State hackers (government-backed hackers) are using a number of tools in their attacks on telecommunications providers and IT companies in South Asia.
According to Symantec researchers, who identified the hacking group, the aim of the attacks is information gathering through highly targeted espionage campaigns against telecommunications providers, IT companies and government entities.
The researchers named the group Harvester. They had not previously seen the tools the group uses, which suggests it is a new group with no ties to other known hackers.
According to Symantec, the Harvester group uses both custom malware and publicly available tools in its attacks. The attacks began in June 2021 and the most recent activity was observed in October 2021. As noted above, these state hackers mainly target telecommunications providers, government agencies and IT companies.
But how did the investigators find out that this is a government-backed group (state hacking group)?
"The capabilities of the tools, the custom development and the selection of the victims all suggest that the Harvester team is a nation-state-backed team," the researchers say.
Some of the tools that the Harvester team uses in its attacks:
- Backdoor.Graphon - custom backdoor that uses Microsoft infrastructure for C&C activity
- Custom Downloader - uses Microsoft infrastructure for C&C activity
- Custom Screenshotter - captures screenshots in a file
- Cobalt Strike Beacon - uses CloudFront infrastructure for C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject into other processes, upload and download files, etc.)
- Metasploit - an off-the-shelf modular framework used for various malicious activities: privilege escalation, screen capture, backdoor installation and more.
Symantec researchers have not yet discovered how the victims' machines were initially infected. However, there are some indications that a malicious URL is being used for this purpose.
Then, using the tools above, the attackers steal important data from the target machines.
Symantec warns that the state-backed Harvester hackers are still active, currently targeting mainly telecommunications providers and IT companies in Afghanistan.
Although the researchers were able to examine the new group's tools, they still do not have enough data to attribute the hacking activity to a particular government.
Source: Bleeping Computer