This report was processed and collated by the Elemendar CTI team and includes Mitre ATT&CK TTPS and IOCs collated from using one of our products; READ., an AI-driven Cybersecurity tool.
For further information or a demonstration of our products please visit our website: elemendar.ai. If you want to get your PDF version, please email us at cti@elemendar.ai. Previous Threat Intelligence Updates can be found HERE.
A glossary for terms used in our reporting is available HERE.
Contents
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems
Iranian Threat Actor Targets US and Israeli CNI Through IoT Vulnerabilities
Turkish Defence Sector Targeted with Spearphishing Campaign
Customer Data from 800 000 Electric Cars and Owners Exposed Online
Executive Summary
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems
The U.S. Treasury Department disclosed a December 2024 cybersecurity incident, linked to a Chinese state-sponsored APT, Volt Typhoon. Attackers exploited a stolen API key from BeyondTrust's Remote Support service, bypassing security to access Treasury workstations and unclassified documents.
This breach underscores third-party software risks and cloud vulnerabilities. Although open source reporting attributes this attack to Volt Typhoon, that attribution remains unlikely due to atypical TTPs. Follow-up attacks remain a realistic possibility within 3-6 months.
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems
The U.S. Treasury Department has disclosed a cybersecurity incident. The breach, which occurred in December 2024, involved the exploitation of a vulnerability in BeyondTrust, a third-party software provider. This incident allowed the attackers to remotely access certain workstations and unclassified documents belonging to the Treasury Department's Departmental Offices (DO).
Elemendar CTI Analyst comment: The Treasury Department attributes the attack to a Chinese state-sponsored APT group. While the exact identity of the group remains undisclosed, Chinese cyber-espionage groups are known for targeting high-value government and corporate systems to steal sensitive information for geopolitical and economic gain. Open source reporting has attributed the attack to Volt Typhoon, a Chinese state-sponsored threat actor that has been prolific in compromising IT environments across multiple critical infrastructure sectors, including Communications, Energy, Transportation, and Water Systems, in the United States and its territories, including Guam. Unlike traditional cyber espionage, Volt Typhoon appears to pre-position itself for lateral movement to operational technology (OT) assets, with a view to enabling disruptive actions during geopolitical tensions or military conflicts. Comment Ends
On December 8, 2024, BeyondTrust informed the Treasury Department that a threat actor had gained access to an API key used to secure its cloud-based Remote Support service. This key enabled the attackers to bypass security controls, reset passwords for local application accounts, and remotely access certain Treasury DO workstations. The stolen API key was a critical entry point that allowed the threat actors to compromise the system and retrieve unclassified documents.
BeyondTrust, a provider of privileged access management solutions, has not yet disclosed how the API key was compromised, though it immediately revoked the key and suspended affected instances.
The Treasury Department took the BeyondTrust service offline as soon as it was notified of the incident. It has been working closely with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to investigate the breach. Officials have stated that there is currently no evidence that the attackers have gained persistence within the Treasury's environment.
BeyondTrust acknowledged that its Remote Support SaaS instances were breached as part of this incident. The attackers used the stolen API key to reset passwords and compromise accounts within the system. BeyondTrust also identified two security vulnerabilities in its products:
CVE-2024-12356 (CVSS 9.8): A critical flaw in the Privileged Remote Access (PRA) product that allows attackers to exploit systems remotely. This vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
CVE-2024-12686 (CVSS 6.6): A moderate flaw in the Remote Support (RS) product.
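The narrative above describes two observable traces of a stolen API key being abused: the key being used from a source the service has not seen before, and that key resetting passwords on local application accounts in quick succession. The script below is an added example written for this report, not BeyondTrust's or the Treasury's tooling; the audit record layout, the baseline of known source addresses, and the burst thresholds are all constructed assumptions, and the records are made-up samples.

```python
"""Heuristic review of privileged-access audit records for misuse of an API key.

Constructed example: record layout, baseline and thresholds are assumptions,
not the format of any real product's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (timestamp, api_key_id, source_ip, action, target).
SAMPLE_AUDIT = [
    ("2024-12-02T09:00:00", "key-01", "203.0.113.10", "session.list", "-"),
    ("2024-12-02T09:05:00", "key-01", "203.0.113.10", "session.start", "ws-101"),
    ("2024-12-02T22:14:00", "key-01", "198.51.100.77", "account.reset_password", "svc-admin"),
    ("2024-12-02T22:14:30", "key-01", "198.51.100.77", "account.reset_password", "helpdesk1"),
    ("2024-12-02T22:15:10", "key-01", "198.51.100.77", "account.reset_password", "helpdesk2"),
    ("2024-12-02T22:20:00", "key-01", "198.51.100.77", "session.start", "ws-233"),
]

# Baseline of source addresses each key has legitimately used. Assumed to be
# maintained from historical logs; constructed here.
KNOWN_SOURCES = {"key-01": {"203.0.113.10"}}

RESET_BURST_THRESHOLD = 3            # distinct accounts reset (assumed)
RESET_BURST_WINDOW = timedelta(minutes=10)


def parse(record):
    ts, key, ip, action, target = record
    return {"ts": datetime.fromisoformat(ts), "key": key, "ip": ip,
            "action": action, "target": target}


def new_source_alerts(records, known_sources):
    """Flag the first use of a key from an address outside its baseline."""
    alerts = []
    seen = {k: set(v) for k, v in known_sources.items()}
    for r in records:
        if r["ip"] not in seen.setdefault(r["key"], set()):
            alerts.append((r["ts"], r["key"], r["ip"]))
            seen[r["key"]].add(r["ip"])     # report each new address once
    return alerts


def reset_burst_alerts(records, threshold=RESET_BURST_THRESHOLD, window=RESET_BURST_WINDOW):
    """Flag a key that resets >= threshold distinct accounts within one window."""
    alerts = []
    per_key = defaultdict(list)
    for r in records:
        if r["action"] == "account.reset_password":
            per_key[r["key"]].append(r)
    for key, resets in per_key.items():
        resets.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(resets)):          # sliding window over resets
            while resets[end]["ts"] - resets[start]["ts"] > window:
                start += 1
            targets = {r["target"] for r in resets[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append((key, resets[start]["ts"], sorted(targets)))
                break
    return alerts


def analyse(raw_records=SAMPLE_AUDIT, known_sources=KNOWN_SOURCES):
    records = [parse(r) for r in raw_records]
    return {"new_source": new_source_alerts(records, known_sources),
            "reset_burst": reset_burst_alerts(records)}


if __name__ == "__main__":
    for kind, items in analyse().items():
        for item in items:
            print(kind, item)
```

On the sample records the key is flagged once for the unfamiliar address and once for the three-account reset burst; on a real feed the two signals would be correlated against the same key rather than reported separately.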
Elemendar Intelligence Assessment: Despite the limited scope of access (unclassified documents), this breach demonstrates the risks associated with using third-party software providers and with the exploitation of privileged access systems. The incident also highlights vulnerabilities in cloud-based services that can be leveraged by state-sponsored threat actors to gain footholds in high-value targets.
Attribution to Volt Typhoon is unlikely to be correct. Typically Volt Typhoon will use Living Off The Land Techniques (LOLT) to normalise suspicious behaviour before developing persistence within CNI networks. In this instance, entry was gained through the exploitation of a third party API key, and at the time of writing, no persistence has been reported within the Treasury network.
It is unknown what long-term effects this incident will have; given the reports of access to low-level unclassified documents, it is unlikely to be severe. However, there is a realistic possibility that follow-up attacks could occur within the next 3-6 months. Assessment Ends.
Iranian Threat Actor Targets US and Israeli CNI Through IoT Vulnerabilities
A new malware strain named IOCONTROL has been identified in a number of attacks in 2024 against US and Israeli CNI. Notable attacks include compromising multiple fuel management systems made by both nations. Whilst no group has publicly claimed the attacks, CTI research on Telegram indicates CyberAv3ngers have been linked to the new malware.
Elemendar CTI Analyst Comment: CyberAv3ngers are reported to be a hacktivist group based out of Iran. Their attacks focus on commercial organisations based out of, or linked to, the US and Israel. CyberAv3ngers have conducted a number of attacks on CNI utilising vulnerabilities in IoT environments, most notably the targeting of Unitronics and their industrial control mechanisms. It is currently unknown if they have a direct link to the Iranian government, however they support Iran’s foreign policy aims indirectly through the targeting of Israeli and US interests. Comment Ends
IOCONTROL uses a modular configuration and has successfully targeted routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), cameras, firewalls and fuel management systems. The malware is stored in the “/usr/bin/” directory under “iocontrol”. IOCONTROL has a persistence script under “S93InitSystemd.sh” to execute the malware process upon system boot. IOCONTROL utilises a number of obfuscation tactics in its communications. IOCONTROL makes use of Message Queuing Telemetry Transport (MQTT) for its C2 communications. In addition, it uses DNS over HTTPS to encrypt its DNS queries and hide from network traffic monitoring.
Elemendar CTI Analyst Comment: Modular configuration is common amongst malware that targets IoT environments and is intended for reuse in multiple attacks against a variety of targets. “InitSystemd.sh” is a shell script name largely seen on Linux-based IoT devices; systemd is the Linux init system used to initialise and manage services. The S93 prefix follows the init script naming convention: S marks a script that runs at system start and 93 is its position in the start-up sequence, so it is the 93rd task to be executed. Therefore the full “S93InitSystemd.sh” gives persistence by tying its operations to system boot. This is likely to mitigate the risk of its processes being interrupted by a reboot (common in IoT devices) and is likely to aid in avoiding discovery by enabling the malware to establish control of a system without interrupting services post-initialisation.
MQTT is a messaging protocol commonly used in IoT environments. Its low-bandwidth nature enables efficient communications in the resource-restricted environments often seen in IoT. Threat actors also utilise the low bandwidth to establish consistent communications with the C2 server whilst blending in with legitimate traffic. DNS over HTTPS is often used in malware to mask the address of C2 nodes and overcome DNS filtering of known C2 addresses.
93% of CNI providers in the US have seen an increase in cyber attacks over the last 12 months, with US law enforcement noting that IoT vulnerabilities are being repeatedly targeted to conduct these attacks. IoT use has rapidly increased over the past 10 years as automation has become common in multiple industries. However, IoT devices and systems in CNI have been the subject of a number of warnings from many intelligence agencies across the globe as their security features are often far below industry standards. Comment Ends
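The malware description and the analyst comment above give a defender two kinds of signal: host artefacts (the quoted binary path and the S93 start script) and network behaviour (MQTT sessions to a broker the site does not own, and HTTPS to public DNS-over-HTTPS resolvers). The script below is an added example written for this report, not code from the researchers who analysed IOCONTROL. The binary path and script name are the ones quoted in the text; the rc directories, the broker allowlist, the DoH resolver list and the flow records are constructed assumptions. `check_host` takes a root directory so it can be run against a mounted firmware image or, with the default, a live device.

```python
"""Host and network checks for the IOCONTROL artefacts described in the report.

Constructed example: rc directories, allowlists and flow records are
assumptions; the IoC path and script name are the ones quoted in the text.
"""
import os
import tempfile

# Indicators quoted in the report text.
IOC_BINARY = "/usr/bin/iocontrol"
IOC_INIT_SCRIPT = "S93InitSystemd.sh"
# Directories where SysV-style start scripts normally live on Linux IoT builds (assumed).
RC_DIRS = ["/etc/init.d", "/etc/rc.d", "/etc/rc.d/rc3.d", "/etc/rc3.d"]

MQTT_PORTS = {1883, 8883}
# Assumed allowlist of the site's own MQTT brokers (not from the report).
ALLOWED_BROKERS = {"10.0.5.20"}
# Assumed set of public DoH resolver hostnames that the site does not itself use.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed flow records: (src_ip, dst_ip, dst_port, tls_sni).
SAMPLE_FLOWS = [
    ("10.0.5.31", "10.0.5.20", 8883, ""),              # MQTT to the site broker
    ("10.0.5.31", "198.51.100.9", 8883, ""),           # MQTT to an unknown external broker
    ("10.0.5.31", "203.0.113.5", 443, "dns.google"),   # HTTPS to a public DoH resolver
    ("10.0.5.31", "203.0.113.7", 443, "example.com"),  # ordinary HTTPS
]


def _under(root, path):
    """Map an absolute device path under `root` (root="/" for a live system)."""
    return os.path.join(root, path.lstrip("/"))


def check_host(root="/"):
    """Return (kind, path) findings for the IOCONTROL artefacts under `root`."""
    findings = []
    if os.path.exists(_under(root, IOC_BINARY)):
        findings.append(("binary", _under(root, IOC_BINARY)))
    for rc in RC_DIRS:
        rc_dir = _under(root, rc)
        if not os.path.isdir(rc_dir):
            continue
        for name in sorted(os.listdir(rc_dir)):
            path = os.path.join(rc_dir, name)
            if not os.path.isfile(path):
                continue
            if name == IOC_INIT_SCRIPT:
                findings.append(("init_script", path))
                continue
            # A start script under another name that still launches the known binary path.
            with open(path, "rb") as fh:
                if IOC_BINARY.encode() in fh.read():
                    findings.append(("references_binary", path))
    return findings


def check_flows(flows=SAMPLE_FLOWS, allowed=ALLOWED_BROKERS, doh=DOH_RESOLVERS):
    """Apply the two network heuristics from the analyst comment to flow records."""
    alerts = []
    for src, dst, port, sni in flows:
        if port in MQTT_PORTS and dst not in allowed:
            alerts.append(("mqtt_unknown_broker", src, dst))
        if port == 443 and sni in doh:
            alerts.append(("doh_resolver", src, sni))
    return alerts


def build_demo_tree():
    """Constructed filesystem layout mimicking an infected device, for testing only."""
    root = tempfile.mkdtemp()
    os.makedirs(_under(root, "/usr/bin"))
    os.makedirs(_under(root, "/etc/init.d"))
    open(_under(root, IOC_BINARY), "wb").close()
    with open(os.path.join(_under(root, "/etc/init.d"), IOC_INIT_SCRIPT), "w") as fh:
        fh.write("#!/bin/sh\n/usr/bin/iocontrol &\n")
    with open(os.path.join(_under(root, "/etc/init.d"), "S20network"), "w") as fh:
        fh.write("#!/bin/sh\necho network up\n")
    return root


if __name__ == "__main__":
    print(check_host(build_demo_tree()))
    print(check_flows())
```

The DoH heuristic relies on the TLS SNI being visible to the sensor; where traffic is proxied or SNI is encrypted, a destination-address list of known resolvers is the fallback.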
Elemendar Intelligence Assessment: IOCONTROL is highly likely being used by CyberAv3ngers to target US and Israeli CNI. It is highly likely that IOCONTROL’s modular design indicates it is intended to target a variety of IoT devices, thereby increasing its potential to be used against a variety of sectors. CyberAv3ngers’ consistent targeting of IoT devices used in the oil and gas industry indicates that they are likely to continue to target this sector going forward.
IOCONTROL’s design indicates its developers intend for it to be a persistent threat and difficult to detect. Its use of MQTT for comms matches the IoT comms environment it operates within. This factor, combined with obfuscation efforts in its C2 channels, is likely to make detection difficult and therefore open multiple sectors to the potential of significant financial loss. Assessment ends.
Turkish Defence Sector Targeted with Spearphishing Campaign
An unnamed defence organisation in Turkey has been the target of a spearphishing campaign designed as the initial access vector for delivering Remote Access Trojans (RATs). The attacker, identified as TA397, used a compromised email account belonging to a Turkish government organisation to send an email containing a RAR file. The RAR file contained a shortcut (LNK) file masquerading as a decoy PDF with a title relating to infrastructure developments in Madagascar. In addition, an Alternate Data Stream (ADS) containing PowerShell code was attached to the file.
Once opened, only the decoy PDF is visible within the RAR; however, the malicious code creates a scheduled task on the infected system. Twelve hours after infection, the scheduled task runs and contacts the C2 node to download further malicious payloads in the form of WmRAT and MiyaRAT.
Elemendar CTI Analyst comment: TA397 (aka Bitter) is an APT operating across Asia. Believed to be linked to China, TA397’s attacks have distinct focuses depending on their target. TA397 have targeted government departments and civilian companies in China suspected to be part of domestic surveillance efforts. Abroad, TA397 have focused on espionage against CNI, aerospace and defence sectors across the continent. TA397 regularly use spearphishing as their initial access vector. In addition, both WmRAT and MiyaRAT are malware families commonly used by the APT. Comment Ends.
Once WmRAT and MiyaRAT are installed they begin to collect system information, including dynamic time zone information, username, hostname and the list of logical drives for the host. This process is repeated 1,000 times but this information is not relayed back to the C2 node at the point of infection.
After system discovery, the malware communicates with its C2 node through an encrypted channel on standard ports. Both its staging domain and C2 domains were masquerading as legitimate websites. The C2 domains used a Let's Encrypt certificate, with GoDaddy as the provider.
Both WmRAT and MiyaRAT provide the capability to TA397 to collect system information, take screenshots and exfiltrate files. They both utilise a sleep function that is called for at various times throughout the day.
Elemendar CTI Analyst comment: The behaviours listed above indicate that this attack against the Turkish defence sector was intended to establish a persistent and covert presence within the system. The generation of large numbers of basic data logs is a malware TTP for disguising its presence by filling up behaviour logs, making it difficult for analysts to identify malicious activity against a backdrop of routine data. The use of regular sleep functions is another common TTP used to slow the malware’s processes down, making it less likely to trigger automated detection systems looking for abnormal programs. Let's Encrypt, here obtained through GoDaddy, provides free SSL/TLS certificates used to secure a domain and enable HTTPS. These certificates are usually trusted by browsers and security tools and have previously been used by bots and RATs including QBot, TrickBot and VenomRAT as a means to make it harder for network security to identify communications with malicious domains. Comment Ends.
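The infection chain (scheduled task launching PowerShell, payload held in an NTFS alternate data stream) and the post-infection behaviour (repeated system discovery) each leave traces in the log sources listed in the Annex B table for this section: Security Event ID 4698 for task creation, PowerShell Event ID 4104 for script blocks, and Event ID 4688 for process creation. The script below is an added example written for this report, not tooling from the cited research. The flat record layout is a constructed simplification of those event types, the sample events are made up, and the interpreter list, discovery command list and burst thresholds are assumptions.

```python
"""Detection rules over simplified Windows event records for the TA397 chain above.

Constructed example: the record layout flattens the relevant fields of Event IDs
4698, 4104 and 4688; events, lists and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events.
SAMPLE_EVENTS = [
    {"ts": "2024-12-10T10:02:00", "host": "WS01", "event_id": 4698, "task_name": "\\Updater",
     "action": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": "-NoProfile -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\run.ps1"},
    {"ts": "2024-12-10T10:02:05", "host": "WS01", "event_id": 4104,
     "script_block": "Get-Content -Path .\\Report.pdf -Stream payload"},
    {"ts": "2024-12-10T22:03:00", "host": "WS01", "event_id": 4688, "command_line": "hostname"},
    {"ts": "2024-12-10T22:03:10", "host": "WS01", "event_id": 4688, "command_line": "whoami"},
    {"ts": "2024-12-10T22:03:20", "host": "WS01", "event_id": 4688, "command_line": "systeminfo"},
    {"ts": "2024-12-10T22:03:30", "host": "WS01", "event_id": 4688, "command_line": "tzutil /g"},
    {"ts": "2024-12-10T09:00:00", "host": "WS02", "event_id": 4698, "task_name": "\\Backup",
     "action": "C:\\Program Files\\Backup\\backup.exe", "args": ""},
    {"ts": "2024-12-10T09:30:00", "host": "WS02", "event_id": 4688, "command_line": "ipconfig /all"},
]

# Script interpreters that a newly created task rarely needs to launch directly (assumed list).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Two ways an alternate data stream shows up in a script block: the -Stream parameter,
# or the "file.ext:streamname" path syntax.
ADS_PATTERNS = [re.compile(r"-Stream\s+\S+", re.I),
                re.compile(r"\.\w{1,5}:[A-Za-z0-9_\-]+")]
# Host-discovery commands the RATs' collection routine would resemble (assumed list).
DISCOVERY = ("hostname", "whoami", "systeminfo", "tzutil", "net user", "wmic logicaldisk", "ipconfig")
DISCOVERY_THRESHOLD = 4
DISCOVERY_WINDOW = timedelta(minutes=5)


def scheduled_task_alerts(events):
    """4698: task whose action is a script interpreter."""
    out = []
    for e in events:
        if e["event_id"] != 4698:
            continue
        action = e.get("action", "").lower()
        if action.endswith(INTERPRETERS):
            out.append((e["host"], e["task_name"], action.rsplit("\\", 1)[-1]))
    return out


def ads_alerts(events):
    """4104: script block that reads from an alternate data stream."""
    out = []
    for e in events:
        if e["event_id"] == 4104:
            text = e.get("script_block", "")
            if any(p.search(text) for p in ADS_PATTERNS):
                out.append((e["host"], text[:60]))
    return out


def discovery_burst_alerts(events, threshold=DISCOVERY_THRESHOLD, window=DISCOVERY_WINDOW):
    """4688: >= threshold discovery commands on one host inside one window."""
    per_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 4688:
            cmd = e.get("command_line", "").lower()
            if any(cmd.startswith(d) for d in DISCOVERY):
                per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), cmd))
    out = []
    for host, items in per_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):           # sliding window
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                out.append((host, items[start][0].isoformat(), end - start + 1))
                break
    return out


def run(events=SAMPLE_EVENTS):
    return {"scheduled_task": scheduled_task_alerts(events),
            "ads": ads_alerts(events),
            "discovery_burst": discovery_burst_alerts(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

The three rules are deliberately independent so that each can be tuned on its own false-positive rate; the scheduled-task rule in particular will fire on legitimate administrative tasks and is best paired with a check that the script path sits under a user-writable directory, as in the sample event.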
Elemendar Intelligence Assessment: It is highly likely that TA397’s intent was to establish a covert and persistent presence within this organisation for espionage purposes. The use of obfuscation tactics for its C2 communications, the generation of large amounts of routine data and its regular sleep functions indicate that stealth is almost certainly a priority of the attack. The lack of data being sent back to the C2 node upon infection is likely a means to restrict outbound traffic and decrease the likelihood of discovery. This is also likely a deliberate choice to enable the attackers to review over time which infected devices are of interest to them and which are not.
It is likely that TA397 works in support of, or is directly backed by, the Chinese government. Espionage against defence sectors by Chinese groups is likely to serve dual purposes: the theft of IP advances China’s modernisation efforts, and it enables them to monitor the defence sector of a NATO member state with a strategic position between Europe and Asia. TA397 are highly likely to continue to target defence sectors across Asia to aid China’s intelligence collection efforts; however, there is a realistic possibility that they will also begin to target organisations in Europe.
It is likely that a successful attack of this nature will be hard to detect once on the system. The reliance on spearphishing as the initial access vector makes human error the likely means of compromise. A successful attack will highly likely lead to the loss of sensitive information and IP that is likely to bolster China’s military modernisation. In addition, defence technologies are likely to be less effective if vulnerabilities are found through the espionage campaign, leading to significant damage to the national defence efforts of the subject country. Assessment Ends.
Customer Data from 800 000 Electric Cars and Owners Exposed Online
Volkswagen software subsidiary Cariad exposed sensitive data from 800 000 electric vehicles due to misconfigured IT applications in its Amazon cloud storage. The breach was discovered by the Chaos Computer Club (CCC), which learned of the vulnerability through a whistleblower.
Elemendar CTI Analyst Comment: The exposed data, linked to VW, Seat, Audi, and Skoda vehicles, included precise geo-location details, pseudonymised personal information, and access keys to sensitive systems. It is unknown as to how long the data was vulnerable for.
The CCC is Europe’s largest hacker association with 7700 members and was founded in 1981 in Germany, operating local chapters across German-speaking regions, including Switzerland. Comment Ends.
The majority of affected vehicles, totalling 300 000, were located in Germany. Researchers also identified details about cars in other countries, including Norway (80 000), Sweden (68 000), the United Kingdom (63 000), the Netherlands (61 000), France (53 000), Belgium (68 000), and Denmark (35 000).
CCC reported the issue to Cariad on 26 November 2024, and provided technical details. According to the CCC, access to the exposed data required bypassing multiple security mechanisms, including combining separate datasets to correlate vehicle data with individual drivers.
Elemendar CTI Analyst Comment: The data included geo-location details with accuracy as precise as 10 centimetres for VW and Seat models. Sensitive data from vehicles belonging to police fleets, employees from the German Federal Intelligence Service (BND), German politicians and personnel from United States Air Force military Airbase in Ramstein was also accessible. CCC ethical hackers demonstrated the breach's implications by pinpointing movements of high-profile individuals by using readily accessible software. Further investigation revealed that attackers exploited memory dumps containing cloud access keys, enabling them to retrieve sensitive vehicle data stored on Amazon servers. Comment Ends.
Cariad acted quickly upon notification, resolving the issue and securing the cloud storage the same day. The company claims no evidence suggests other parties accessed or misused the data beyond CCC’s ethical tests.
Elemendar Assessment: This incident highlights the critical need for robust cloud security practices, data segmentation, and key management protocols. Misconfigured cloud systems remain a significant vulnerability, underscoring the importance of proper access controls, regular audits, and the compartmentalised storage of encrypted data to limit the impact of breaches.
The exposure of cloud access keys in memory dumps further emphasises the necessity of stringent key management, including routine key rotation and restricted access. As demonstrated, the reliance on pseudonymisation proved insufficient to prevent correlation of datasets for deanonymising sensitive information.
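The assessment above names two controls: keeping cloud access keys out of artefacts such as memory dumps, and rotating the keys that do exist. The script below is an added example written for this report, not Cariad's or the CCC's tooling. The dump scanner matches the documented shape of an AWS access key ID (the prefix "AKIA" followed by 16 upper-case alphanumerics) and a labelled secret-key assignment; the dump bytes, the key values inside them and the key inventory are constructed, and the rotation and idle limits are assumed policy values.

```python
"""Secret scanning of a memory-dump fragment plus an access-key rotation check.

Constructed example: the dump bytes, the key values and the inventory are
made up; the 90-day rotation and 60-day idle limits are assumed policy.
"""
import re
from datetime import datetime, timedelta, timezone

# Documented AWS access key ID shape; the look-arounds stop partial matches inside longer tokens.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-like characters; only match it next to a label.
SECRET_KEY_RE = re.compile(rb"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})", re.I)

# Constructed memory-dump fragment: filler bytes around an embedded credential pair.
SAMPLE_DUMP = (
    b"\x00\x00heap\x00\x00AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\x00"
    b"aws_secret_access_key = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN'\x00"
    b"\x7fELF\x00\x00 AKIA alone or AKIAshort is not a key\x00"
)


def scan_dump(data=SAMPLE_DUMP):
    """Return (kind, offset, redacted preview) for credential material found in `data`."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(data):
        hits.append(("access_key_id", m.start(), m.group().decode()[:8] + "..."))
    for m in SECRET_KEY_RE.finditer(data):
        hits.append(("secret_access_key", m.start(1), "<redacted>"))
    return hits


# Constructed key inventory: (key_id_prefix, owner, created, last_used or None).
SAMPLE_INVENTORY = [
    ("AKIAEXAM...", "telemetry-ingest", "2024-01-15T00:00:00+00:00", "2024-12-01T00:00:00+00:00"),
    ("AKIAOTHE...", "ci-deploy", "2024-11-20T00:00:00+00:00", "2024-12-01T00:00:00+00:00"),
    ("AKIAUNUS...", "legacy-export", "2023-06-01T00:00:00+00:00", None),
]
MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy
MAX_IDLE = timedelta(days=60)       # assumed: unused keys are disabled
REFERENCE_NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)   # fixed clock for the sample


def rotation_findings(inventory=SAMPLE_INVENTORY, now=None,
                      max_age=MAX_KEY_AGE, max_idle=MAX_IDLE):
    """List keys that are past their rotation age or have gone idle."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key, owner, created, last_used in inventory:
        age = now - datetime.fromisoformat(created)
        if age > max_age:
            findings.append((key, owner, "rotate: %d days old" % age.days))
        if last_used is None:
            findings.append((key, owner, "disable: never used"))
        elif now - datetime.fromisoformat(last_used) > max_idle:
            findings.append((key, owner, "disable: idle"))
    return findings


if __name__ == "__main__":
    print(scan_dump())
    print(rotation_findings(now=REFERENCE_NOW))
```

The scanner redacts what it finds rather than printing it, so its output can go straight into a ticket; in practice the same two patterns would be run over crash dumps, CI logs and container images as part of a routine secret-scanning job, not only after an incident.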
Whilst no breach was reported, or indeed likely, the incident still highlights the growing cybersecurity risks within the connected vehicle industry, where increasing digital integration exposes vehicles to privacy and operational threats. Geo-location data combined with personal identifiers could be weaponised for surveillance, stalking, or even more severe exploitation, demanding greater attention to securing these ecosystems. Such lapses are highly likely to expose organisations and sensitive individuals, such as politicians or intelligence and security personnel, to unnecessary risk from espionage, terrorist groups and potential exploitation by threat actors. Assessment Ends.
Annex A: References
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems
https://thehackernews.com/2024/12/chinese-apt-exploits-beyondtrust-api.html
Iranian Threat Actor Targets US and Israeli CNI Through IoT Vulnerabilities
Turkish Defence Sector Targeted with Spearphishing Campaign
https://thehackernews.com/2024/12/bitter-apt-targets-turkish-defense.html
Customer Data from 800 000 Electric Cars and Owners Exposed Online
https://www.ccc.de/en/updates/2024/wir-wissen-wo-dein-auto-steht
Annex B: STIX Entities
Iranian Threat Actor Targets US and Israeli CNI Through IoT Vulnerabilities
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1211 | Exploitation for Defense Evasion | Defense Evasion | Exploiting vulnerabilities to evade detection by disabling or bypassing security mechanisms. | Attackers exploit weaknesses in security tools to avoid detection and maintain access. | Antivirus logs, IDS/IPS logs, System logs. |
T1082 | System Information Discovery | Discovery | Gathering system information such as OS version, installed software, and hardware configurations. | Attackers gather detailed system information to map the target environment and escalate privileges. | System information logs, Command logs, Event logs. |
T1584 | Compromise Infrastructure | Command and Control | Compromising third-party infrastructure to establish communication channels with the target system. | Attackers use compromised infrastructure to create covert channels for command and control. | DNS logs, Network traffic logs, Proxy logs. |
T1547 | Boot or Logon Autostart Execution | Persistence | Modifying system startup processes to ensure malware is executed when the system boots or logs in. | Malware is configured to persist by adding entries to startup processes, ensuring execution on reboot. | System logs, Event logs, Process creation logs. |
T1137 | Office Application Startup | Execution | Exploiting the automatic startup functionality of office applications to execute malicious code. | Malicious code is embedded in office application files that execute when the application starts. | Application logs, Process creation logs, File execution logs. |
T1573 | Encrypted Channel | Command and Control | Using encrypted communication channels for C2 traffic to evade detection. | Attackers use encryption (e.g., TLS, SSL) to hide C2 communication from security systems. | Network traffic logs, Proxy logs, Encrypted communication logs. |
T1059 | Command and Scripting Interpreter | Execution | Use of command-line interpreters (e.g., Bash, PowerShell, Python) to execute commands and scripts. | Attackers leverage command-line interfaces to run scripts and execute commands for lateral movement or data exfiltration. | Command logs, Script execution logs, Process creation logs. |
T1070 | Indicator Removal | Defense Evasion | Erasing or obfuscating traces of malicious activity from the system to avoid detection. | Malware removes or modifies logs and other indicators to avoid detection by security tools. | Log file access logs, System logs, Event logs. |
T1046 | Network Service Discovery | Discovery | Scanning and identifying network services and resources within the environment. | Attackers scan the network to discover available services, systems, and open ports to exploit. | Network traffic logs, IDS/IPS logs, Service access logs. |
Turkish Defence Sector Targeted with Spearphishing Campaign
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1053.005 | Scheduled Task | Execution | Monitor task creation or execution. | Used for persistence or execution. | Windows Event IDs 4698, 4702, 106. |
T1564.004 | NTFS File Attributes | Defense Evasion | Monitor attribute changes to hide files. | Hides files to evade detection. | File audit logs, Sysmon Event ID 11, PowerShell Event ID 4104. |
T1059.001 | PowerShell | Execution | Monitor suspicious PowerShell use. | Executes malicious scripts. | PowerShell Event IDs 4103, 4104, 4688. |
T1113 | Screen Capture | Collection | Detect screen capture activity. | Captures sensitive screenshots. | Process creation logs, Sysmon Event ID 1. |
T1614 | System Location Discovery | Discovery | Track location-related queries. | Identifies system location. | Network and process logs. |
T1083 | File and Directory Discovery | Discovery | Detect file system enumeration commands. | Searches for sensitive files. | Process command-line logging, PowerShell Event ID 4104. |
T1105 | Ingress Tool Transfer | Command and Control | Monitor suspicious downloads. | Transfers tools or payloads. | Network monitoring, process creation logs. |
T1082 | System Information Discovery | Discovery | Track system info gathering commands. | Collects system details. | Process command-line logs, Security Event ID 4688. |
Probability Language
This document uses probability language based on assessment. Further information can be found in the image below:
Feedback
We welcome your feedback, this ensures we meet your needs.
Please contact our CTI Director at : CTI@elemendar.ai
Acknowledgements
Authored by
Paul Montgomery, CTI Director Elemendar
Matt Orwin, CTI Analyst