Kaspersky has identified one of the advanced persistent threat (APT) groups referenced in a leaked US National Security Agency (NSA) scanning tool. The tool, a Python script, was made public as part of the ‘Lost in Translation’ leak by the mysterious Shadow Brokers group in 2017. That leak also exposed other NSA hacking tools, including the infamous EternalBlue exploit that threat actors later used to launch the global WannaCry ransomware outbreak.
The scanning tool, called sigs.py, contained signatures for checking a compromised host for traces of 44 APTs, i.e. state-sponsored hacking groups. Many of the listed APTs were unknown to the infosec industry at the time. Research by Kaspersky indicates that the APT tracked via sigs.py signature #27 was the group behind the DarkUniverse malware framework. The group, which Kaspersky also calls DarkUniverse, was active from 2009 until the Shadow Brokers leak in 2017. Kaspersky found evidence that the group successfully targeted at least 20 civilian and military organisations in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates. The researchers speculate that “the suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.”
Read more: Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak