Operation Clairvoyance: How APT Groups Spy on the Media Industry
2023-05-12 • TeamT5
TeamT5’s Operation Clairvoyance presentation is primarily a broad study of APT espionage against media organizations, with detailed case material on Taiwan-focused and China-nexus activity. The DPRK-relevant evidence in the provided excerpt is limited to an overview noting media-targeting activity against South Korea, Japan, and the United States using phishing, BabyShark, and AFMail, plus a reference to Mandiant’s reporting on North Korea’s UNC2970/LIGHTSHOW activity. The excerpt therefore supports treating this as contextual, DPRK-relevant media-sector tradecraft rather than a report wholly about North Korean operations. Its more detailed visible sections describe non-DPRK tooling and techniques: BlackTech/PLEAD, KeyPlug, Bifrost/Waterbear, Dropbox abuse for command and control, reverse shells, and a Taiwanese media web-server compromise.
Indicators of Compromise

All First Seen/Last Seen values coincide with the report date (2023-05-12) and do not describe an observation window. The URL values are truncated in the source and are reproduced as given. The table mixes indicator types that need different handling: newtalk.tw and news.ltn.com.tw are the public domains of legitimate Taiwanese news outlets and should be triaged as references, not blocked, while entries such as tw-facebook.com, linestw.com, udnnews.net and ppchrome.com resemble the names of services and outlets widely used in Taiwan and are the candidates for blocking or hunting.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://newtalk.tw/news/view/20… | 2023-05-12 | 2023-05-12 |
| URL | https://news.ltn.com.tw/news/po… | 2023-05-12 | 2023-05-12 |
| URL | https://www.ftvnews.com.tw/news… | 2023-05-12 | 2023-05-12 |
| URL | https://www.ettoday.net/news/20… | 2023-05-12 | 2023-05-12 |
| DOMAIN | tw-facebook.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | udngroups.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | udnnews.net | 2023-05-12 | 2023-05-12 |
| DOMAIN | symantecenterprise-blogs.securi… | 2023-05-12 | 2023-05-12 |
| DOMAIN | twfhc.net | 2023-05-12 | 2023-05-12 |
| DOMAIN | rutentw.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | caaupgrade.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | linestw.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | ppchrome.com | 2023-05-12 | 2023-05-12 |
| DOMAIN | udntw.net | 2023-05-12 | 2023-05-12 |
| DOMAIN | newtalk.tw | 2023-05-12 | 2023-05-12 |
| DOMAIN | news.ltn.com.tw | 2023-05-12 | 2023-05-12 |
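The domain indicators above, matched against DNS log lines, as an added example that is not part of the TeamT5 report. The log lines are constructed for illustration, and the truncated `symantecenterprise-blogs.securi…` entry is omitted because its full value is not recoverable from the page. The point the example makes is that indicator matching must respect label boundaries: `udnnews.net` should match `mail.udnnews.net` but not `notudnnews.net` or `udnnews.network`, and case, trailing dots and ports must be normalized first.

```python
"""Match hostnames from a DNS log against the domain indicators in the table.

Added example; not code from the TeamT5 report. Sample log lines are
constructed. Matching walks up the label chain so hits only occur on label
boundaries (mail.udnnews.net -> udnnews.net, but notudnnews.net -> no match).
"""
from typing import List, Optional, Set, Tuple

# Domain indicators copied from the table above. The truncated
# 'symantecenterprise-blogs.securi...' entry is left out: its full value is
# not on the page. newtalk.tw and news.ltn.com.tw are legitimate outlets and
# are kept here only so the scanner reflects the table as published; in
# production they belong on a reference list, not a blocklist.
IOC_DOMAINS: Set[str] = {
    "tw-facebook.com", "udngroups.com", "udnnews.net", "twfhc.net",
    "rutentw.com", "caaupgrade.com", "linestw.com", "ppchrome.com",
    "udntw.net", "newtalk.tw", "news.ltn.com.tw",
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a single ':port' suffix and a trailing dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # hostname:port (IPv6 literals have more colons)
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def match_ioc(host: str, iocs: Set[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Candidates are built from the right: a.b.c -> 'a.b.c', 'b.c', 'c'. This
    gives label-boundary matching without a regex, so 'udnnews.network' and
    'notudnnews.net' never match 'udnnews.net'.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed sample in a minimal 'ts client query' layout; not real traffic.
SAMPLE_DNS_LOG = """\
1683849600.101 10.0.0.12 www.example.com
1683849601.220 10.0.0.12 mail.udnnews.net
1683849602.330 10.0.0.15 notudnnews.net
1683849603.440 10.0.0.15 TW-FACEBOOK.COM.
1683849604.550 10.0.0.17 udnnews.network
1683849605.660 10.0.0.17 cdn.linestw.com:443
"""


def scan_dns_log(text: str, iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, queried_host, matched_indicator) for every hit, in log order."""
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                  # skip blank or malformed lines
        _ts, client, query = parts[:3]
        ioc = match_ioc(query, iocs)
        if ioc is not None:
            hits.append((client, query, ioc))
    return hits


if __name__ == "__main__":
    for client, query, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {query} -> indicator {ioc}")
```

Running the block reports three hits (mail.udnnews.net, TW-FACEBOOK.COM. and cdn.linestw.com:443) and correctly ignores notudnnews.net and udnnews.network, which a naive substring or `endswith` check would have flagged.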