In 2021, we observed several targeted attacks against researchers at academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified a new intrusion set, which we have named “Earth Yako”. Our research attributes this activity to the known campaigns “Operation RestyLink” and “Enelink”.
Upon investigating several incidents, we identified previously unknown malware, tactics, techniques and procedures (TTPs), and infrastructure used by Earth Yako for cyberespionage. The intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Since we observed related attacks as recently as January 2023, we believe that Earth Yako is still active and will continue targeting more organizations. This investigation was presented at JSAC 2023 in Tokyo, Japan.