In a recent study released last week by the NCC Group and its affiliate Fox-IT, the two companies said that the intrusions of the group were larger than what was originally believed- even targeting the airline sector besides the superconductor industry. This spanning was not limited to Asia but was done for assorted geographical areas as well. They also cited that in several cases, actors had been cloaking within networks for more than three years before they were identified.
The attack on the superconductor industry of Taiwan was targeted at stealing intellectual property, although the target was different in the case of the airline industry. The companies further alleged that the actors wanted to gather Passenger Name Record (PNR) for which they were targeting the victims. With further investigation, the companies observed that the assorted custom DLL files were continuously used to extract PNR information from the memory structures where the main data is generally stored.
"NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," added the two companies.
The report provided by NCC and its affiliate Fox-IT states the modus operandi of the actors whose first step is to collect data like the user login credentials which would be leaked in the public domain or the dark web after the data breach has occurred at other companies. This collected data is later used by the actors for ‘credential stuffing’ and ‘password spraying’ attacks against the target’s personnel accounts, as the email account.