With a tip that came from one of the biggest breaches in US National Security Agency history, researchers have discovered a new hacking group that infected targets with a previously unknown piece of advanced malware.
Hints of the APT—short for advanced persistent threat—group first emerged in April 2017. That’s when a still-unidentified group calling itself the Shadow Brokers published exploits and code developed by, and later stolen from, the NSA. Titled “Lost in Translation,” the dispatch was best known for publishing the Eternal Blue exploit that would later power the WannaCry and NotPetya worms that caused tens of billions of dollars’ worth of damage worldwide. But the dump included something else: a script that checked compromised computers for malware from a variety of APTs.
Researchers from Kaspersky Lab said one of the APTs described in the script started operations no later than 2009 and then vanished in 2017, the same year the Shadow Brokers post was published. Dubbed DarkUniverse, the group is probably tied to ItaDuke, a group that has actively targeted Uyghurs and Tibetans since 2013. The link assessment is based on unique code overlaps in both groups’ malware.