Full Report
Trend Micro researchers exposed a sophisticated cyber espionage campaign orchestrated by a threat actor dubbed Earth Ammit, which... The post Earth Ammit espionage campaign targets government, critical infrastructure with novel tools appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Earth Ammit
## Attribution & Identity
- **Identification:** Sophisticated cyber espionage threat actor analyzed by Trend Micro researchers.
- **Aliases/Known Associations:** N/A (The article focuses solely on Earth Ammit).
## Activity Summary
Earth Ammit has been operating since late 2023, executing two distinct waves of cyber espionage campaigns leveraging custom tools and stealthy infection chains that utilize public cloud infrastructure.
1. **VENOM Campaign (2023-2024):** Primarily targeted software service providers and upstream vendors across heavy industry, media, technology, and healthcare sectors. Focused on infiltrating the upstream segment of the drone supply chain. Relied heavily on open-source tools.
2. **TIDRONE Campaign (2024):** Shifted focus toward the military industry, indicating tactical evolution. Used custom-built tools for cyber espionage.
The actor's goal is to compromise trusted networks through supply chain attacks, gaining a long-term strategic advantage and reaching high-value entities downstream.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Employed two types of supply chain attacks:
  1. **Classic Supply Chain Attack:** Injecting malicious code into legitimate software or replacing software update packages.
  2. **General Supply Chain Attack:** Compromising upstream vendors to leverage trusted communication channels (such as remote monitoring and IT management tools) to distribute malware without altering software artifacts.
- **Initial Access/Execution:** Spread malware into connected downstream environments through compromised upstream vendors.
- **Payload Delivery:** Researchers observed that the same loader could deliver two different custom payloads, the CXCLNT and CLNTEND backdoors.
- **Evasion:** Observed use of fiber-based evasion techniques, suggesting attempts to bypass security controls through fiber-related APIs.
- **Data Exfiltration:** Theft of credentials and screenshots observed from victims.
- **Tools Used:**
  - Open-source tools (during the VENOM campaign).
  - Custom-built tools: **CXCLNT** (backdoor), **CLNTEND** (backdoor).
  - Customized **FRPC** (called VENFRPC) with the configuration embedded directly in the file.
- **MITRE ATT&CK IDs:** N/A
## Targeting
- **Sectors:** Government entities, critical infrastructure, heavy industry, media, technology, healthcare, military industry, satellite vendors, drone supply chain components, software service providers, and payment service providers.
- **Geography:** Southeast Asia, Central Asia, and Eastern Europe.
- **Victims:** Primary victims originated from **Taiwan** and **South Korea**, especially organizations tied to the military and drone industry.
## Tools & Infrastructure
- **Malware Families Used:** Backdoors CXCLNT and CLNTEND. Customized FRPC (VENFRPC).
- **Infrastructure:** Utilizes public cloud infrastructure for stealthy operations.
## Implications
Earth Ammit poses a high-level threat due to its sophisticated, multi-stage supply chain focus, specifically targeting critical infrastructure and sensitive industries such as defense and drone manufacturing. Its ability to use both traditional software injection and general network compromise via trusted partners allows wide and deep penetration into high-value ecosystems, leading to significant strategic intelligence collection.
## Mitigations
- Implement a comprehensive third-party risk management approach.
- Evaluate vendor security practices and verify software integrity using Software Bills of Materials (SBOMs).
- Enforce code signing protocols.
- Continuously monitor the behavior of third-party software.
- Implement timely patch management.
- Utilize network segmentation for vendor systems.
- Incorporate third-party breach scenarios into incident response planning.
- Adopt a Zero Trust Architecture (ZTA) to authenticate every connection.
- Closely monitor the use of fiber-related APIs for anomalous activity.
- Strengthen Endpoint Detection and Response (EDR) capabilities to recognize fiber-based execution patterns and enhance behavioral monitoring.
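As an added illustration of the last two mitigations (not code from the report or from Trend Micro), the following Python detector flags processes whose API-call trace shows the fiber execution pattern ConvertThreadToFiber, CreateFiber, SwitchToFiber in that order. The trace line format, the sample trace and the allowlist of images known to use fibers legitimately are all assumptions for this example.

```python
import re
from collections import defaultdict

# Windows fiber APIs whose combined use in one process is the pattern to flag.
FIBER_APIS = {"ConvertThreadToFiber", "ConvertThreadToFiberEx",
              "CreateFiber", "CreateFiberEx", "SwitchToFiber"}
# Hypothetical allowlist of images known to use fibers legitimately; tune per estate.
KNOWN_FIBER_USERS = {"sqlservr.exe"}
# Assumed trace line format: "<timestamp> pid=<n> image=<name> api=<Name> [args]"
LINE_RE = re.compile(r"^\S+\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+api=(?P<api>\w+)")

# Constructed sample trace (not real telemetry): one full sequence in an unknown
# image, one in an allowlisted image, and one incomplete sequence.
SAMPLE_TRACE = """\
2024-05-02T10:01:03Z pid=4120 image=updater.exe api=ConvertThreadToFiber
2024-05-02T10:01:03Z pid=4120 image=updater.exe api=CreateFiber
2024-05-02T10:01:04Z pid=4120 image=updater.exe api=SwitchToFiber
2024-05-02T10:01:05Z pid=2208 image=sqlservr.exe api=ConvertThreadToFiber
2024-05-02T10:01:05Z pid=2208 image=sqlservr.exe api=CreateFiber
2024-05-02T10:01:05Z pid=2208 image=sqlservr.exe api=SwitchToFiber
2024-05-02T10:01:06Z pid=3300 image=notepad.exe api=CreateFiber
2024-05-02T10:01:06Z pid=3300 image=notepad.exe api=SwitchToFiber
"""

def parse_line(line):
    """Return the parsed fields of one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def _first_index(apis, prefix):
    """Index of the first call whose name starts with prefix, else None."""
    return next((i for i, a in enumerate(apis) if a.startswith(prefix)), None)

def detect_fiber_execution(trace):
    """Return [(pid, image, calls)] for non-allowlisted processes that convert a thread to a fiber, create one and switch to it, in that order."""
    calls, image_of = defaultdict(list), {}
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev and ev["api"] in FIBER_APIS:          # ignore all non-fiber calls
            calls[ev["pid"]].append(ev["api"])
            image_of[ev["pid"]] = ev["image"]
    hits = []
    for pid, apis in calls.items():
        if image_of[pid].lower() in KNOWN_FIBER_USERS:
            continue
        order = [_first_index(apis, p)
                 for p in ("ConvertThreadToFiber", "CreateFiber", "SwitchToFiber")]
        if None not in order and order == sorted(order):  # all present, in sequence
            hits.append((pid, image_of[pid], apis))
    return hits
```

Running `detect_fiber_execution(SAMPLE_TRACE)` flags only pid 4120; the allowlisted SQL Server process and the incomplete notepad sequence are not reported.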