Full Report
Researchers discovered a new campaign by Earth Kasha, a threat group targeting Japan, Taiwan, and India since 2019, with connections to the broader APT10 umbrella. This recent campaign, beginning in 2023, employs updated TTPs, including exploiting vulnerabilities like CVE-2023...
Analysis Summary
# Threat Actor: Earth Kasha
## Attribution & Identity
Identified as **Earth Kasha**. Known connection to the broader **APT10** umbrella. Potential overlaps and shared resources with other China-linked actors such as **Earth Tengshe** and **Volt Typhoon**.
## Activity Summary
Active since at least 2019. The most recent campaign described began in **2023** and involves updated Tactics, Techniques, and Procedures (TTPs), including the exploitation of specific vulnerabilities for initial access. The primary observed impact is **data exfiltration**.
## Tactics, Techniques & Procedures
- Initial access via **vulnerability exploitation** (the report specifically cites **CVE-2023-27997**, affecting FortiOS/FortiProxy).
- **DLL Side-Loading**
- **Phishing**
- **Credential theft**
## Targeting
- Sectors: Not explicitly detailed, but the focus on high-value data exfiltration suggests government, technology, or critical infrastructure.
- Geography: **Japan**, **Taiwan**, and **India**.
- Victims: Specific organizations are not named in the summary context.
## Tools & Infrastructure
- Malware families used: **LODEINFO**, **NOOPDOOR**, **MirrorStealer**.
- Command and Control/Post-Exploitation: **Cobalt Strike**.
- Targeted technologies: **FortiOS** and **Proself** (the latter likely referring to a specific vulnerable application or platform; the summary does not elaborate).
## Implications
The group is demonstrating maturity by adopting updated TTPs, including rapid exploitation of known vulnerabilities (one-day exploits). The operational overlap with groups like Earth Tengshe and Volt Typhoon suggests possible shared development resources, sophisticated supply chain access, or coordinated espionage objectives typically associated with state-sponsored actors.
## Mitigations
- Apply patches immediately for exploited vulnerabilities such as **CVE-2023-27997** affecting FortiOS/FortiProxy.
- Monitor for indicators related to the malware families **LODEINFO**, **NOOPDOOR**, and **MirrorStealer**.
- Implement robust detection rules for post-exploitation techniques like **DLL Side-Loading** and **Cobalt Strike** usage.