At least 40 advanced persistent threat (APT) groups have trained their sights on several European countries over the years. That is hardly surprising, given that the continent hosts the headquarters of renowned international organizations such as the European Union Agency for Law Enforcement Cooperation (Europol), INTERPOL, and the North Atlantic Treaty Organization (NATO).
In response, the WhoisXML API research team recently analyzed six APT groups that have targeted European countries in a bid to identify as many threat artifacts as possible.
Download our white paper “A Study of APT Groups Known for Targeting European Countries” to explore our complete insights that leverage comprehensive WHOIS and passive DNS data.
Our latest APT group report, this time focusing on malicious actors hoping to spy on nations and organizations based in Europe, features six groups—APT28, BackdoorDiplomacy, Kimsuky, MoustachedBouncer, Muddy Water, and ToddyCat.
We began our study by looking for APT groups that had launched campaigns against European countries and institutions. Forty such groups were listed on the MITRE ATT&CK page; we filtered them using two criteria:
We then ran WHOIS History API queries for the APT groups whose indicators of compromise (IoCs) included domains, looking for email addresses in those domains' historical WHOIS records. Email addresses already tagged as IoCs for some of the groups were added to the final lists.
To obtain useful email-connected artifacts, we separated public email addresses from privacy-protected ones and queried only the public addresses on:
That left us with a final list of six APT groups for our study. After obtaining email artifacts for these groups, we used Screenshot API to determine whether any of the connected artifacts were still accessible.
Finally, we looked deeper into four APT groups for which IP addresses were named as IoCs using data from Premium DNS Database.
Our study of the six APT groups targeting Europe yielded these findings:
Get a glimpse of an extract from our white paper showcasing our findings for BackdoorDiplomacy.
BackdoorDiplomacy, an APT group believed to be based in China, has been around since at least 2017. While it most recently targeted Southeast Asian governments using an upgraded version of the EAGERBEE malware, it also went after foreign affairs ministries and telecommunications companies in Europe, Africa, the Middle East, and Asia in 2021.
Starting from 14 domains identified as IoCs for the group's latest attack, we found 39 email addresses in their historical WHOIS records, 10 of which turned out to be public. Reverse WHOIS searches for these email addresses led to the discovery of:
Pivoting off 38 IP addresses tagged as IoCs, meanwhile, Premium DNS Database enabled us to find 14,318 fully qualified domain names (FQDNs) under 1,071 root domains. Note, too, that these FQDNs were last seen resolving between August 2023 and July 2024.
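The pivot chain described in the methodology above (domain IoCs to historical WHOIS emails, public versus privacy-protected split, reverse WHOIS, then passive DNS on IP IoCs grouped by root domain) is the same one the BackdoorDiplomacy extract reports numbers for. The following is an added, offline illustration of that chain written for this page; it is not WhoisXML API's code and calls none of its products. The WHOIS history, passive-DNS resolutions, domain names, and the privacy-service keyword heuristic are all constructed assumptions, and `root_domain` uses a naive last-two-labels rule rather than the public suffix list.

```python
"""Offline mock of the domain -> WHOIS email -> reverse WHOIS -> passive DNS pivot.

Every record below is constructed for illustration: none is a real IoC and no
vendor API is called. A real workflow would replace the dictionaries with
responses from WHOIS-history, reverse-WHOIS and passive-DNS data sources.
"""
from collections import defaultdict
import re

# Constructed WHOIS history: domain -> historical snapshots with the registrant
# email visible in each snapshot.
WHOIS_HISTORY = {
    "ioc-alpha.example": [
        {"date": "2021-03-01", "email": "ops-handler@mail.example"},
        {"date": "2023-06-15", "email": "c0d1e2f3@privacyguard.example"},
    ],
    "ioc-beta.example": [
        {"date": "2022-01-10", "email": "ops-handler@mail.example"},
    ],
    "ioc-gamma.example": [
        {"date": "2022-09-30", "email": "redacted@withheldforprivacy.example"},
    ],
    # Not a known IoC, but shares a public registrant email with the first two:
    "staging-portal.example": [
        {"date": "2022-05-02", "email": "ops-handler@mail.example"},
    ],
}

# Constructed passive-DNS data: IP (TEST-NET-3 range) -> FQDNs seen resolving to it.
PASSIVE_DNS = {
    "203.0.113.10": ["mail.ioc-alpha.example", "cdn.ioc-alpha.example",
                     "login.staging-portal.example"],
    "203.0.113.20": ["vpn.ioc-beta.example", "ioc-beta.example"],
}

# Heuristic (assumption): registrar privacy/proxy mailboxes tend to carry
# recognisable keywords; real analysis would use a curated provider list.
PRIVACY_PATTERNS = re.compile(r"privacy|proxy|withheld|redacted", re.I)


def is_privacy_protected(email: str) -> bool:
    """True when the mailbox looks like a registrar privacy/proxy address."""
    return bool(PRIVACY_PATTERNS.search(email))


def harvest_emails(ioc_domains):
    """Step 1: collect every email seen in the IoC domains' historical WHOIS."""
    found = set()
    for domain in ioc_domains:
        for record in WHOIS_HISTORY.get(domain, []):
            found.add(record["email"].lower())
    return found


def split_public(emails):
    """Step 2: keep only addresses that can be pivoted on (not privacy-protected)."""
    public = {e for e in emails if not is_privacy_protected(e)}
    return public, emails - public


def reverse_whois(email):
    """Step 3: every domain whose WHOIS history contains this email."""
    return {d for d, recs in WHOIS_HISTORY.items()
            if any(r["email"].lower() == email for r in recs)}


def root_domain(fqdn: str) -> str:
    """Naive registrable-domain extraction (assumption: no multi-label suffixes)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def pivot_ips(ioc_ips):
    """Step 4: group FQDNs that resolve to IoC IPs under their root domains."""
    by_root = defaultdict(set)
    for ip in ioc_ips:
        for fqdn in PASSIVE_DNS.get(ip, []):
            by_root[root_domain(fqdn)].add(fqdn)
    return {root: sorted(names) for root, names in by_root.items()}


def run_pivot(ioc_domains, ioc_ips):
    """Run the whole chain and return a summary comparable to the report's counts."""
    emails = harvest_emails(ioc_domains)
    public, protected = split_public(emails)
    connected = set()
    for email in public:
        connected |= reverse_whois(email)
    new_domains = connected - set(ioc_domains)  # artifacts not already tagged as IoCs
    fqdns_by_root = pivot_ips(ioc_ips)
    return {
        "emails_total": len(emails),
        "emails_public": sorted(public),
        "emails_protected": sorted(protected),
        "email_connected_new_domains": sorted(new_domains),
        "fqdn_count": sum(len(v) for v in fqdns_by_root.values()),
        "root_domains": sorted(fqdns_by_root),
    }


if __name__ == "__main__":
    summary = run_pivot(["ioc-alpha.example", "ioc-beta.example", "ioc-gamma.example"],
                        ["203.0.113.10", "203.0.113.20"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The point of the public/privacy split is visible in the constructed data: the two privacy-proxy mailboxes would link to every customer of that proxy service and produce noise, so only the one public address is pivoted, and it surfaces one domain (`staging-portal.example`) that was not in the original IoC list. The root-domain grouping is what turns a long list of FQDNs into the much shorter list of registrable domains worth triaging.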
Want to check out all findings of our study? Download our complete white paper “A Study of APT Groups Known for Targeting European Countries” now.