NEODYMIUM (G0055): A Cyber Espionage Threat Targeting Turkey
- Suspected Origin
- Iran (suspected)
- Motivation
- Espionage, Intelligence Gathering
- Aliases
- None documented
- Target Sectors
- Unspecified (primarily individuals), Turkish organizations
- Associated Malware
- Wingbird, FinFisher (similar characteristics)
Overview
NEODYMIUM, tracked by MITRE ATT&CK as G0055, is a cyber activity group that emerged with documented operations as early as May 2016. This group is primarily focused on cyber espionage, with a distinct emphasis on intelligence gathering and long-term infiltration rather than direct financial gain. NEODYMIUM has notably targeted Turkish victims, demonstrating a consistent focus on the region.
While definitive state attribution remains challenging, NEODYMIUM is believed with moderate confidence to be associated with the government of Iran. The group has also shown similarities to another activity group, PROMETHIUM (G0056), due to overlapping victim and campaign characteristics, including the use of the same zero-day exploit in closely timed attacks. There are also reported associations with BlackOasis operations, although evidence that these are aliases has not been confirmed.
NEODYMIUM’s operational methods suggest a well-resourced and persistent adversary, capable of developing and deploying custom malware and exploiting zero-day vulnerabilities. Their targets appear to be specific individuals, aiming to obtain intellectual property and other valuable data from organizations by compromising individuals with access to such information.
Tactics & Techniques
NEODYMIUM employs sophisticated tactics and techniques to achieve its espionage objectives. A common initial access vector involves highly tailored spear-phishing emails containing malicious attachments. These attachments are designed to deliver exploit code, leading to the installation of their primary malware, Wingbird.
A notable campaign in May 2016 saw NEODYMIUM, alongside PROMETHIUM, exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2016-4117). This exploit executed code to download a malicious payload, bypassing security measures in outdated systems. Once executed, Wingbird is installed, granting the attackers persistent access and control.
The group’s tactics extend beyond initial compromise. Wingbird, their custom backdoor, exhibits several behaviors that trigger advanced threat detection systems, indicating various stages of the malware kill chain. These include attempts to gain higher privileges, delete malicious files, use DLL side-loading techniques, and inject code into legitimate processes. Such behaviors highlight the group’s efforts to maintain stealth and persistence within compromised environments. NEODYMIUM’s focus on individual computers rather than entire networks for Wingbird deployment suggests a targeted approach for information theft and espionage.
Notable Campaigns
The most widely reported and defining campaign attributed to NEODYMIUM occurred in May 2016. In this instance, NEODYMIUM and PROMETHIUM conducted twin zero-day attacks, specifically targeting individuals in Europe. Both groups leveraged an exploit for CVE-2016-4117, a then-unknown vulnerability in Adobe Flash Player. While PROMETHIUM distributed malicious links through instant messengers, NEODYMIUM utilized carefully crafted spear-phishing emails with attachments to deliver the exploit and subsequently install their Wingbird backdoor.
This campaign highlighted NEODYMIUM’s capability to acquire and deploy zero-day exploits, indicating a significant level of sophistication and resources. The consistent targeting of Turkish victims during this period, as well as throughout their documented activity, further underscores their regional focus.
Associated Malware & Tools
NEODYMIUM’s primary tool of choice is a custom backdoor identified by Microsoft as Wingbird. This malware possesses characteristics that closely match FinFisher, a commercial government-grade surveillance tool. Security researchers have suggested that Wingbird could be a newer variant of FinFisher, given the overlapping functionalities such as keylogging and screenshot capabilities. Wingbird is designed to attack individual computers rather than broad network infiltration, aligning with NEODYMIUM’s espionage motivation.
Technical analysis of Wingbird reveals its use of advanced techniques to evade detection and maintain persistence. It is obfuscated at the source code level to hinder analysis and can inject malicious code into legitimate processes, making it difficult for traditional security tools to detect. Additionally, Wingbird checks for the presence of specific FinFisher components, like ico_sf46.ico, further cementing its suspected link to the government spyware.
Current Status
Publicly available information suggests that NEODYMIUM’s documented activity largely peaked around 2016-2017. While their last observed activity as of a June 2022 profile update was September 2017, the nature of cyber espionage groups means that a lack of recent public reporting does not necessarily equate to complete inactivity or disbandment. It is common for sophisticated threat actors to adapt their tactics, techniques, and procedures (TTPs) and infrastructure to avoid detection, potentially leading to a period of “going dark” before re-emerging under new guises or with updated toolsets. Therefore, despite no recent notable campaigns being widely reported, it is prudent to consider NEODYMIUM as an ongoing, albeit possibly restructured, threat, especially given their suspected state-sponsored backing and specific targeting objectives. Their operational status remains officially unknown, but their historical capabilities warrant continued vigilance.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call