
Cyber-Espionage Group StrongPity Focuses on Kurdish Community

Recent attacks associated with the threat actor known as StrongPity appear to focus on the Kurdish community in Turkey and Syria, Bitdefender security researchers say.


Active since at least 2012 and also tracked as Promethium, the threat actor was initially detailed in 2016, when it mainly focused on victims in Italy, Turkey, and Belgium. The group is believed to be state-sponsored, but there appears to be little evidence to support that.

Despite the publication of several reports detailing its activities, the threat actor remains active and continues to target victims in various regions, including Colombia, India, Canada and Vietnam, Cisco Talos reveals. Most of the group’s victims, however, are still located in Turkey, according to Bitdefender.

The group’s tactics, techniques, and procedures (TTPs) have changed little over the past four years: it continues to rely on trojanized installers of well-known applications to infect its victims, and it still appears to deliver them through watering hole attacks.

StrongPity is known to engage in cyber-espionage, and the recently observed campaigns are no different. However, the adversary appears to have expanded its operations to new regions, past the previously targeted Europe, Northern Africa and the Middle East geographies.

Over the past year, the threat actor has been conducting at least three different campaigns, which are believed to be overlapping. Furthermore, some of the domains used in these attacks still receive hits, suggesting that they continue to be an active infection vector.

Since July 2019, the group has used four new trojanized applications, namely the Firefox browser, the VPNpro VPN client, the DriverPack driver collection, and the 5kPlayer media player, all signed with a self-signed certificate. Such a certificate does not chain to a trusted root, so a valid signature only shows that the file was not altered after the attacker signed it, not that it came from the legitimate vendor.

The threat actor’s main malware has been updated with new methods of sending requests to the command and control (C&C) server, new persistence mechanism, and a new location for storing the dropped files.


Since late 2019, Bitdefender has observed numerous attacks focusing on victims in Istanbul and close to the Syrian border, which led the researchers to assess that the Kurdish community is being targeted. StrongPity has, however, been observed targeting victims in the region before.

In one campaign, the observed samples all have creation timestamps after October 1, 2019, the date Turkey launched its offensive into northeastern Syria.

“While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victim’s profile coupled with the timestamps on the analyzed samples make for an interesting coincidence,” Bitdefender cybersecurity analyst Liviu Arsene points out.

During their investigation into the attacks, Bitdefender’s security researchers discovered that the adversary uses a three-tiered C&C infrastructure to remain undetected, and that victims are selectively targeted using pre-defined IP lists, so that only hosts on those lists receive the trojanized installer.

The list of identified trojanized applications leveraged in the observed attacks includes 7-zip, WinRAR, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities, and RAR Password Unlocker.

An analysis of the compilation timestamps of the tampered installers revealed a 9-to-6 working schedule from Monday to Friday in the UTC+2 time zone, which further reinforces the assumption that the actor might be state-sponsored. Compile timestamps can be forged or zeroed, so this is corroborating evidence rather than proof.
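The working-hours analysis described above can be reproduced from the PE header alone. The following is an added example, not code from the Bitdefender or Talos reports: it reads the COFF TimeDateStamp from a PE image with the standard library, converts it to UTC+2, and bins the results by weekday and hour. The sample images are constructed header stubs with assumed timestamps, not real StrongPity samples, and the 09:00 to 18:00 window is an assumption taken from the schedule the article describes.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Time zone named in the article; the working-hours window is our assumption.
UTC_PLUS_2 = timezone(timedelta(hours=2))
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout used: 'MZ' at offset 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C,
    then Machine (2 bytes), NumberOfSections (2 bytes), TimeDateStamp (4 bytes).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def make_pe_stub(ts: int) -> bytes:
    """Constructed minimal header carrying only the fields pe_timestamp reads."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)          # pad DOS header to 0x3C
    hdr += struct.pack("<I", 0x40)                  # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHI", 0x14C, 3, ts)        # Machine, NumberOfSections, TimeDateStamp
    return bytes(hdr)


def in_business_hours(ts: int, tz=UTC_PLUS_2, start: int = 9, end: int = 18) -> bool:
    """True if the timestamp falls on a weekday within [start, end) local hours."""
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_profile(timestamps, tz=UTC_PLUS_2):
    """Histogram compile times by local weekday and hour."""
    by_weekday, by_hour = Counter(), Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        by_weekday[DAYS[local.weekday()]] += 1
        by_hour[local.hour] += 1
    return by_weekday, by_hour


def business_hours_fraction(timestamps, tz=UTC_PLUS_2) -> float:
    """Share of samples compiled inside the assumed working window."""
    hits = sum(1 for ts in timestamps if in_business_hours(ts, tz))
    return hits / len(timestamps) if timestamps else 0.0


# Constructed sample set: five weekday builds in working hours plus one
# Saturday outlier, all dated after 1 October 2019 as in the article.
SAMPLE_TIMESTAMPS = [
    int(datetime(2019, 10, 7, 10, 30, tzinfo=UTC_PLUS_2).timestamp()),   # Mon
    int(datetime(2019, 10, 8, 14, 5, tzinfo=UTC_PLUS_2).timestamp()),    # Tue
    int(datetime(2019, 10, 9, 16, 45, tzinfo=UTC_PLUS_2).timestamp()),   # Wed
    int(datetime(2019, 10, 10, 9, 10, tzinfo=UTC_PLUS_2).timestamp()),   # Thu
    int(datetime(2019, 10, 11, 17, 20, tzinfo=UTC_PLUS_2).timestamp()),  # Fri
    int(datetime(2019, 10, 12, 11, 0, tzinfo=UTC_PLUS_2).timestamp()),   # Sat (outlier)
]
SAMPLE_IMAGES = [make_pe_stub(ts) for ts in SAMPLE_TIMESTAMPS]

if __name__ == "__main__":
    extracted = [pe_timestamp(img) for img in SAMPLE_IMAGES]
    weekdays, hours = working_hours_profile(extracted)
    print("by weekday:", dict(weekdays))
    print("by hour:", dict(sorted(hours.items())))
    print("fraction in business hours:", business_hours_fraction(extracted))
```

On a real corpus, replace the constructed stubs with the bytes of each installer and discard samples whose TimeDateStamp is zero or implausibly far from the file's first-seen date, since those are the cases where the field has been blanked or forged.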

“The PROMETHIUM threat actor is dedicated and resilient. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has been the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded beyond their initial focus in Europe and Middle East to a global operation targeting organizations on most continents,” Talos notes.

Related: StrongPity Targets Victims with Malicious WinBox Installer

Related: Internet Provider Redirects Users in Turkey to Spyware: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
