Dark Reading is part of the Informa Tech Division of Informa PLC


7/11/2019
05:45 PM

APT Groups Make Quadruple What They Spend on Attack Tools

Some advanced persistent threat actors can spend north of $1 million on attacks, but the return on that investment can be huge.

Advanced persistent threat (APT) groups can sometimes spend a substantial amount of money mounting attacks on large, well-protected organizations. But for every dollar they spend, the payoff can be four times as much or more, a new study from Positive Technologies has found.

The security vendor analyzed the tools and tactics that 29 active APT groups are currently using in campaigns worldwide against organizations in multiple sectors, including finance, manufacturing, and government.

For the analysis, Positive Technologies looked at how much these groups have been spending, on average, to gain initial access to a target network and how much they are spending on developing the attack after they gain a foothold. The security vendor considered data both for financially motivated APT groups and separately for groups focused on cyberespionage and spying. The data was obtained from Positive Technologies' monitoring of active threat groups and from Dark Web and publicly available sources.

The exercise shows that the starting price for a full set of tools for attacks on large financial enterprises could be as high as $55,000, while some cyber espionage campaigns can start at over $500,000. But when the attacks are successful, the payoffs can be enormous as well.

For instance, "Silence," a well-known, financially motivated cybercrime group, last year stole the equivalent of $930,000 from Russia's PIR Bank. To pull off the caper, the group likely spent about $66,000 upfront on tools for creating malicious email attachments, stealing from the bank's ATMs, spying on the bank's employees, and on other legitimate penetration testing tools and homegrown malware, Positive Technologies estimates.

In addition, Silence likely forked out between 15% and 50% of the loot on money mules and other services that actually withdrew cash from PIR Bank's ATMs — still leaving the threat actor with substantially more than it spent.

"The potential benefit from an attack far exceeds the cost of a starter kit," says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. For groups like Silence, the profit from one attack is typically more than quadruple the cost of the attack toolset, she says.

The ROI for some APT groups can be many magnitudes higher. Positive Technologies, for instance, estimated that APT38, a profit-driven threat group with suspected backing from the North Korean government, spends more than $500,000 for carrying out attacks on financial institutions but gets over $41 million in return on average. A lot of the money that APT38 spends is on tools similar to those used by groups engaged in cyber espionage campaigns.

Building an effective system of protection against APTs can be expensive, Galloway says. For most organizations that have experienced an APT attack, the cost of restoring infrastructure in many cases is the main item of expenditure. "It can be much more than direct financial damage from an attack," she says.

Positive Technologies' breakdown of attack costs shows that financially motivated APT groups typically spend a relatively low amount on gaining initial access. In nine out of 10 attacks, the threat actors use spear-phishing as a way to penetrate the company's internal network.

From $100 to Over $1 Million
Tools for creating the malicious attachments — or exploit builders — used in these email campaigns can range from as little as $300 to $2,500 for a monthly subscription to services for creating documents with malicious content. In some cases, exploit builders can cost substantially more. Positive Technologies estimates that the Cobalt Group, a group associated with attacks on numerous financial institutes, in 2017 paid $10,000 for malware it used in phishing emails to exploit a remote code execution vulnerability in Microsoft Office.

Meanwhile, APT groups that are focused on spying and cyber espionage rarely buy their initial access tools from Dark Web marketplaces and instead tend to use custom exploit builders. Prices for these are impossible to estimate, but evidence shows such groups are willing to pay even $20,000 for these tools, Positive Technologies said. For zero-day vulnerabilities, some APT groups don't flinch at paying as much as $1 million.

Once inside a network, APT groups — both the financially motivated ones and the cyberspies — tend to rely heavily on legitimate, publicly available tools and custom products rather than Dark Web tools. The most commonly used legitimate tools are penetration-testing platforms such as Cobalt Strike and Metasploit, Galloway says. Legal utilities for administration, such as Sysinternals Suite, and remote access tools, like TeamViewer, Radmin, and AmmyAdmin, are all popular as well.

While these tools can be obtained legally via public access, APT actors are often forced to shop for them in underground forums because of how some vendors vet their buyers before selling to them. Prices for these tools can range from as little as $100 for a modified version of TeamViewer to $15,000 for a modified version of Metasploit Pro with one year of technical support.

The cost for some specialized tools that APT groups use can be relatively steep. Tools for escalating OS privileges can easily cost $10,000, while those that take advantage of zero-day vulnerabilities in Adobe products, for instance, can fetch over $130,000. Positive Technologies estimates that cyber espionage group FinSpy has spent some $1.6 million on FinFisher, a framework that allows it to spy on users through webcam and microphone, capture email and chat messages, steal sensitive data, and employ a variety of anti-analysis techniques.

These tools can be hard to defend against, which is why many APT groups are willing to spend on them. "It is almost impossible to stop APT attacks at the stage of infrastructure penetration, and it is extremely difficult to do it at the stages of consolidation and distribution in the infrastructure," Galloway says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...