{"id":427,"date":"2019-06-25T15:15:40","date_gmt":"2019-06-25T13:15:40","guid":{"rendered":"https:\/\/lab52.es\/blog\/?p=427"},"modified":"2019-09-18T17:35:23","modified_gmt":"2019-09-18T15:35:23","slug":"g20-event-in-osaka-targeted-by-threat-actors","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/g20-event-in-osaka-targeted-by-threat-actors\/","title":{"rendered":"G20 event in Osaka targeted by threat actors:"},"content":{"rendered":"\n<p>The G20 event will take place in Osaka, Japan, on the 28<sup>th<\/sup> and 29<sup>th<\/sup> of June. At this event, the most powerful decision makers will discuss the significant topics and strategies that will influence the global order. Nation-states with offensive cyber capabilities would be highly interested in attacking the IT systems of the politicians, organizations or governments directly or indirectly involved. The following map shows the countries that will attend the G20 in Osaka ([1]):<\/p>\n\n\n\n<ul class=\"wp-block-gallery columns-1 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\"><li class=\"blocks-gallery-item\"><figure><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"527\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/06\/ima1-1024x527.png\" alt=\"\" data-id=\"428\" data-link=\"https:\/\/lab52.es\/blog\/?attachment_id=428\" class=\"wp-image-428\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima1-1024x527.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima1-300x154.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima1-768x395.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima1.png 1050w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/li><\/ul>\n\n\n\n<p style=\"font-size:14px;text-align:center\"><em>Illustration 1 Members &amp; Guests of the G20, 2019<\/em><\/p>\n\n\n\n<p>International organizations invited to the 
G20:<\/p>\n\n\n\n<p>ASEAN President (Thailand), AU President (Egypt), Chile (APEC President), Senegal (NEPAD President), United Nations (UN), International Monetary Fund (IMF), World Bank, World Trade Organization (WTO), International Labour Organization (ILO), Financial Stability Board (FSB), Organization for Economic Cooperation and Development (OECD), Asian Development Bank (ADB) and World Health Organization (WHO).<\/p>\n\n\n\n<p>The G20 is heavily targeted by APT groups because the agreements reached among the nation-states can be applied faster, and can have more geopolitical impact, than those of the United Nations or other multinational organizations and institutions ([4]). The following table lists several cyberattacks carried out by advanced threat groups against the G20 ([4]) ([5]):<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>Date<\/strong><\/td><td><strong>Incident<\/strong><\/td><\/tr><tr><td>Jan 2011<\/td><td>Spear phishing emails (G20-themed subjects)<\/td><\/tr><tr><td>Jan 2011<\/td><td>Spear phishing emails (2<sup>nd<\/sup> time), G20-themed subjects<\/td><\/tr><tr><td>Aug 2013<\/td><td>Spear phishing emails to a targeted list of 200+ G20 attendees<\/td><\/tr><tr><td>Mar 2014<\/td><td>Spear phishing emails with G20-themed subjects from an APT<\/td><\/tr><tr><td>Nov 2014<\/td><td>Spear phishing email sent to seven G20 users<\/td><\/tr><tr><td>Aug 2017<\/td><td>KopiLuwak backdoor for use in G20-themed attack<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>During the G20 2019 event, there will be several working groups, composed of professionals from the ministries of each attending country, with the aim of reaching agreements. All of those members would be exposed as targets to the APT groups interested in a G20 cyberattack. 
The working groups will be organized as follows ([3]):<\/p>\n\n\n\n<table class=\"wp-block-table aligncenter\"><tbody><tr><td><strong>Promoting strong, sustainable and balanced growth<\/strong><\/td><td><strong>Greater provision of international public goods and resilience<\/strong><\/td><td><strong>Digitalization of the economy<\/strong><\/td><td><strong>Population aging<\/strong><\/td><\/tr><tr><td>Society 5.0<br>Trade and investment<br>Quality infrastructure development<\/td><td>Universal health coverage<br>Natural disaster reduction and ocean waste management<br>Responsible lending and avoidance of the \u201cdebt trap\u201d<br>Global imbalance<br>Financial regulation<br>Gender equality<br>Climate change and energy<\/td><td>Digitalization and jobs<br>International taxation in the digital economy<br>Crypto-assets<br>Rule-making for the digital age<\/td><td>Fiscal management<br>Labor supply, investment and financial markets<br>Productivity improvement to raise potential growth<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>These topics, or subtopics derived from them, could be used by threat actors in their phishing emails: file names, real infected documents, email subjects, addresses, etc. As an example, in the last <strong>Turla<\/strong> cyberattack <strong>against the G20<\/strong> the file name was \u201csave the date\u201d.&nbsp; \u201cThe dropper was delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the Digital Economy. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany\u201d ([6]). Turla targets G20 participants and those with an interest in the G20, including member <strong>nations<\/strong>, <strong>journalists<\/strong>, and <strong>policymakers<\/strong>. 
<\/p>\n\n\n\n<p>Chinese APT groups have been involved in this kind of cyberespionage operation, as shown in the FireEye report in 2013 ([7]). The Moviestar campaign was supported by Ke3chang. For several weeks prior to the G20 event, the threat actor used emails with updates on the escalating Syrian crisis to get the victims to download the malware. This was definitely the most prominent topic at the 2013 G20 meeting. It was a well thought-out campaign&nbsp;<a href=\"http:\/\/threatpost.com\/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found\/100865\">targeting high-profile and influential government officials<\/a> ([8]). The file name of the infected document was \u201cUS_military_options_in_Syria.zip.\u201d<\/p>\n\n\n\n<p>To avoid cyberattacks during the G20, it is highly recommended to be wary of G20-themed emails that have downloadable files attached or that link to websites offering more information. Another warning sign of these malicious documents is a document that, once downloaded, is completely empty or flickers.<\/p>\n\n\n\n<p>USB devices are a very common way to infect IT systems, so it is important not to plug in any USB device and to avoid using any public WiFi network, as hackers could steal classified information from the guest's IT system ([9]).<\/p>\n\n\n\n<p><strong>Conclusions<\/strong><\/p>\n\n\n\n<p>The G20 is one of the most relevant international political events, as the policies agreed by this coalition can be executed faster than those of other organizations. APT groups target this event to collect classified information from top government officials.<\/p>\n\n\n\n<p>APT groups presumably related to China and Russia, such as Turla or Ke3chang, have a well-known history of targeting the members and organizations involved in the G20. All 20 countries would be targets for these APT groups, and some of them would be especially important. 
<\/p>\n\n\n\n<p>As can be seen in several reports on other G20 incidents, threat actors usually infect their victims using file names or real documents related to the topics covered by the G20 working groups.<\/p>\n\n\n\n<p><strong>References: <\/strong><\/p>\n\n\n\n<p>[1] Wikimedia. Map about G20. <a href=\"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/e\/e7\/G20.svg\">https:\/\/upload.wikimedia.org\/wikipedia\/commons\/e\/e7\/G20.svg<\/a><\/p>\n\n\n\n<p>[2] G20. What is the G20 Summit? | Summit Details | G20 Osaka Summit 2019. <a href=\"https:\/\/g20.org\/en\/summit\/about\/\">https:\/\/g20.org\/en\/summit\/about\/<\/a><\/p>\n\n\n\n<p>[3] CRIES. (2019). Japan\u2019s G20 Presidency for 2019: Potential Agendas and Issue. <\/p>\n\n\n\n<p>[4] Kaffenberger, L. Cyber Threats to the G20. https:\/\/www.sans.org\/cyber-security-summit\/archives\/file\/summit-archive-1517252245.pdf Video: <a href=\"https:\/\/www.youtube.com\/watch?v=B5IifOkA4-w\">https:\/\/www.youtube.com\/watch?v=B5IifOkA4-w<\/a><\/p>\n\n\n\n<p>[5] Infosecinstitute. Russian APT Groups Continue Their Stealthy Operations. https:\/\/resources.infosecinstitute.com\/russian-apt-groups-continue-stealthy-operations\/<\/p>\n\n\n\n<p>[6] Dawson, C. Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in. https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack<\/p>\n\n\n\n<p>[7] Boland, B. The G20 and the New Reality of Cyber Espionage. https:\/\/www.fireeye.com\/blog\/executive-perspective\/2014\/11\/the-g20-and-the-new-reality-of-cyber-espionage.html<\/p>\n\n\n\n<p>[8] Mimoso, M. China Espionage Malware Targeted Diplomats, Foreign Ministers During G20 Summit. https:\/\/threatpost.com\/china-espionage-malware-targeted-diplomats-foreign-ministers-during-g20-summit\/103178\/<\/p>\n\n\n\n<p>[9] SBS News. (n.d.). Spy agency warns of G20 cyber-attack risk. 
https:\/\/www.sbs.com.au\/news\/spy-agency-warns-of-g20-cyber-attack-risk<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The 28th and 29th of June is going to celebrate the G20 event in Osaka, Japan. In this event, the most relevant powerful decision makers will discuss the significant topics and strategies that will influence global order. The Nation-States with cyber offensive capabilities would be highly interested in cyberattacking the IT systems of politicians, organizations [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[3,1],"tags":[4,6],"class_list":{"0":"post-427","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apts","8":"category-uncategorised","9":"tag-apt","10":"tag-cyberthreat","11":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima2-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/06\/ima2-600x584.png","author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/427"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=427"}],"version-history":[{"count":2,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/427\/revisions"}],"predecessor-ve
rsion":[{"id":431,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/427\/revisions\/431"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/430"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}