
Earth Kurma APT Campaign: A New Threat to Southeast Asia's Cybersecurity

A new advanced persistent threat (APT) group, dubbed Earth Kurma, has emerged, targeting government and telecommunications sectors across Southeast Asia since June 2024. This sophisticated campaign employs custom malware, rootkits, and cloud-based data exfiltration techniques, posing significant risks to sensitive data and national security.


Key Takeaways

  • Earth Kurma targets government and telecommunications sectors in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia.

  • The group uses advanced malware, including rootkits, together with cloud services for data theft.

  • Their tactics include credential theft, persistent access through kernel-level rootkits, and stealthy data exfiltration methods.

Overview of Earth Kurma

Earth Kurma has been identified as a new APT group focusing on cyber espionage within Southeast Asia. Their operations date back to November 2020, with a clear emphasis on data exfiltration from government and telecommunications entities. The group’s activities have raised alarms due to their sophisticated methods and the potential for significant data breaches.

Attack Techniques and Tools

The Earth Kurma campaign is characterized by the following tactics:

  1. Custom Malware: The group employs various malware strains, including:

  2. Data Exfiltration: Earth Kurma uses cloud storage services for data theft, specifically targeting documents with extensions such as .pdf, .doc, and .xls. The exfiltration process involves:

  3. Lateral Movement: The group employs various tools to navigate through compromised networks, including:

Implications for Southeast Asia

The ongoing activities of Earth Kurma pose a high business risk due to the potential compromise of sensitive government and telecommunications data. The group’s ability to maintain a persistent and stealthy presence within victim networks raises concerns about long-term espionage and data integrity.

Recommendations for Mitigation

Organizations in the affected sectors should consider implementing the following security measures:

  • Strict Driver Policies: Enforce policies that only allow digitally signed drivers to prevent rootkit installations.

  • Strengthen Active Directory Controls: Secure the sysvol directory and audit replication events to prevent unauthorized data exfiltration.

  • Limit SMB Communications: Restrict the use of SMB protocol to minimize lateral movement opportunities for attackers.
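As an added example (not code from this post or from the Trend Micro and Hacker News reports), the following PowerShell check supports the first recommendation: it lists currently loaded kernel drivers whose image file fails Authenticode validation, which is where a kernel-level rootkit that slipped past a signed-driver policy would show up. The function name Get-UnsignedRunningDriver is my own.

```powershell
# Added example: audit running kernel drivers against the signed-driver policy.
# Run in an elevated PowerShell session on the Windows host being checked.
function Get-UnsignedRunningDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver enumerates kernel-mode drivers; keep only those loaded right now.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }

    foreach ($drv in $drivers) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # PathName may be quoted or use the \??\, \SystemRoot\ or System32\ prefixes
        # from the service database; normalise to a Win32 path before validating.
        $path = $path.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver whose file is gone from disk deserves a look on its own.
            [PSCustomObject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Name   = $drv.Name
                Path   = $path
                Status = $sig.Status   # e.g. NotSigned, HashMismatch, NotTrusted
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: print every running driver that does not carry a valid signature.
Get-UnsignedRunningDriver | Format-Table -AutoSize
```

Treat the output as triage leads rather than verdicts: some catalog-signed inbox drivers can report NotSigned on older Windows builds, so confirm each hit against the vendor's catalog before acting on it.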

As Earth Kurma continues to evolve and adapt its tactics, it is crucial for organizations in Southeast Asia to enhance their cybersecurity measures. By staying informed and proactive, they can better protect themselves against this emerging threat and safeguard sensitive information from potential breaches.


Sources

  • Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools, The Hacker News.

  • Earth Kurma APT Campaign Targets Southeast Asian Government Telecom Sectors, Trend Micro.
