Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

SOC

12/10/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

APTs in 2018: A Mix of Old & New

Established threat groups and new players alike made for an active APTs scene this year, according to researchers with Kaspersky Lab.

The picture of advanced persistent threats (APTs) in 2018 has been one of established threat groups such as Sofacy and Turla continuing their work, an Olympic Destroyer attack that was among the most sophisticated false flags, the re-emergence of some bad actors that had been absent from the scene, the rise of new players, and a growing effort by governments to slow the number of attacks by naming suspected culprits.

In their report, "APT Review of the Year," researchers with Kaspersky Lab noted that getting a clear view of all the key developments in this area of security is difficult because "everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them."

However, it's important to understand what happened in 2018 to get a better idea of what to expect as the calendar turns to 2019, according to Vicente Diaz, security researcher at Kaspersky Lab Global Research and Analysis Team.

"We believe that APT activity is becoming part of the operations of every nation-state," Diaz told Security Now in an email. "Such activity includes different agencies working in parallel, different groups offering their services, and external companies selling their tools. All of this results in a picture where older, well-established actors are thinking about new, more sophisticated ways of achieving their objectives and silently moving away from the noisy wave of newcomers. The rapid increase in the number of new actors also means that there is an increasing number of potential targets. This is reality, and although it is complex, it is necessary for defenders to understand how it is evolving so that we can fight against it."

The threat groups behind many of these APTs were a mix of large, known actors, new ones and some that had returned after a period of hibernation.

Familiar names
The first included several known Russian-speaking groups such as Sofacy, Trula and CozyBear. Sofacy appeared to be the most active, being seen by Kaspersky researchers in various operations throughout 2018 and updating their tools. The campaigns included Gamefish, an update of its DealersChoice framework and the malware attack on Computrace's LoJack technology for PCs via a UEFI-type rootkit. In addition, the Zebrocy tool used by Sofacy saw a range of improvements, convincing the researchers that others may have been using and building on it.

Sofacy also is suspected of being involved in the OlympicDestroyer false flag operation. (See Olympic Destroyer Returns With Attacks in Europe.)

Turla was found using LightNeuron targeting Exchange servers, a backdoor that had been used to infect Germany's Foreign Office in 2017 and a new variant of its Carbon malware. In addition, Cozy Bear -- also known as CozyDuke -- was detected last month targeting diplomatic and governmental entities in Europe.

Some groups that had been out of circulation emerged in 2018, including Kimsuky, DarkHotel, LuckyMouse and APT10 (which was suspected to be behind the OceanSalt campaign) in Southeast Asia and Middle East groups like Prince of Persia, OilRig, MuddyWaters and GazaTeam. (See McAfee: Seasalt Malware Raises Its Head Again.)

New groups also sprang up, including an array of bad actors in Southeast Asia like ShaggyPanther, Sidewinder, CardinalLizard and TropicTrooper.

"As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives," the researchers wrote in their report. "They are usually interested in regional targets, with their main objectives being governmental and also military."

Other new groups include LazyMerkaats, FruityArmor and OpParliament in the Middle East and DustSquad, ParkingBear and Gallmaker in Eastern Europe.

New goals
The researchers also noted a shift in targets of many of the APT groups mentioned, writing that even if some of the activity "doesn't seem that technically advanced, it doesn't mean it isn't effective. Looking back, we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data."

To combat the APT campaigns, governments took to publicly identifying suspects in a "naming and shaming" effort.

For example, US officials released details of the North Korean citizen they said was part of the Lazarus group behind the attack on Sony and the WannaCry ransomware. In addition, the Justice Department indicted Russian citizens and officers of Russia's GRU as part of the investigation into the country's interference into US elections.

However, it's unclear how effective the naming-and-shaming campaigns are, Kaspersky's Diaz said.

"We shall see," he said. "Although we cannot know for sure, it seems as if the previous US-China agreement [of 2015] slowed down APT activity. The 'naming and shaming' strategy is much more aggressive, since it makes public details of different attacks. It is not clear how well this might work in reducing attacks, or whether the approach will simply be used just to justify other, even more aggressive actions. Whether the final outcome will be a decline or an escalation in activity is not known."

However, what is known is that "in this complex landscape, it is becoming more and more important to have threat intelligence capabilities," Diaz said. "We don't mean just buying a service, but having the capabilities to digest what's going on with a broad perspective."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14318
PUBLISHED: 2020-12-03
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
CVE-2020-2320
PUBLISHED: 2020-12-03
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
CVE-2020-2321
PUBLISHED: 2020-12-03
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
CVE-2020-2322
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVE-2020-2323
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.