Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
Technical perspectives

Based on the arsenals and TTPs, we believe Earth Yako may be related to a number of existing groups. However, since we could only observe partial technical overlaps between Earth Yako and the following groups, we note that this is not our final attribution. We found overlaps with the following groups:

1. Darkhotel

Darkhotel (a.k.a. DUBNIUM) is a threat actor observed to frequently target Japanese organizations in the past. Earth Yako's method for initial access is similar to the procedure used by Darkhotel, which has been confirmed in other reports.

2. APT10

APT10 (also known as menuPass, Stone Panda, Potassium, Red Apollo, CVNX, and ChessMaster) is a threat actor that has been actively attacking organizations in Japan, especially from 2016 to 2018. Trend Micro's analysis has confirmed that Earth Yako's MirrorKey malware uses the same encryption routine as the one used by the APT10 malware families RedLeaves and ChChes in the past. However, there is no strong evidence that APT10 originally developed this routine; it is also possible that they simply reused code from a publicly available library.

3. APT29

APT29 (also known as IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) is a threat actor known to target Western government organizations. In 2022, APT29 used ISO and LNK files for initial access, similar to the TTPs of Earth Yako. It has also been reported to abuse the Dropbox API as a C&C server for malware. However, we confirmed that the code of the APT29 malware is itself different from that of the Earth Yako-related malware (TransBox, PlugBox, and ShellBox).


Other considerations

In addition to the technical similarities identified, we also looked at the context surrounding the incidents. Earth Yako's attacks on the academic and research sectors in Japan, and the fact that it targets various industries according to international affairs, are similar to APT10. We observed lures using themes or discussions on economic security, energy, the Russia-Ukraine conflict, or other significant events surrounding East Asia. APT10 has been conducting attacks using the LODEINFO malware in recent years. In particular, the attacks by Earth Yako and the attacks using LODEINFO are similar, and it has been reported that the organizations Earth Yako targeted were also the institutions involved in compromises using LODEINFO malware. However, as with the limitations identified in the "Technical perspectives" section, we believe this is insufficient to connect Earth Yako with APT10.


Conclusion

Since 2022, Earth Yako has been actively attacking with a new arsenal and TTPs. Although the targets of the compromises vary from time to time, it is believed that the group commonly targets the academic and research sectors in Japan, both individuals belonging to these organizations and the institutions as a whole. In November 2022, the National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a warning about these attacks. One of the characteristics of the recent targeted attacks is that they shifted to targeting individuals, who are considered to have relatively weak security measures compared to companies and other organizations. This shift to targeting individuals over enterprises is highlighted by the targeting and abuse of Dropbox, as it is considered a popular service in the region among users for personal use, but not for organizations.

It should also be noted that Earth Yako has been actively changing its targets and methods based on the significant topics concerning the targeted countries. In targeted attacks, in addition to the groups continuously targeting specific regions and industries, we identified several groups changing their targets and methods based on current circumstances, including Earth Yako.

To mitigate the risks and impact of targeted compromises, it is necessary not only to focus on specific methods, malware, and threat actors, but also to collect a wider range of information, implement continuous monitoring and countermeasures, and inspect the attack surfaces in organizations. We believe that attacks by Earth Yako are still ongoing, and therefore we believe that continued vigilance is necessary.


Indicators of Compromise (IOCs)
