Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

SOC

12/10/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

APTs in 2018: A Mix of Old & New

Established threat groups and new players alike made for an active APTs scene this year, according to researchers with Kaspersky Lab.

The picture of advanced persistent threats (APTs) in 2018 has been one of established threat groups such as Sofacy and Turla continuing their work, an Olympic Destroyer attack that was among the most sophisticated false flags, the re-emergence of some bad actors that had been absent from the scene, the rise of new players, and a growing effort by governments to slow the number of attacks by naming suspected culprits.

In their report, "APT Review of the Year," researchers with Kaspersky Lab noted that getting a clear view of all the key developments in this area of security is difficult because "everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them."

However, it's important to understand what happened in 2018 to get a better idea of what to expect as the calendar turns to 2019, according to Vicente Diaz, security researcher at Kaspersky Lab Global Research and Analysis Team.

"We believe that APT activity is becoming part of the operations of every nation-state," Diaz told Security Now in an email. "Such activity includes different agencies working in parallel, different groups offering their services, and external companies selling their tools. All of this results in a picture where older, well-established actors are thinking about new, more sophisticated ways of achieving their objectives and silently moving away from the noisy wave of newcomers. The rapid increase in the number of new actors also means that there is an increasing number of potential targets. This is reality, and although it is complex, it is necessary for defenders to understand how it is evolving so that we can fight against it."

The threat groups behind many of these APTs were a mix of large, known actors, new ones and some that had returned after a period of hibernation.

Familiar names
The first included several known Russian-speaking groups such as Sofacy, Trula and CozyBear. Sofacy appeared to be the most active, being seen by Kaspersky researchers in various operations throughout 2018 and updating their tools. The campaigns included Gamefish, an update of its DealersChoice framework and the malware attack on Computrace's LoJack technology for PCs via a UEFI-type rootkit. In addition, the Zebrocy tool used by Sofacy saw a range of improvements, convincing the researchers that others may have been using and building on it.

Sofacy also is suspected of being involved in the OlympicDestroyer false flag operation. (See Olympic Destroyer Returns With Attacks in Europe.)

Turla was found using LightNeuron targeting Exchange servers, a backdoor that had been used to infect Germany's Foreign Office in 2017 and a new variant of its Carbon malware. In addition, Cozy Bear -- also known as CozyDuke -- was detected last month targeting diplomatic and governmental entities in Europe.

Some groups that had been out of circulation emerged in 2018, including Kimsuky, DarkHotel, LuckyMouse and APT10 (which was suspected to be behind the OceanSalt campaign) in Southeast Asia and Middle East groups like Prince of Persia, OilRig, MuddyWaters and GazaTeam. (See McAfee: Seasalt Malware Raises Its Head Again.)

New groups also sprang up, including an array of bad actors in Southeast Asia like ShaggyPanther, Sidewinder, CardinalLizard and TropicTrooper.

"As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives," the researchers wrote in their report. "They are usually interested in regional targets, with their main objectives being governmental and also military."

Other new groups include LazyMerkaats, FruityArmor and OpParliament in the Middle East and DustSquad, ParkingBear and Gallmaker in Eastern Europe.

New goals
The researchers also noted a shift in targets of many of the APT groups mentioned, writing that even if some of the activity "doesn't seem that technically advanced, it doesn't mean it isn't effective. Looking back, we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data."

To combat the APT campaigns, governments took to publicly identifying suspects in a "naming and shaming" effort.

For example, US officials released details of the North Korean citizen they said was part of the Lazarus group behind the attack on Sony and the WannaCry ransomware. In addition, the Justice Department indicted Russian citizens and officers of Russia's GRU as part of the investigation into the country's interference into US elections.

However, it's unclear how effective the naming-and-shaming campaigns are, Kaspersky's Diaz said.

"We shall see," he said. "Although we cannot know for sure, it seems as if the previous US-China agreement [of 2015] slowed down APT activity. The 'naming and shaming' strategy is much more aggressive, since it makes public details of different attacks. It is not clear how well this might work in reducing attacks, or whether the approach will simply be used just to justify other, even more aggressive actions. Whether the final outcome will be a decline or an escalation in activity is not known."

However, what is known is that "in this complex landscape, it is becoming more and more important to have threat intelligence capabilities," Diaz said. "We don't mean just buying a service, but having the capabilities to digest what's going on with a broad perspective."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26246
PUBLISHED: 2020-12-03
Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website settings without having the appropriate permissions.
CVE-2020-29279
PUBLISHED: 2020-12-02
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
CVE-2020-29280
PUBLISHED: 2020-12-02
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
CVE-2020-29282
PUBLISHED: 2020-12-02
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
CVE-2020-29283
PUBLISHED: 2020-12-02
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.