Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

SOC

12/10/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

APTs in 2018: A Mix of Old & New

Established threat groups and new players alike made for an active APTs scene this year, according to researchers with Kaspersky Lab.

The picture of advanced persistent threats (APTs) in 2018 has been one of established threat groups such as Sofacy and Turla continuing their work, an Olympic Destroyer attack that was among the most sophisticated false flags, the re-emergence of some bad actors that had been absent from the scene, the rise of new players, and a growing effort by governments to slow the number of attacks by naming suspected culprits.

In their report, "APT Review of the Year," researchers with Kaspersky Lab noted that getting a clear view of all the key developments in this area of security is difficult because "everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them."

However, it's important to understand what happened in 2018 to get a better idea of what to expect as the calendar turns to 2019, according to Vicente Diaz, security researcher at Kaspersky Lab Global Research and Analysis Team.

(Source: iStock)
(Source: iStock)

"We believe that APT activity is becoming part of the operations of every nation-state," Diaz told Security Now in an email. "Such activity includes different agencies working in parallel, different groups offering their services, and external companies selling their tools. All of this results in a picture where older, well-established actors are thinking about new, more sophisticated ways of achieving their objectives and silently moving away from the noisy wave of newcomers. The rapid increase in the number of new actors also means that there is an increasing number of potential targets. This is reality, and although it is complex, it is necessary for defenders to understand how it is evolving so that we can fight against it."

The threat groups behind many of these APTs were a mix of large, known actors, new ones and some that had returned after a period of hibernation.

Familiar names
The first included several known Russian-speaking groups such as Sofacy, Trula and CozyBear. Sofacy appeared to be the most active, being seen by Kaspersky researchers in various operations throughout 2018 and updating their tools. The campaigns included Gamefish, an update of its DealersChoice framework and the malware attack on Computrace's LoJack technology for PCs via a UEFI-type rootkit. In addition, the Zebrocy tool used by Sofacy saw a range of improvements, convincing the researchers that others may have been using and building on it.

Sofacy also is suspected of being involved in the OlympicDestroyer false flag operation. (See Olympic Destroyer Returns With Attacks in Europe.)

Turla was found using LightNeuron targeting Exchange servers, a backdoor that had been used to infect Germany's Foreign Office in 2017 and a new variant of its Carbon malware. In addition, Cozy Bear -- also known as CozyDuke -- was detected last month targeting diplomatic and governmental entities in Europe.

Some groups that had been out of circulation emerged in 2018, including Kimsuky, DarkHotel, LuckyMouse and APT10 (which was suspected to be behind the OceanSalt campaign) in Southeast Asia and Middle East groups like Prince of Persia, OilRig, MuddyWaters and GazaTeam. (See McAfee: Seasalt Malware Raises Its Head Again.)

(Source: Kaspersky Lab)\r\n\r\n
(Source: Kaspersky Lab)\r\n\r\n

New groups also sprang up, including an array of bad actors in Southeast Asia like ShaggyPanther, Sidewinder, CardinalLizard and TropicTrooper.

"As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives," the researchers wrote in their report. "They are usually interested in regional targets, with their main objectives being governmental and also military."

Other new groups include LazyMerkaats, FruityArmor and OpParliament in the Middle East and DustSquad, ParkingBear and Gallmaker in Eastern Europe.

New goals
The researchers also noted a shift in targets of many of the APT groups mentioned, writing that even if some of the activity "doesn't seem that technically advanced, it doesn't mean it isn't effective. Looking back, we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data."

To combat the APT campaigns, governments took to publicly identifying suspects in a "naming and shaming" effort.

For example, US officials released details of the North Korean citizen they said was part of the Lazarus group behind the attack on Sony and the WannaCry ransomware. In addition, the Justice Department indicted Russian citizens and officers of Russia's GRU as part of the investigation into the country's interference into US elections.

However, it's unclear how effective the naming-and-shaming campaigns are, Kaspersky's Diaz said.

"We shall see," he said. "Although we cannot know for sure, it seems as if the previous US-China agreement [of 2015] slowed down APT activity. The 'naming and shaming' strategy is much more aggressive, since it makes public details of different attacks. It is not clear how well this might work in reducing attacks, or whether the approach will simply be used just to justify other, even more aggressive actions. Whether the final outcome will be a decline or an escalation in activity is not known."

However, what is known is that "in this complex landscape, it is becoming more and more important to have threat intelligence capabilities," Diaz said. "We don't mean just buying a service, but having the capabilities to digest what's going on with a broad perspective."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32089
PUBLISHED: 2021-05-11
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and c...
CVE-2020-24586
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted us...
CVE-2020-24587
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and...
CVE-2020-24588
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802....
CVE-2020-26139
PUBLISHED: 2021-05-11
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and...