Dark Reading is part of the Informa Tech Division of Informa PLC


7/11/2019
05:45 PM

APT Groups Make Quadruple What They Spend on Attack Tools

Some advanced persistent threat actors can spend north of $1 million on attacks, but the return on that investment can be huge.

Advanced persistent threat (APT) groups can sometimes spend a substantial amount of money mounting attacks on large, well-protected organizations. But for every dollar they spend, the payoff can be four times as much or more, a new study from Positive Technologies has found.

The security vendor analyzed the tools and tactics that 29 active APT groups are currently using in campaigns worldwide against organizations in multiple sectors, including finance, manufacturing, and government.

For the analysis, Positive Technologies looked at how much these groups have been spending, on average, to gain initial access to a target network and how much they are spending on developing the attack after they gain a foothold. The security vendor considered data both for financially motivated APT groups and separately for groups focused on cyberespionage and spying. The data was obtained from Positive Technologies' monitoring of active threat groups and from Dark Web and publicly available sources.

The exercise shows that the starting price for a full set of tools for attacks on large financial enterprises could be as high as $55,000, while some cyber espionage campaigns can start at over $500,000. But when the attacks are successful, the payoffs can be enormous as well.

For instance, "Silence," a well-known, financially motivated cybercrime group, last year stole the equivalent of $930,000 from Russia's PIR Bank. To pull off the caper, the group likely spent about $66,000 upfront on tools for creating malicious email attachments, stealing from the bank's ATMs, spying on the bank's employees, and on other legitimate penetration testing tools and homegrown malware, Positive Technologies estimates.

In addition, Silence likely forked out between 15% and 50% of the loot on money mules and other services that actually withdrew cash from PIR Bank's ATMs — still leaving the threat actor with substantially more than it spent.

"The potential benefit from an attack far exceeds the cost of a starter kit," says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. For groups like Silence, the profit from one attack is typically more than quadruple the cost of the attack toolset, she says.

The ROI for some APT groups can be orders of magnitude higher. Positive Technologies, for instance, estimated that APT38, a profit-driven threat group with suspected backing from the North Korean government, spends more than $500,000 for carrying out attacks on financial institutions but gets over $41 million in return on average. A lot of the money that APT38 spends is on tools similar to those used by groups engaged in cyber espionage campaigns.

Building an effective system of protection against APTs can be expensive, Galloway says. For most organizations that have experienced an APT attack, the cost of restoring infrastructure in many cases is the main item of expenditure. "It can be much more than direct financial damage from an attack," she says.

Positive Technologies' breakdown of attack costs shows that financially motivated APT groups typically spend a relatively low amount on gaining initial access. In nine out of 10 attacks, the threat actors use spear-phishing as a way to penetrate the company's internal network.

From $100 to Over $1 Million
Tools for creating the malicious attachments — or exploit builders — used in these email campaigns can range from as little as $300 to $2,500 for a monthly subscription to services for creating documents with malicious content. In some cases, exploit builders can cost substantially more. Positive Technologies estimates that the Cobalt Group, a group associated with attacks on numerous financial institutions, in 2017 paid $10,000 for malware it used in phishing emails to exploit a remote code execution vulnerability in Microsoft Office.

Meanwhile, APT groups that are focused on spying and cyber espionage rarely buy their initial access tools from Dark Web marketplaces and instead tend to use custom exploit builders. Prices for these are impossible to estimate, but evidence shows such groups are willing to pay even $20,000 for these tools, Positive Technologies said. For zero-day vulnerabilities, some APT groups don't flinch at paying as much as $1 million.

Once inside a network, APT groups — both the financially motivated ones and the cyberspies — tend to rely heavily on legitimate, publicly available tools and custom products rather than Dark Web tools. The most commonly used legitimate tools are penetration-testing platforms such as Cobalt Strike and Metasploit, Galloway says. Legal utilities for administration, such as Sysinternals Suite, and remote access tools, like TeamViewer, Radmin, and AmmyAdmin, are all popular as well.

While these tools can be obtained legally via public access, APT actors are often forced to shop for them in underground forums because of how some vendors vet their buyers before selling to them. Prices for these tools can range from as little as $100 for a modified version of TeamViewer to $15,000 for a modified version of Metasploit Pro with one year of technical support.

The cost for some specialized tools that APT groups use can be relatively steep. Tools for escalating OS privileges can easily cost $10,000, while those that take advantage of zero-day vulnerabilities in Adobe products, for instance, can fetch over $130,000. Positive Technologies estimates that cyber espionage group FinSpy has spent some $1.6 million on FinFisher, a framework that allows it to spy on users through webcam and microphone, capture email and chat messages, steal sensitive data, and employ a variety of anti-analysis techniques.

These tools can be hard to defend against, which is why many APT groups are willing to spend on them. "It is almost impossible to stop APT attacks at the stage of infrastructure penetration, and it is extremely difficult to do it at the stages of consolidation and distribution in the infrastructure," Galloway says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
