8 Nation-State Hacking Groups to Watch in 2018
The aliases, geographies, famous attacks, and behaviors of some of the most prolific threat groups.
The nation-state threat landscape is constantly shifting. Threat actors alter strategies, switch targets, and change tools - and for organizations that need to defend against these groups, keeping track of the players can seem impossible.
Some hotbed regions are getting hotter, and some big-name actors are getting bigger. A perfect example is Fancy Bear (also known as APT28 and Sofacy), one of many groups believed to act out of Russia and Eastern Europe. The group is thought to be an arm of the Russian military intelligence agency GRU.
"[Fancy Bear] is probably the most famous group right now," says John Hultquist, FireEye director of intel analysis, who expects Fancy Bear will become even more brazen over the course of this year. Security experts point to Fancy Bear as the predominant threat group to watch in 2018 as it widens its bullseye to include more corporate targets.
North Korea is another hotbed for cyberattacks. The North Korean regime has invested significant resources in its cyber capabilities and groups from the area have been linked to a variety of activity, from the infamous Sony breach, to WannaCry and cryptocurrency mining.
Here are the nation-state threat groups security researchers are watching most closely - and the aliases, geographies, behaviors, past attacks, and changing strategies related to each one.
Also known as: Fancy Bear, APT28, Sofacy, Strontium, Sednit
Believed to operate out of: Russia
Usual targets: Fancy Bear's targets are primarily based in Europe and tend to include government ministries, though past attacks have targeted global embassies and the United States. The group has been known to target based on policies and it's interested in anything related to NATO, says Brian Bartholomew, principal security researcher at Kaspersky Lab. These days, he says Fancy Bear has its eyes on the Olympics.
Behavior: Its strength is spearphishing, says Bartholomew, adding that this is the main tactic for most threat groups. Fancy Bear has splintered into different subgroups, each of which is responsible for a different part of the attack. One subset focuses on phishing as many targets as possible. Once they're on a system, the next subset uses toolsets to maintain persistence.
Fancy Bear has also been known to leverage social media in its attacks, and spread disinformation campaigns, Bartholomew says. For example, it's believed to have hacked the anti-doping administration and tried to feed altered data to journalists, says Bartholomew. Some don't attribute this to Sofacy, he notes, but "we're pretty certain it is them." The group's toolkit is constantly evolving, but it does use a core backdoor called XAgent, says Alexis Dorais-Joncas, security intelligence team lead at ESET.
Tied to: Attacks on the Democratic National Committee, International Association of Athletics Federations, and German Parliament; influencing the 2016 US presidential election.
"I think what's so surprising about their activity is, despite continued accusations and exposures, they had not let up," says Hultquist, who expects increased activity during the Olympics and elections. "They've shown disregard for global norms and willingness to cross lines we never thought we'd see crossed."
Also known as: DarkSeoul, Hermit
Believed to operate out of: North Korea
Usual targets: South Korea, United States, financial organizations for monetary gain.
Worth noting: "We believe there is more than one North Korean group," says Hultquist. It's difficult to break down groups in the region because of the way they operate. There aren't many Internet streams coming from North Korea so oftentimes activity from different groups gets muddled together.
Behavior: Groups in the region are strong at social media attacks, says Bartholomew. Attackers typically target victims on Facebook Messenger, LinkedIn, Twitter, and other platforms. "They'll spend a lot of effort doing social campaigns figuring out who to target, then go after them slowly," he explains.
"We're not seeing an end to financially motivated activities," says Hultquist. "It's global and it is multi-million -- we're talking hundreds of millions of dollars at stake." Most nation-state threat groups limit their activities to espionage or destruction; the additional practice of financial cybercrime seems to be unique to North Korea, researchers say. Lazarus Group was behind the massive Sony data-destruction and doxing attack, and one of its subgroups has been tied to attacks on cryptocurrency exchanges and the SWIFT banking network.
Believed to operate out of: North Korea
Usual targets: Financial institutions
Behavior: "Basically, they're the financiers of the cyber world," says Bartholomew of Bluenoroff, a branch of Lazarus Group specifically focused on financial businesses. Its goal is to gain cryptocurrency to finance its attack efforts.
Tied to: High-profile crypto hacks involving large sums of money from specific exchanges, including the attacks on the SWIFT network. Security researchers expect this activity to continue - especially as sanctions on the North Korean government and economy continue. "Sanctions are going to be tightened more, and these guys are going to get more active so they can continue to finance things," Bartholomew explains.
Also known as: Snake, Venomous Bear, Waterbug
Believed to operate out of: Eastern Europe
Usual targets: Typically, former Soviet republics (Kazakhstan, Turkmenistan), as well as embassies in Moscow. Campaigns have also targeted diplomats in Eastern Europe, global consulates and embassies, and ministries of foreign affairs of European countries, says Dorais-Joncas. It has also targeted the US Department of State.
Behavior: The group has been known to leverage social engineering to trick targets into installing malware. Attackers often use watering hole attacks, a practice Bartholomew predicts will continue, since the group doesn't often change tactics: only a few times each year, and not much in 2017, he says.
"We've seen distribution of a fake, infected Flash updater on an Adobe subdomain pointing to one of their legitimate CDN IP addresses," Dorais-Joncas says, adding that Adobe has confirmed it hadn't been compromised and hadn't distributed the malicious files. Turla combined one of its backdoors with a legitimate Adobe Flash installer and downloaded the malware from real Adobe URLs and IP addresses, then had infected machines return sensitive data to legitimate Adobe URLs.
Turla has been around for a while but began to increase activity in 2017 after a period of quiet. This past summer, it began using an undocumented backdoor to spy on embassies and consulates. A separate campaign, dubbed WhiteBear, is believed to be phase two of Turla's White Atlas project. As in Turla's other campaigns, its C&C infrastructure is made up of hijacked websites and satellite connections. Later that summer, researchers noticed Turla targeting G20 participants and interested parties (policymakers, nations, journalists) with KopiLuwak, a backdoor it has been known to use.
Also known as: Reaper, Group 123
Believed to operate out of: North Korea
Usual targets: South Korean government, military, and defense industrial base
Behavior: Scarcruft, or Reaper (not to be confused with the IoT botnet named Reaper), has so far been less prolific, but is starting to cause concern, according to researchers. Up until now, the group hadn't demonstrated strong sophistication or focus outside the Korean peninsula. Now the group has been linked to the latest Adobe Flash zero-day, a sign that it is growing in strength. Hultquist says Scarcruft has been seen doing strategic Web compromises, specifically on websites related to North Korean interests like unification or defectors.
Also known as: Cozy Bear, CozyDuke, The Dukes
Believed to operate out of: Eastern Europe/Russia
Usual targets: Western European governments, foreign policy groups, similar organizations. APT29 has also targeted think tanks and NGOs.
Behavior: APT29 usually hides activity on victims' networks by disguising infrequent communication to resemble legitimate traffic, and by using legitimate popular Web services and taking advantage of encrypted SSL connections. It only uses compromised servers for C&C communication and deploys its own backdoors to fix bugs and add new features, report researchers at FireEye.
APT29 has also used social media platforms like Twitter and GitHub, and cloud storage services, to relay commands and take data from compromised networks. Spearphishing campaigns in recent years have targeted the US government.
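The APT29 tradecraft described above - infrequent, TLS-encrypted check-ins to reputable services such as Twitter or GitHub - defeats reputation and content inspection, so the practical handle a defender has left is timing. The following script is an added example written for this page, not code from the article or from any vendor it quotes; it parses a few constructed proxy log lines and flags client/destination pairs whose request intervals and sizes are suspiciously regular. The log format, the thresholds and the hosts are assumptions for illustration, not tuned production values.

```python
"""Beaconing detector for proxy logs (added example; not from the article).

A person browsing api.github.com produces bursty, irregular requests of
varying size; an implant polling the same service for commands tends to
produce evenly spaced requests of near-constant size. This script groups
proxy log lines by (client, destination), computes the coefficient of
variation (stdev / mean) of the inter-request intervals and of the
response sizes, and flags low-jitter series. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <destination> <bytes>".
# 10.1.1.5 is a human browsing GitHub; 10.1.1.9 checks Twitter every ~600 s.
SAMPLE_LOG = """\
2018-02-01T09:00:00 10.1.1.5 api.github.com 412
2018-02-01T09:00:03 10.1.1.5 api.github.com 9812
2018-02-01T09:00:04 10.1.1.5 api.github.com 23011
2018-02-01T09:02:41 10.1.1.5 api.github.com 517
2018-02-01T09:15:00 10.1.1.5 api.github.com 1203
2018-02-01T09:00:00 10.1.1.9 api.twitter.com 301
2018-02-01T09:10:00 10.1.1.9 api.twitter.com 302
2018-02-01T09:20:01 10.1.1.9 api.twitter.com 301
2018-02-01T09:29:59 10.1.1.9 api.twitter.com 303
2018-02-01T09:40:00 10.1.1.9 api.twitter.com 301
2018-02-01T09:50:00 10.1.1.9 api.twitter.com 302
"""


def parse_log(text):
    """Parse log lines into {(client, dest): [(timestamp, bytes), ...]}."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        series[(client, dest)].append((datetime.fromisoformat(ts), int(nbytes)))
    return series


def interval_stats(events):
    """Return (mean interval in seconds, coefficient of variation), or None
    when there are too few events to judge regularity."""
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(series, min_events=5, max_cv=0.05, max_size_cv=0.1):
    """Flag (client, dest) pairs whose timing and sizes are both regular.

    Requiring both low interval jitter and low size variance reduces false
    positives from legitimate periodic traffic such as RSS polling, which
    usually varies more in response size than a command check-in does.
    """
    hits = []
    for (client, dest), events in series.items():
        if len(events) < min_events:
            continue
        stats = interval_stats(events)
        if stats is None:
            continue
        mean_gap, cv = stats
        sizes = [n for _, n in events]
        size_cv = pstdev(sizes) / mean(sizes)
        if cv <= max_cv and size_cv <= max_size_cv:
            hits.append({"client": client, "dest": dest,
                         "events": len(events),
                         "mean_gap_s": round(mean_gap, 1),
                         "interval_cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample only the 10.1.1.9 to api.twitter.com series is flagged (six events, a 600 s mean gap, interval jitter well under one percent), while the bursty GitHub browsing from 10.1.1.5 is not. In practice the thresholds need tuning against a baseline of the environment's own periodic traffic, and a hit is a lead for investigation of the endpoint, not a verdict on the destination.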
Also known as: Newscaster, Charming Kitten
Believed to operate out of: Middle East - specifically Iran
Usual targets: Global range but recent focus is on Middle East, particularly Saudi Arabia and Israel
Behavior: "They've been carrying out global incidents," says Hultquist. "We've seen some overlap between them and destructive incidents and haven't been able to completely connect the two."
APT35 focuses on social engineering through social networks. Attackers create fake personae in social networks and use them to infiltrate organizations by sending links to employees. Unlike email, which typically has built-in defenses, social media is less monitored and businesses don't have as much control. While the group's targets have shifted as relations between the US and Iran have improved, Hultquist anticipates we'll see more of them going forward.
Also known as: BlackEnergy, Electrum, Iridium
Believed to operate out of: Eastern Europe
Usual targets: Ukraine
Behavior: Sandworm has been known to appear then disappear in waves with its attacks, which primarily target Ukraine, and experts agree we'll see more of these attacks in 2018. The group frequently uses spearphishing and has recently begun targeting the supply chain, a move likely to increase its target base, says Hultquist. While Ukraine is its primary target for ICS/SCADA attacks, there's always a chance Sandworm will broaden its reach. It previously researched a potential attack on US utility systems.
"Given that this activity doesn't appear to be declining or shrinking, the danger of them shifting and targeting outside Ukraine continues to increase," says Hultquist. "That could have serious repercussions for corporations operating all around the world."
Tied to: Ukraine power grid attacks of December 2015 and December 2016. Hultquist and other security researchers have also linked the group to last summer's NotPetya attack, a destructive campaign which also primarily targeted Ukraine.