Η Kaspersky managed to identify after two years one APT team, which had been reported in their leak Shadow Brokers the 2017.
2017, a hacking team known as Shadow Brokers, published a "data dump" called “Lost in Translation”.
The data dump contained several exploits and hacking tools, which are hackers had been stolen by the NSA. One of the most famous exploits, posted, is EternalBlue, used for WannaCry, NotPetya and Bad Rabbit ransomware, in disaster attacks of 2017.
The "data dump" also contained a file named sigs.py.
Her hackers NSA used this file as one malware scanner to scan the infected computers. Nouns, scanned computers to search for other APTs (this term is usually used to describe state hacking teams).
The sigs.py script was able to detect 44 other APTs. Many of these groups were unknown in the industry security in cyberspace 2017 (when the leak happened). This means that the NSA had an important tool in its hands that could detect and track activities many dangerous APT groups.
However, Kaspersky published one last month report, in which he reports that he managed to locate one of the mysterious APT teams.
The researchers called the group "DarkUniverse"And said that these hackers were active from 2009 to 2017. After the ShadowBrokers leaked, their tracks were lost.
“The suspension of their activities may be related to the publication of 'Lost in Translation'. They may still have decided to switch to more modern approaches, "Kaspersky said.
20 victims in Africa, Europe and the Middle East
The victims were mainly politicians and military organizations, medical institutions, atomic energy providers and telecommunications companies.
However, Kaspersky experts are sure that the actual number of victims is much higher.
About DarkUniverse malware framework, researchers found overlapping code with malicious software ItaDuke / APT, which has been used to attack Uighurs and Tibetans minorities.
However, it is not certain if DarkUniverse's malware comes from Chinese hackers. More information is needed.
According to Kaspersky researchers, the DarkUniverse malware framework is a typical trojan that allows remote access access, but it is particularly advanced and dangerous. In the picture below you can see its capabilities.