APT group targeting government entities sets sights on South Africa

  • An advanced persistent threat (APT) group has been spotted by Trend Micro.
  • Dubbed Earth Krahang, the group has successfully compromised at least one entity in South Africa.
  • This is concerning as the group’s primary targets are government entities.

Teams that work on the digital services used by government may want to shore up their cybersecurity as we move into the 2024 elections. This is because, according to Trend Micro, a new advanced persistent threat (APT) group is kicking down the doors of ICT infrastructure operated by governments around the world.

The cybersecurity company has highlighted the modus operandi of a group it is calling Earth Krahang, owing to its connections to the Earth Lusca group it has warned of in the past. This APT group has a very specific set of targets, namely governments. The group gains access to government infrastructure and then uses that access to perpetrate further attacks. It has been operational since early 2022 and is rather creative in its methods.

“One of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts,” Trend Micro researchers write.

“Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyberespionage,” they add.

Earth Krahang chooses its targets by scanning public-facing servers operated by governments for vulnerabilities. In some instances, the APT group will simply brute-force directories to search for files that contain sensitive information including user names and passwords. These credentials are then used to launch further attacks in a bid to compromise more entities or infrastructure.
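A defensive check for the directory brute-forcing described above, as an added example that is not part of the article or Trend Micro's report: it flags clients that hit many distinct non-existent paths within a short window in a web server access log. The log lines, IP addresses, paths and thresholds are constructed for illustration.

```python
"""Flag possible directory brute-forcing in combined-format access logs.

Added example, not from the article or Trend Micro's report. A burst of 404
responses from one client to many distinct paths in a short window is a cheap
signal that someone is guessing directory and file names on a public server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache/nginx combined format); addresses are RFC 5737 examples.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2024:10:00:01 +0200] "GET /backup/ HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.7 - - [18/Mar/2024:10:00:02 +0200] "GET /old/ HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.7 - - [18/Mar/2024:10:00:03 +0200] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.7 - - [18/Mar/2024:10:00:04 +0200] "GET /config/ HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.7 - - [18/Mar/2024:10:00:05 +0200] "GET /files/ HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.7 - - [18/Mar/2024:10:00:06 +0200] "GET /private/ HTTP/1.1" 404 153 "-" "curl/8.4"
198.51.100.4 - - [18/Mar/2024:10:00:07 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Mar/2024:10:00:09 +0200] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Mar/2024:10:00:10 +0200] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Mar/2024:11:30:00 +0200] "GET /test/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (client_ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def find_directory_bruteforce(lines, window_seconds=60, min_distinct_404=5):
    """Map client IP -> peak number of distinct 404 paths seen inside any window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()  # order by timestamp so the sliding window below is valid
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_seconds):
                start += 1  # drop hits that fell out of the window
            distinct = len({path for _, path in hits[start:end + 1]})
            if distinct >= min_distinct_404:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in find_directory_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible directory brute-force from {ip}: {count} distinct 404 paths")
```

Only the first client is flagged: the browser that missed a favicon and the client with two misses ninety minutes apart stay below the threshold.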

The group also uses spear-phishing tactics to trick government employees into visiting a compromised website or downloading malware. In one instance the group was able to send a malicious attachment to 796 email addresses after compromising just one mailbox operated by a government entity.

“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails. Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists,” Trend Micro explains.

As of this week, Earth Krahang has compromised or targeted victims in 45 different countries, but as you can see in the image above, it tends to favour countries in the global south.

Other industries Trend Micro has observed being targeted by Earth Krahang include:

  • Finance/Insurance,
  • Foundations/NGOs/Think tanks,
  • Healthcare,
  • IT,
  • Manufacturing,
  • Media,
  • Military,
  • Real estate,
  • Retail,
  • Sports,
  • Tourism.

“Given the importance of Earth Krahang’s targets and their preference of using compromised government email accounts, we strongly advise organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks, such as developing a healthy skepticism when it involves potential security issues, and developing habits such as refraining from clicking on links or opening attachments without verification from the sender,” the cybersecurity firm advises.

“Given the threat actor’s exploitation of vulnerabilities in its attacks, we also encourage organizations to update their software and systems with the latest security patches to avoid any potential compromise,” it continues.

As Trend Micro highlights in its report, South Africa hasn’t just been a target; an Earth Krahang attack has compromised at least one entity, and that’s going to keep us up tonight. It’s not clear whether the victim or victims were a government entity or some other organisation from the list above, but success for the group will inspire it to pursue other targets.

We hope that the government heeds the warning issued by Trend Micro as there is a tendency for departments to be hacked and Earth Krahang looks to be a ruthless adversary.

You can read more detail on Earth Krahang’s attacks as well as find indicators of compromise at this link.
