Vertical Target Series: Technology, Telecommunications and Academic and Educational Services

Critical infrastructure verticals such as technology and telecommunications, as well as academic and educational services, are attractive targets for cybercriminals and advance persistent threat (APT) groups. These organizations, such as IT services, fintech, universities, professional education institutes, and more, are often targeted by both cybercriminals and APT groups due to the sensitive data these organizations maintain that could help other government bodies. Targeting organizations within these verticals could also lead to potentially negative societal impacts, including the privacy compromise of minors in the education system, as well as the decline of political and economic confidence. Ransomware operators frequently target these verticals because these organizations have valuable information, including the personally identifiable information (PII) of minors, parents, and staff, connections to other organizations that can be exploited in a supply chain attack, and the inability for these types of organizations to have a significant amount of downtime.

 

This blog leverages the Adversary Risk Matrix developed by Optiv’s Global Threat Intelligence Center (gTIC) - a multi-faceted, qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The matrix considers known and assessed non-technical capabilities and intentions. Please see our white paper for the full report.

 

 

Technology

The technology vertical includes technology equipment, software and IT services, and financial technology and infrastructure. Technology organizations are a frequent target for threat actors—including both cybercriminal and APT groups—due to the valuable data they contain including PII and intellectual property (IP). Technology organizations hold sensitive information, such as personal data, personal and corporate card data, access credentials. Additionally, technology companies, including MSSPs and service providers, typically have access to client environments—making technology companies an attractive target for supply chain attacks. Threat actors could gain access to hundreds or thousands of organizations as a result of a single intrusion. Three APT groups observed targeting the technology vertical include APT39 (Chafer, Cobalt Hickman, Radio Serpens, Remix Kitten), Lazarus Group (Labyrinth Chollima, Zinc, Hidden Cobra, Diamond Sleet), and Volt Typhoon (Bronze Silhouette, Vanguard Panda).

 

Volt Typhoon

Volt Typhoon is an APT group that has been attributed to the Chinese government and has been active since 2021. The group has been observed targeting critical infrastructure organizations in the U.S. and Guam. The group is believed to conduct espionage campaigns and maintain persistent access to victim environments for as long as possible. While the Volt Typhoon group is purported to only have been active since 2021, there is an Even Chance that the group has been active for a longer period of time. APT groups attributed to China have been observed sharing infrastructure and tooling, indicating that Volt Typhoon could have been active under another group or moniker prior to 2021.

 

  • In 2023, Volt Typhoon was attributed with exploiting vulnerabilities in Fortinet FortiOS products to gain initial access to victims’ environments. The goal of the attacks was to purportedly gather sensitive information that would be of strategic interest to the Chinese government.

 

Image
Vertical_Target_Series_Technology_img3.PNG

Figure 1: Threat Actor Metric for Volt Typhoon

 

MalasLocker

The MalasLocker ransomware operation was first observed in April 2023. The group participates in double extortion methods and maintains a data leak site where victim’s information is leaked if the ransom is not paid. The group claims to show disdain for corporations and socio-economic inequality. Rather than demand a ransom like other operations, the group claims that they will provide a decryption key to victim organizations that donate to a MalasLocker-approved charity. The operators target Zimbra servers and upload suspicious JSP files to specific directories. The initial access vector is not known at the time of writing.

 

Of the 171 victims listed on the MalasLocker data leak site from January 1, 2023 - December 15, 2023, 57 of them (33%) are in the technology vertical.

 

  • In May 2023, MalasLocker named 49 technology organizations (excluding telecommunications companies) on their data leak site. The posts included a .txt file of purportedly encrypted files. The posts did not appear to contain any screenshots of the purported data or the victim environment.

 

 

Telecommunications

The telecommunications vertical has been increasingly targeted by threat actors. This is likely because people use a growing number of mobile devices to store and process both personal and corporate data, as well as activate multi-factor authentication. This vertical includes both internet and cellular service providers, and the vertical plays a critical role in facilitating global communications. As organizations become more connected, it is Likely that threat actors will continue to target organizations within this vertical. Telecommunications organizations are often targeted for espionage attacks, technology theft, and data harvesting campaigns. Three APT groups observed targeting the telecommunications vertical are APT34 (aka Europium, Hazel Sandstorm, OilRig, Chrysene), APT27 (aka Budworm, Emissary Panda, Threat Group-3390, LuckyMouse), and APT39 (aka Chafer, Cobalt Hickman, Radio Serpens, Remix Kitten).

 

APT34

APT34 (aka OilRig, Helix Kitten) is an Iranian state-associated threat group that has been in operation since at least 2014. However, attacks attributed to them date back to 2012. The group has targeted several organizations and is most commonly known for sophisticated social engineering scams designed to enable initial access. The group’s motivation is believed to be establishing access to target networks that can be used at a later date, conduct supply chain compromise, and move laterally to other targets. APT34 has also been associated with destructive wiper attacks against the energy and ICS industries. APT34 relies on stolen account credentials for lateral movement.

 

  • In 2020, APT34 reportedly targeted an organization in the Middle East with the RDAT malware. The attacker’s goal was purportedly to maintain persistent access and steal sensitive information.
  • In 2023, APT34 was attributed with phishing attacks targeting organizations in the Middle East to deploy the Menorah malware. The group’s goal was to reportedly steal sensitive information.

 

Image
Vertical_Target_Series_Technology_img10.PNG

Figure 2: Threat Actor Metric for APT34

 

BianLian

BianLian is a ransomware written in Google’s Go programming language. BianLian has been active since at least July 2022. The operators are not as active as some of the more prolific groups, such as LockBit, Alphv, and Black Basta. The operators do participate in double extortion and maintain a data leak site. BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors.

 

Of the 194 victims listed on the BianLian data leak site from January 1, 2023 - December 15, 2023, 5 of them (2.6%) are in the telecommunications vertical.

 

  • In April 2023, BianLian named Commerce Pundit on their data leak site and claimed to have stolen 400GB of data. The data reportedly included human resources documents, financial data, and more. The post includes 199 .zip links to purportedly stolen data.
  • In September 2023, BianLian named Smartfren Telecom on their data leak site and claimed to have stolen 1.2TB of data from the organization. The group claimed the information included financial data, technical data, and more. The post includes 917 files for download that contain purported stolen data.

 

Image
Vertical_Target_Series_Technology_img14.PNG

Figure 3: Threat Actor Metric for BianLian Ransomware

 

 

Academic and Educational Services

The academic and educational services vertical includes public and private school districts, primary and secondary schools, universities, and professional and business education services and providers. Despite many defensive frameworks and policies that academic and educational services institutions have adopted to improve security, institutions in this vertical remain an attractive target for threat actors due to the high-value information and critical nature of these organizations. Often the goal of state-sponsored attacks targeting these organizations is for strategic gain by collecting sensitive intellectual property, such as research or stealing credentials for future malicious activities. Three of the APT groups observed targeting the education vertical are Mustang Panda (aka Bronze President, Camero Dragon, Stately Taurus, TA416), Deep Panda (aka KungFu Pandas, Pink Panther, Shell Crew), Earth Lusca (aka Aquatic Panda, Bronze University, Charcoal Typhoon, Chromium).

 

Mustang Panda

Mustang Panda (aka Bronze President, HoneyMyte, TEMP.Hex) is a China-linked APT group that has been active since at least 2014. The group is notable for their social engineering attacks using lure documents related to current global events, including the Russia-Ukraine war, COVID-19, and human rights conditions in China. Mustang Panda is known for using both open-source and custom malware variants.

 

  • In 2022, Mustang Panda was attributed with launching spear-phishing attacks to target organizations. The phishing emails included embedded links that victims could click to download the custom malware.

 

Image
Vertical_Target_Series_Technology_img15.PNG

Figure 4: Threat Actor Metric for Mustang Panda

 

Rhysida

Rhysida is a RaaS group that was first observed in May 2023 and gained notoriety in May 2023 after launching an attack against the Chilean army. The U.S. Department of Health and Human Services indicates that the name, “Rhysida,” refers to the Rhysida Longpipes centipede genus, which is also displayed on their data leak site.

 

Of the 73 victims listed on the Rhysida data leak site from January 1, 2023 - December 15, 2023, 23 of them (31.5%) are in the academic and educational services vertical.

 

  • In May 2023, Rhysida targeted Oklahoma’s Northeastern State University (NSU) and named the university on their data leak site in June 2023. NSU temporarily disabled their network—preventing students from accessing the school network or accessing electronic grades.
  • In November 2023, Rhysida named Bangkok University on their data leak site and claimed to have stolen 180GB of data. The post included screenshots of student IDs and financial data, as well as the statement that that they had uploaded 60% of the stolen data.

 

Image
Vertical_Target_Series_Technology_img18.PNG

Figure 5: Threat Actor Metric™ for Rhysida Ransomware

 

Outlook

Despite high-profile ransomware incidents and government/law enforcement attention on ransomware operations and facilitators, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2023 and are assessed to focus on continuing to build infrastructure and capabilities around themselves as a one-stop shop with less reliance on marketplaces and forums.

 

Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is Unlikely, these verticals have a historical record of being targeted by state-sponsored APT groups. For a full report, please see our white paper.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Would you like to speak to an advisor?

How can we help you today?

Image
field-guide-cloud-list-image@2x.jpg
Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation
Image
OptivCon
Register for an Upcoming OptivCon

Ready to speak to an Optiv expert to discuss your security needs?