
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970

2023-03-09, Mandiant
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
#LIGHTSHOW #UNC2970 #YARA #BYOVD #UNC577

Since June 2022, Mandiant has been tracking a campaign targeting Western media and technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to a UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. Mandiant suspects UNC2970 specifically targeted security researchers in this operation. Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. and European media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the group's ability to operate in cloud environments and against Endpoint Detection and Response (EDR) tools.
UNC2970 is suspected with high confidence to be UNC577, also known as Temp.Hermit. UNC577 is a cluster of North Korean cyber activity that has been active since at …

IoC
