Who is the Lazarus Group?

A North Korean threat actor group that has stepped up its activity since the coronavirus outbreak, particularly in 'fileless' attacks, the spread of new malware samples, and attacks on cryptocurrency businesses, among others.

Targeted countries: India, Japan, Singapore, South Korea, the US, and the UK.

Tactics, techniques, and procedures: Phishing attacks, credential harvesting, impersonation, website spoofing, and data exfiltration.

Motive: Harvesting personal and financial information. Using phishing emails made to look as though they were sent by the local authorities in charge of dispensing government-funded COVID-19 support initiatives, the attackers try to drive recipients to fake websites where they are tricked into divulging personal and financial details.

Evidence: Cyfirma was able to intercept seven email templates impersonating government departments and institutions, including the Bank of England, Singapore's Ministry of Manpower, and Japan's Ministry of Finance.

Known email IDs used by the Lazarus group (as listed in the source):
email@example.com
firstname.lastname@example.org
email@example.com
@korea.kr

Who is Stone Panda?

Stone Panda — also known as APT10, menuPass, and Cloud Hopper — is a Chinese threat actor group that has traditionally focused on stealing international trade data and supply chain information from large companies.

Targeted countries: Multinational companies in India, South Korea, and Japan.

Tactics, techniques, and procedures: Phishing attacks to install malware, exploitation of web- and SSL-based vulnerabilities, and living-off-the-land techniques that rely on tools or features already present in the target environment.

Motive: Data exfiltration. The group steals intellectual property, copyrighted material, and trade secrets as part of corporate espionage, causing operational disruption and reputational damage to the victim.

Evidence: "As per the latest information gathering, we have observed certain activities where attackers launched passive scans towards an organization's assets, which we believe to be in the reconnaissance and enumeration phase of a long-planned hacking activity," said Cyfirma in its report.

Who is APT36?

APT36 — also known as Operation Transparent Tribe, Project M, and Mythical Leopard — is a Pakistan government-backed hacking group that has targeted Indian diplomats in the past. Pakistan's conflict with India is ongoing, and APT36's activities are a continuation of those hostilities.

Targeted countries: India.

Tactics, techniques, and procedures: Phishing emails that typically carry bogus health advisories about the coronavirus. Victims who open the attached document activate malware that gives the attacker access to sensitive information.

Motive: The group's main objective so far has been to collect sensitive data such as emails, passwords, and location data.

Evidence: In 2020, the group was observed impersonating the Indian government to send malware-laden emails, mostly to Indian recipients. Several other intrusions have also been detected, including a spear-phishing campaign aimed at computers belonging to Indian Railways.

Who is Mission2025?

Mission2025 is probably the most reclusive of the threat actors targeting India. According to Cyfirma, it is suspected to be a Chinese state-sponsored actor.

Targeted countries: India, the US, the UK, Japan, France, South Korea, Hong Kong, and Thailand.

Tactics, techniques, and procedures: Mission2025 has been observed implanting trojans and backdoors to steal sensitive information from organisations as part of its cyber-espionage campaigns.

Motive: The suspected motive is to assist Chinese companies as part of the Made in China 2025 vision, ranging from theft of intellectual property to theft of trade secrets. The end goal can vary from information exfiltration to corporate espionage or plain financial gain.