Latest Japan Incident

While ALPHV primarily focuses on targets in the US, Canada, and the UK, some Japanese businesses have also fallen victim to their attacks. On Mar 01, 2024, Kumagai Gumi was compromised by the threat actor group. Kumagai Gumi is a Japanese construction company founded in Fukui, Fukui Prefecture, Japan. The compromised data allegedly amounts to 5 TB.
Moreover, ALPHV has targeted in Novemebr 2023 Japan Aviation Electronics Industry and in August 2023 the well-known Japanese watch manufacturer Seiko.

Notable IOCs

Hunters International

Hunters International is a ransomware collective that came to the spotlight in October 2023. It has been determined that the first victim was featured on their website on October 20, 2023.

Researchers have asserted that Hunters International’s ransomware demonstrates technical similarities with approximately 60% of the Hive ransomware codebase. These identified parallels with Hive indicate a potential evolutionary relationship or a derivative of the previously dismantled group.

The threat actors responded to the allegations by denying affiliation with Hive claiming that they had simply purchased the group’s source code, which was being offered for sale. They further claimed that they had fixed certain issues within the code, inadvertently causing decryption unavailability in some cases.

Tactics, Techniques, and Procedures (TTPs)

Hunters International is a ransomware group that specifically targets Windows and Linux environments. Upon completing data exfiltration, the group appends a “LOCKED” extension to the encrypted files on the compromised system. Their operations have a global reach and impact a wide array of sectors, including health, automotive, manufacturing, logistics, finance, education, and food.

Latest Japanese Incident

A ransomware attack perpetrated by Hunters International targeted Hoya Corporation, demanding a payment of $10 million in exchange for a file decryptor and to prevent the compromised stolen files from being disclosed.

Hoya is a Japanese company specializing in optical instruments, medical equipment, and electronic components. It operates 160 offices and subsidiaries in more than 30 countries and a network of 43 laboratories worldwide.

Notable IOCs

Blackbyte

First appearing in September 2021, BlackByte acquired the reputation of a poorly coded ransomware, according to experts. Furthermore, the cybersecurity firm Trustwave discovered a vulnerability and used it to develop a free decrypter. The threat actors generally target industries in the energy, agriculture, financial services, and public sectors.

Tactics, Techniques, and Procedures (TTPs)

According to some experts, Blackbyte utilizes a range of tools and techniques to plant their ransomware. The threat actor’s modus operandi includes exploiting unpatched Microsoft Exchange Servers, deploying web shells for remote access, using living-off-the-land tools for persistence and reconnaissance, and employing Cobalt Strike beacons for command and control. They evade defenses through process hollowing and vulnerable drivers, ensure persistence with custom-developed backdoors, and utilize a specialized tool for data collection and exfiltration.

Latest Japanese Incident

The Blackbyte ransomware group targets organizations worldwide, including multiple businesses in Japan. One of the companies they targeted is the U.S. offices of Yamaha Corporation, a leading Japanese manufacturer of musical instruments and audio equipment. The group announced on June 14, 2023 that they had breached the company. Subsequently, on July 21 2023, another ransomware group called Akira added the company to its leaks list.

Prominent Advanced Persistent Threat (APT) groups

In general, the Eastern Asia region witnesses a notable presence of state-sponsored advanced persistent groups, ranging from major North Korean and Russian APTs to others associated with the People’s Republic of China (PRC).

Given its geopolitical positioning and strategic alliances with entities such as QUAD and NATO, Japan has been a target for several APTs, including APT10, APT41, APT29, Fancy Bear and Lazarus Group, and may continue to be under scrutiny by prominent APT groups in the region. Provided below is a brief overview into three of the most pertinent APTs.

APT10

Operating since 2006, APT10 is a cyberespionage group affiliated with the Chinese government, potentially linked to the Chinese Ministry of State Security (MSS). In 2018, the group gained notoriety for infiltrating and pilfering trade secrets and technologies from at least 12 countries. Various security agencies refer to APT10 using different monikers such as MenuPass (FireEye), Stone Panda (CrowdStrike), APT10 (Mandiant), and POTASSIUM (Microsoft).

In an unusual move for an APT group, APT10 was observed employing ransomware attacks as a decoy to mask its malicious activities in June 2022.

Malware, Toolset & TTPs

Attack Methods

APT10 employs a mix of traditional and modern attack methods, including spear-phishing and supply chain attacks. Since 2009, the group has used LNK files and files with double extensions in spear-phishing attacks. Notably, starting in 2017, APT10 initiated hacking through global service providers, leveraging sophisticated supply chain attacks to access victims’ networks.

The group employs DLL hijacking/side-loading, process hollowing techniques, and has utilized trending flaws like ProxyLogon and ProxyShell in Exchange Servers. A significant deviation was observed around mid-2022 when APT10 used ransomware as a decoy to conceal espionage-related activities.

Malware and Tools

APT10 utilizes a variety of malware, including information stealers like ScanBox, RATs such as Quasar, PlugX, P8RAT, and PoisonIvy, as well as backdoors like BugJuice (RedLeaves), SodaMaster, Hartip, SnuGride, HayMaker, and Uppercut. Loaders like HUI Loader, Ecipekac, FYAnti, and trojans like Impacket.AI and ChChes are also part of their arsenal. Additionally, ransomware strains like Rook, Pandora, AtomSilo, LockFile, and Night Sky have been attributed to APT10. APT10 employs a diverse set of tools, including AdFind, certutil, Cobalt Strike, Ecipekac, esentutl, Mimikatz, PsExec, PowerSploit, Wevtutil, tcping, Ntdsutil, Csvde, and pwdump.

Attribution

APT10 is strongly linked to Chinese state agencies, aligning its operations with Chinese national interests. The group was involved in cyberattacks during the 2018 Olympics, and code fragments in the Olympic Destroyer malware were traced back to APT10. Intrusion Truth, in September, reported APT10’s association with the Chinese intelligence agency, particularly China’s Ministry of State Security (MSS). Two Chinese individuals, Zhu Hua and Zhang Shilong, were charged in 2018 for breaking into the networks of over 45 technology firms and U.S. government agencies, revealing further ties to APT10.

In 2020, Symantec uncovered APT10’s campaign targeting Japanese organizations. In April 2022, APT10’s activities intersected with another threat group named TA410, using an upgraded version of malware called JollyFrog, further suggesting a connection between the two.

Notable Activity against Japan

Between 2022 and 2024, APT10 launched attacks on Japanese targets, primarily political institutions, using phishing emails bearing LODEINFO Fileless Malware. Over time, and especially in 2023, this malware evolved through multiple iterations, incorporating sophisticated remote code execution and detection evasion techniques.

IOCs

• 01b610e8ffcb8fd85f2d682b8a364cad2033c8104014df83988bc3ddfac8e6ec
• 056c0628be2435f2b2031b3287726eac38c94d1e7f7aa986969baa09468043b1
• 062ce400f522f90909ed5c4783c5e9c60b63c09272e2ddde3d13e748a528fa88
• 0b452f7051a74a1d4a544c0004b121635c15f80122dc6be54db660ceb2264d6f
• 0ec48b297dd1b0d6c3ddd15ab63f405191d7a849049feedfa7e44096c6f9d42a
• 20fc3cf1afcad9e6f19e9abebfc9daf374909801d874c3d276b913f12d6230ec
• 2317d3e14ab214f06ae38a729524646971e21b398eda15cc9deb8b00b231abc3
• 2417da3adebd446b9fcb8b896adb14ea495a4d923e3655e5033f78d8e648fcc8
• 37f56127226ce96af501c8d805e76156ca6b87da1ba1bb5d227100912f6c52d9
• 3aa54e7d99b69a81c8b25ab57aeb971644ed0a206743c9e51a80ec1852f03663
• 3ff2d6954a6b62afb7499e1e317af64502570181fd49ac5a74e2f7947e2e89db
• 4f6a768841595293146ca04f879efa988e4e95ce0f2bc299cb669fea55e78b65
• 5269db6b19a1d758c75e58ee9bbf2f8fd684cfedbfe712d5b0182d7bbd3a1690
• 5bc68df582c86c884b563b15057cc223f2e9bc1022ebb297e32a9a7e3036228b
• 6b4692029f05489ecda10e11cfacfc3b19097856b88647d3695f3bdc7dd83ce9
• 7b581c0305c78f28bad60028c63e852dc34fc9e28f39e4b0af73d80c1d9680c9
• 83030f299a776114878bcd2ade585d97836ef4ddb6943cb796be2c88bcb83a83
• 90a03dabfc4e56a12cc3bac5cbe991db044b900a01ec341803c864506e467ffa
• 9917a2213f114e87745867e5fea6717efd727d7c08fdc851969224be2f0e019b
• 9b5f9ff82ed238bcbd83628ed3ec84988dc05f81cec9e45a512fbd2c8ac45c33
• adfe177ade7d9bfe4df251a69678102aec1104a4ba9f73032dd90aba76d8bdd9
• b76fde584f87c88bdd21fab613335ce7fc05788aa4bb3191d1517ec16ef4d11a
• ce45af43dd2af52d6034e981515474147802efdfe036e00078fee29a01694fd6
• d461347388ccf0c2008332a1674885a41f70b94b2263bddef44e796d3b1b43b5
• df993dca434c3cd2da94b6a90b0ae1650d9c95ea1d5f6a5267aca640d8c6d00e
• ee46e714660f7652502d5b3633fae0c08c8018f51cfb56a487afd58d04dd551a
• fe33fdd5a63fee62362c9db329dde11080a0152e513ef0e6f680286a6a7b243f
• 88[.]198.101[.]58
• 168[.]100.8[.]38
• 179.106[.]224
• 179.77[.]72
• 104.112[.]218
• 182.116[.]25
• 76.197[.]236
• 76.222[.]130
• 77.183[.]161

APT41

Like other Chinese espionage factions, the targeting strategies of APT41 align predominantly with China’s Five-Year economic development plans. This group has effectively established and maintained strategic access to organizations operating within the healthcare, high-tech, and telecommunications sectors. Although APT41 primarily focuses on financially motivated activities within the video game industry, they have also exhibited operations targeting higher education, travel services, and news/media firms, suggesting a broader surveillance agenda.

APT41’s financial pursuits within the video game industry include manipulating virtual currencies and even attempting ransomware deployment. The group demonstrates proficiency in navigating targeted networks, seamlessly transitioning between Windows and Linux systems to gain access to game production environments. Subsequently, they pilfer source code and digital certificates, utilizing the latter to sign malware. Furthermore, APT41 leverages its access to production environments to inject malicious code into legitimate files, later distributed to unsuspecting victim organizations. These supply chain compromise tactics are indicative of APT41’s prominent espionage campaigns.

Interestingly, despite the complexity and scale of supply chain compromises, APT41 restricts the deployment of follow-on malware to specific victim systems by meticulously matching individual system identifiers. This multi-stage approach not only ensures targeted malware delivery but also conceals the true scope of their intended victims, a departure from conventional spear-phishing campaigns that often reveal targets based on email addresses.

Tactics, Techniques, and Procedures (TTPs)

APT41 employs sophisticated techniques, notably in financially motivated activities such as software supply-chain compromises. By injecting code into legitimate files, they pose a significant threat to organizations, stealing data and manipulating systems. Utilizing advanced malware, including boot kits, facilitates data extraction without detection.

Their utilization of Lowkey malware and the Deadeye launcher underscores their adeptness at immediate reconnaissance while evading detection. Spear-phishing emails are frequently employed for both cyberespionage and financial endeavors, often tailored to high-level targets using acquired personal information.

Software Tools

According to reports from the United States Department of Health and Human Services, APT41 leverages a variety of software tools for malicious activities:

• BLACK COFFEE: A versatile tool serving as a reverse shell, aiding in enumeration, deletion, and command and control (C2) communications, while employing obfuscation techniques.
• China Chopper: A web shell granting unauthorized access to enterprise networks, facilitating infiltration and operations within targeted systems.
• Cobalt Strike: A commercially available tool enabling the deployment and execution of malicious payloads, allowing attackers to carry out intended actions.
• Gh0st Rat: A remote access tool (RAT) providing unauthorized control over compromised systems and establishing continued access for subsequent malicious activities.
• Mimikatz: A credential dumping tool extracting plain-text Windows account information, facilitating the acquisition of sensitive credentials.
• PlugX: A RAT equipped with modular plugins, offering additional capabilities for exploiting and controlling compromised systems.
• ShadowPad: A modular backdoor commonly utilized by APT41 for command and control communication, enabling remote control of compromised systems and malicious activities.

Lazarus Group

The Lazarus Group, recognized by numerous aliases such as Hidden Cobra, Zinc, APT-C-26, Guardians of Peace, Group 77, Who Is Hacking Team, Stardust Chollima, and Nickel Academy, operates under the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK). In 2017, a joint technical alert (TA17-164A) issued by the U.S. government, based on analyses by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), identified Hidden Cobra as a “North Korean state-sponsored malicious cyber organization.”

The Lazarus Group’s activities align closely with North Korea’s political interests, with South Korea and the U.S. serving as primary targets. However, the group extends its operations to other countries, including Afghanistan, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, China, France, Germany, Guatemala, Hong Kong, India, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Russian Federation, Saudi Arabia, Spain, Switzerland, Thailand, Turkey, and the United Kingdom.

Operating on a broader scale than other nation-state threat actors, Lazarus Group’s objectives encompass information theft, financial extortion, espionage, sabotage, and disruption. In addition to engaging in bank robberies, cryptocurrency theft, and ransomware attacks for financial gain, the group selectively targets sectors such as energy, aviation, and defense to acquire strategically significant intelligence.

Malware, Toolset & TTPs

The Lazarus Group has refined its strategy over time, transitioning from initial DDoS operations against diverse organizations to employing a more destructive arsenal of malware and TTPs.

While the group’s attack patterns may vary, they typically follow similar procedures. Lazarus Group meticulously plans sophisticated attacks, conducting thorough reconnaissance on potential victims to ascertain vulnerabilities and optimal attack timings.

Utilizing techniques like spear phishing, supply-chain attacks, waterhole attacks, and zero-day vulnerability exploitation, Lazarus Group gains access to targeted networks and maintains persistence through custom-built malware such as remote access trojans (RATs), backdoors, and botnets.

To evade detection and cover their tracks, Lazarus Group deletes logs and data, deploying malware or ransomware when necessary. In the event of detection, the group acts swiftly to avoid forensic investigations by promptly repackaging malware and altering encryption keys and algorithms.

Known for their aggressive tactics, including employing disk-wiping malware, Lazarus Group focuses on disruption, sabotage, financial theft, and espionage activities. They continuously develop and modify custom malware for operations, utilizing a range of tools including backdoors (Appleseed, HardRain, BadCall, Hidden Cobra, Destroyer, Duuzer), RATs (Fallchill, Joanap, Brambul), and the notorious ransomware Wannacry.

In their attacks, Lazarus Group leverages both zero-day vulnerabilities and known exploits, including vulnerabilities in Adobe Flash Player, Microsoft Office, South Korean local software (e.g., Hangul Word Processor), and the SWIFT financial software.

IOCs

Lazarus Group crypto Ethereum address:

• 0x098B716B8Aaf21512996dC57EB0615e2383E2f96
• 0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B
• 0x3Cffd56B47B7b41c56258D9C7731ABaDc360E073
• 0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1

IoCs of Wannacry

• IP Addresses and Domains
• IPv4 197(.)231.221.211
• IPv4 128(.)31.0.39
• IPv4 149(.)202.160.69
• IPv4 46(.)101.166.19
• IPv4 91(.)121.65.179
• URL hxxp://www(.)btcfrog(.)com/qr/bitcoinpng(.)php?address
• URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html
• URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html?retencion=081525418
• URL hxxp://gx7ekbenv2riucmf(.)onion
• URL hxxp://57g7spgrzlojinas(.)onion
• URL hxxp://xxlvbrloxvriy2c5(.)onion
• URL hxxp://76jdd2ir2embyv47(.)onion
• URL hxxp://cwwnhwhlz52maqm7(.)onion
• URL hxxp://197.231.221(.)211 Port:9001
• URL hxxp://128.31.0(.)39 Port:9191
• URL hxxp://149.202.160(.)69 Port:9001
• URL hxxp://46.101.166(.)19 Port:9090
• URL hxxp://91.121.65(.)179 Port:9001

Hashes 

Hacktivists Groups

The Russia-Ukraine conflict sparked a new wave of hacktivism, with pro-Russian and pro-Ukrainian groups launching cyberattacks against each other’s entities and allies. Some of these groups, while denying official ties, are believed to be aligned with the Russian government. Notably, in addition to Japan’s geopolitical stance with its Western allies, it has an ongoing territorial dispute with Russia over the Kuril Islands.
In the past year, with the ongoing Russia-Ukraine war and the Israel-Hamas escalation since October 2023, there is a growing number of individuals and groups seeking to utilize cyberspace as an additional battleground.

Throughout 2023, dozens of government institutions in Japan were targeted by Anonymous Hacktivist and VulzSec operation named “OpFukushima”, following an International Atomic Energy Agency decision to permit the release of wastewater from the Fukushima Daini Nuclear Power Plant. Additionally, Killnet and NoName057(16) target Japan along with other Western countries and allies, primarily due to their support for Ukraine.

Tactics, Techniques, and Procedures (TTPs)

Typically, among the most prevalent methods of hacktivists are Distributed Denial of Service (DDoS) attacks, which overload target servers with traffic, rendering them inaccessible to legitimate users. Website defacement is another common tactic, involving the unauthorized alteration of a website’s appearance or content to convey a message or disrupt operations. These TTPs enable hacktivists to amplify their voices.

OpJapan Campaign

In late October 2023, amid the Israel-Palestine conflict and following Japan’s declaration of support for Israel, an online hacktivism campaign called OpJapan has emerged. The primary group involved in the campaign was the Pakistan-based “Pakistani Leet Hackers”, claiming affiliation with Anonymous. Another participating group was “GHOSTS of Palestine”. The campaign primarily comprised DDoS attacks on websites of various companies across multiple sectors. The campaign’s last activity was reported in early November 2023, with no new activity observed since.
Some of the campaign’s victims include the economics department of the Israeli embassy in Japan, Lilibet (Japan’s largest online casino), the Atomic Energy Society of Japan, Yahoo Japan, and multiple Japanese-owned government domains.

Cyberint Recommendations

Ransomware Prevention

• Maintain a robust patch management process to ensure that security updates and patches are applied in a timely fashion, securing the low-hanging fruit and preventing known vulnerabilities from being exploited.
• Continuously monitor endpoint security events as an early warning of suspicious behaviour, for example, host-to-host communications indicating lateral movement or high-volume disk operations indicating mass file encryption or exfiltration.
• Consider monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools such as the use of net.exe, taskkill.exe and vssadmin.exe.
• Limit user permissions according to the principal of least privilege (POLP).
• Secure sensitive data, adhering to any legal or regulatory requirements, to prevent unauthorized access, be that internal or external in origin.
• Utilize application permit and deny lists to prevent the execution of unauthorized or unknown executables, such as those delivered as part of a broader attack.
• Ensure that disaster recovery plans and backup policies consider regular backups, verification of data integrity and offline storage to facilitate restoration in the event of a catastrophic incident.
• Make use of network segregation to limit communications between nodes, especially end-points, to provide damage limitation and limit the propagation of threats.
• Disable administrative tools and script interpreters to prevent misuse by malicious payloads or threat actors.

Phishing detection and mitigation

Cyberint recommends taking a proactive approach of ongoing phishing detection. Alongside the detection, Cyberint advises executing a takedown of the websites on the basis of copyright infringement. Upon request, Cyberint can facilitate the takedown procedure on your behalf.

If the website is part of a broader phishing campaign, Cyberint recommends conducting an investigation. This would help to identify potential vulnerabilities and will enable the implementation of appropriate security measures.

An Ongoing monitoring of Underground Platforms

Cyberint strongly recommend implementing ongoing monitoring of the dark web, hacking forums, and relevant underground platforms frequented by threat actors. This proactive approach is crucial for detecting potential data breaches in a timely manner.

By staying vigilant and monitoring these channels regularly, you can swiftly identify any signs of compromise or unauthorized access to your sensitive information or to third-party vendors of your organization.

Early detection enables prompt response measures, minimizing the impact of potential breaches and safeguarding your organization’s assets and reputation. Cyberint team can gladly support the setting up comprehensive monitoring strategies and implementing robust security measures to mitigate risks effectively.

Multilingual cyber professionals at Cyberint are fully equipped to conduct analysis and investigations on prominent underground forums, encompassing languages such as Chinese, Russian, and others.

Combating Prominent Threat Acting Groups

It is essential to adopt a multi-layered security approach and implement best practices tailored to counteract their sophisticated tactics.

• Ensuring comprehensive network segmentation can limit lateral movement within your infrastructure, making it more difficult for Threat Actors to traverse and access sensitive data.
• Employing robust access controls and least privilege principles helps restrict unauthorized access to critical systems and data.
• Implementing regular security awareness training for employees is crucial to enhance their understanding of Threat Actors tactics, ensuring they remain vigilant against phishing attempts and social engineering tactics.
• Additionally, deploying advanced threat detection and response mechanisms, such as intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions, can aid in early detection and swift response to Threat Actors activity.
• Maintaining up-to-date software patches and conducting regular vulnerability assessments can help close potential entry points for Threat Actors.