Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

SOC

12/10/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

APTs in 2018: A Mix of Old & New

Established threat groups and new players alike made for an active APTs scene this year, according to researchers with Kaspersky Lab.

The picture of advanced persistent threats (APTs) in 2018 has been one of established threat groups such as Sofacy and Turla continuing their work, an Olympic Destroyer attack that was among the most sophisticated false flags, the re-emergence of some bad actors that had been absent from the scene, the rise of new players, and a growing effort by governments to slow the number of attacks by naming suspected culprits.

In their report, "APT Review of the Year," researchers with Kaspersky Lab noted that getting a clear view of all the key developments in this area of security is difficult because "everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them."

However, it's important to understand what happened in 2018 to get a better idea of what to expect as the calendar turns to 2019, according to Vicente Diaz, security researcher at Kaspersky Lab Global Research and Analysis Team.

"We believe that APT activity is becoming part of the operations of every nation-state," Diaz told Security Now in an email. "Such activity includes different agencies working in parallel, different groups offering their services, and external companies selling their tools. All of this results in a picture where older, well-established actors are thinking about new, more sophisticated ways of achieving their objectives and silently moving away from the noisy wave of newcomers. The rapid increase in the number of new actors also means that there is an increasing number of potential targets. This is reality, and although it is complex, it is necessary for defenders to understand how it is evolving so that we can fight against it."

The threat groups behind many of these APTs were a mix of large, known actors, new ones and some that had returned after a period of hibernation.

Familiar names
The first included several known Russian-speaking groups such as Sofacy, Trula and CozyBear. Sofacy appeared to be the most active, being seen by Kaspersky researchers in various operations throughout 2018 and updating their tools. The campaigns included Gamefish, an update of its DealersChoice framework and the malware attack on Computrace's LoJack technology for PCs via a UEFI-type rootkit. In addition, the Zebrocy tool used by Sofacy saw a range of improvements, convincing the researchers that others may have been using and building on it.

Sofacy also is suspected of being involved in the OlympicDestroyer false flag operation. (See Olympic Destroyer Returns With Attacks in Europe.)

Turla was found using LightNeuron targeting Exchange servers, a backdoor that had been used to infect Germany's Foreign Office in 2017 and a new variant of its Carbon malware. In addition, Cozy Bear -- also known as CozyDuke -- was detected last month targeting diplomatic and governmental entities in Europe.

Some groups that had been out of circulation emerged in 2018, including Kimsuky, DarkHotel, LuckyMouse and APT10 (which was suspected to be behind the OceanSalt campaign) in Southeast Asia and Middle East groups like Prince of Persia, OilRig, MuddyWaters and GazaTeam. (See McAfee: Seasalt Malware Raises Its Head Again.)

New groups also sprang up, including an array of bad actors in Southeast Asia like ShaggyPanther, Sidewinder, CardinalLizard and TropicTrooper.

"As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives," the researchers wrote in their report. "They are usually interested in regional targets, with their main objectives being governmental and also military."

Other new groups include LazyMerkaats, FruityArmor and OpParliament in the Middle East and DustSquad, ParkingBear and Gallmaker in Eastern Europe.

New goals
The researchers also noted a shift in targets of many of the APT groups mentioned, writing that even if some of the activity "doesn't seem that technically advanced, it doesn't mean it isn't effective. Looking back, we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data."

To combat the APT campaigns, governments took to publicly identifying suspects in a "naming and shaming" effort.

For example, US officials released details of the North Korean citizen they said was part of the Lazarus group behind the attack on Sony and the WannaCry ransomware. In addition, the Justice Department indicted Russian citizens and officers of Russia's GRU as part of the investigation into the country's interference into US elections.

However, it's unclear how effective the naming-and-shaming campaigns are, Kaspersky's Diaz said.

"We shall see," he said. "Although we cannot know for sure, it seems as if the previous US-China agreement [of 2015] slowed down APT activity. The 'naming and shaming' strategy is much more aggressive, since it makes public details of different attacks. It is not clear how well this might work in reducing attacks, or whether the approach will simply be used just to justify other, even more aggressive actions. Whether the final outcome will be a decline or an escalation in activity is not known."

However, what is known is that "in this complex landscape, it is becoming more and more important to have threat intelligence capabilities," Diaz said. "We don't mean just buying a service, but having the capabilities to digest what's going on with a broad perspective."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25136
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though li...
CVE-2020-25135
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the graph_title parameter to the graphs/ URI.
CVE-2020-25134
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though li...
CVE-2020-25133
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though li...
CVE-2020-25132
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending the improper variable type Array allows a bypass of core SQL Inject...