Rewterz Threat Alert
Severity
High
Analysis Summary
Since at least 2010, the IRON LIBERTY threat group (also tracked as TG-4192, Energetic Bear, Dragonfly, and Crouching Yeti) has targeted the energy sector, with a particular focus on industrial control systems (ICS). After public disclosures in 2014 the group, which is likely operated by the Russian government, became less visibly active; by 2016 it had resumed operations using a mix of new and previously seen tools and techniques.
Impact
Credential theft
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
MD5
- 195ec5fb2d5ccd344b655a955f20db81
- 20ec7658254eddd917e1b351e1728534
- 2618ab729dea68dfbcb11dce2e66c8c2
- 2dbdeef42699730635abdc657775e4af
- 336b6f0108a23b95f3141afc787a31dd
- 418e58b78731546089eb1b7fa6e1d99f
- 4ad06a76e1ad423b13e03587a887ede0
- 581fccf4766b23fbff924ce932b7d717
- 6449cff2a0497cae0c3fb780da287e2c
- 6851cbfa790eb56b68942ee86a045c36
- 6cd47d4c2fd8997683baa1f278d2dd94
- 874295e9512c668a7df493c8975c081b
- 8aeacf3fde1b49940fb4d08226dccbc4
- 8b8b33a14f7be027fdb1aec1555fa8a8
- 990e2e3ab8e2c8126214e667b0dc282f
- ade68f4e5b03c6cf86b851613dbc3629
- fd6145bbc722ef52eed6b94dd520170c
- fca1fa07afa1b3ff9f67f2a377de51ae
- fff6dc1216fe549fa1d700f1ccfcd754
SHA1
- 18a4ab7f7783c06d6fd782908f8495e7c1ea15fa
- 2a876d27689a4947e01c785b42c45c09788ee4d4
- 3019f121e6cc3a955c1a8005fd78328ab7c1d479
- 3a7927fa71d43e3856761f2bf7d5441e6b310e30
- 425346c68fa8e113c4e243d1193c050548839c86
- 4af90d010586d7153345dc563722cdb12fd607e1
- 4ff23bc0b3a0fc08ac9f6bd7bbff73a15dc00d8e
- 53a4eae9858f4876fde02f7666ef6e0f69e8f70b
- 644ccf37af908d79da496c06b85b9060550149d9
- 79c110e585934cd3756a5a7a259329eac4c6550c
- 7f3511b7e6cad7274c2450afd88544910c0ae33b
- 8c5e6df90795fbbb3f6396abfe05887d4ad82982
- 94a1ec29f5d55edc67eee98ea086e4dbc98e5a56
- 95ba7f7b073bbf60f85d4c7b1bd76adfec8299aa
- ca2776624f2e0c1b1b478c77f63cf5ed1075b62a
- da6f24b1bf61ad233ac9bf6709951db57c59ad2e
- da97e4cda8eeef12c6540c6b060451a1369b7638
- f65425f95d84bd7efc71e402f40e59542bdd83db
SHA256
- 00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc
- 172be9ebd26946bdfe19150e304c8abd59d43a7bf92afa270f028c9a4a29fd99
- 1fd5b0b1a218b65443d7088e47dd79018bf46935375b061f5f78fbe1cadb50dc
- 20d20c9dda1f922786f95132eb64753b38f7db695d29a7b9993b880e44043b59
- 47a3f4fbe7984e3ae3d2088e2898bea371a0aeaee8fca6a6b6d59d6e938393fa
- 4877050e41f269bab1013649f747f1bd2a1f53e07825c21778f4b1a9a882c7bb
- 5179d5874383b3c6a45350f77e86098ae7be606df490afbd57d98bed8e3bc2cd
- 656fe7c362b7421d5e94ab186e0beca01c00b55eecefa25270805fca6ad96d9a
- 7aa8cd8a2669537631b8ac7b892f51d4c74056c1369007c474277ebdf82fb74e
- 7b2c9bb78867319e8d907c48eb24e51dffc6a81edf5166dc4409ed07227402f3
- 8aaa1b931610122a1908d9bfe1806881b430b57462a2147d403bb495183bd592
- 9a1a196f6f5afa19643856cf8545b3401fc2dae8f79ec08a32456b3e9f8bbdbd
- 9d994710941540fe6bdf43196679b6a667f6370f1aa9b538836a509f4e4c42c4
- a35ace92645e8a62536031784f60679200252a2a4ec1dc287f93797be34dfed2
- adf809c93f6bc1f758e7e3a4aeeb39d00e34e762ac4ff48dce59de5efb0f80fd
- c605a771730cc618f2f85a8bee9d9cbdabc6f5f47d803976b4923f64f9aea282
- de0d3aaee6254074222d9bdf35fa67218d9738f05e1dfb75173cf982c03a0811
- e644771565fb2144d018e8ce89fa116fc7e564007f941ce712fa5f929b86e338
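The hash list above mixes three digest algorithms in one block, so it cannot be loaded into a single-algorithm blocklist or compared against one hash column without first sorting each value by type. The following script is an added example (not Rewterz's tooling): it classifies each indicator by hex length, deduplicates, then sweeps a directory computing MD5, SHA1 and SHA256 of every file in one pass and reports exact matches. The `IOC_TEXT` block is a constructed subset of the indicators above (with the duplicated MD5 kept on purpose to show deduplication), and `demo()` builds a scratch directory with constructed files and adds the well-known MD5 of empty input so a match can be shown offline.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the indicator list above (example data, not the full feed).
IOC_TEXT = """
- 00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc
- 18a4ab7f7783c06d6fd782908f8495e7c1ea15fa
- 195ec5fb2d5ccd344b655a955f20db81
- fd6145bbc722ef52eed6b94dd520170c
- fd6145bbc722ef52eed6b94dd520170c
"""

# Hex digest length identifies the algorithm for the three types in the alert.
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' by hex length, or None if not a digest."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HASH_LEN.get(len(value))


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a mixed-algorithm hash list into per-algorithm sets (deduplicated)."""
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for token in _HEX_TOKEN.findall(text):
        algo = classify_hash(token)
        if algo:  # tokens of an unexpected length are ignored, not mis-filed
            iocs[algo].add(token.lower())
    return iocs


def file_digests(path: Path) -> Dict[str, str]:
    """Hash one file with all three algorithms in a single streamed read."""
    hashers = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root: Path, iocs: Dict[str, Set[str]]) -> List[Tuple[Path, str, str]]:
    """Walk root and return (path, algorithm, digest) for every file matching an IOC."""
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or special file: skip it, do not abort the sweep
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return sorted(hits)


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: scratch dir with an empty file and a benign file.
    The MD5 of empty input is added to the IOC set so one hit is produced."""
    iocs = parse_iocs(IOC_TEXT)
    iocs["md5"].add("d41d8cd98f00b204e9800998ecf8427e")  # MD5 of b"" (constructed match)
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "empty.bin").write_bytes(b"")
    (root / "benign.txt").write_bytes(b"nothing to see here")
    return [(p.name, algo, digest) for p, algo, digest in sweep(root, iocs)]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"MATCH {name}: {algo}={digest}")
```

A hash matches only a byte-identical file, so a clean sweep says nothing about a recompiled or packed variant of the same malware; treat hits as confirmation, not absence of hits as clearance.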
Remediation
- Block all threat indicators at your respective controls (e-mail gateway, EDR/AV, and any file-hash blocklists); the list above mixes MD5, SHA1 and SHA256 values, so load each into the matching field.
- Sweep endpoints for the listed hashes. A hash matches only a byte-identical file, so the absence of a hit does not rule out a rebuilt or repacked sample.
- Given the credential-theft impact, reset credentials and review authentication logs for any host on which an indicator is found.
- Always be suspicious of e-mails from unknown senders, and never open links or attachments they contain.