Vertical Target Series: Basic Materials and Government

Critical infrastructure verticals, such as Basic Materials and Government, are attractive targets for cybercriminals and advanced persistent threat (APT) groups. Organizations in these verticals, such as government agencies and metal, mining, and chemical companies, often maintain sensitive data that could be of interest to other government bodies. In addition, a significant disruption or destruction of the availability and integrity of businesses in these verticals could negatively impact consumer confidence, as well as social, political, and economic services. Cybercriminals such as ransomware groups frequently target these companies because organizations in these verticals cannot afford significant downtime without rippling effects on the target countries’ economic stability; therefore, these actors are more likely to receive a ransom payment. Both outsider and insider threats are noteworthy. This white paper focuses on the threat actors assessed to pose the biggest threat to Basic Materials and Government entities.

An APT group is a malicious actor who is believed to possess significant and dynamic skills, have virtually unlimited resources, and conduct highly targeted attacks. APT groups have more strategic intentions and often aim to gain initial access and remain undetected for long periods of time—allowing the threat group to steal credentials and sensitive information, as well as deploy backdoors on victim networks. The information targeted from these organizations includes data that would be of strategic interest to foreign governments and larger strategic organizations. APT groups have a significant history of targeting government agencies to collect sensitive information that could be used to gain a strategic advantage for other governments. There are known exceptions in which APT groups also carry out blatant destructive attacks using data and file wiping malware, rather than data exfiltration. The overall intent of APT groups is strategic, rather than financially driven.

As opposed to APT groups, ransomware cybercriminal campaigns focus on the encryption or destruction of files and folders on the targeted endpoint or across the network. Ransomware syndicates have constantly shifted tactics to remain relevant, including rebranding, leveraging known and benign (legitimate) tools to maintain persistence, and building an ecosystem around their own affiliate groups and programs. Such an ecosystem may include hosting and building their own tools, forums, and leak pages.

This blog leverages the Adversary Risk Matrix developed by Optiv’s Global Threat Intelligence Center (gTIC) - a multi-faceted, qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The matrix considers known and assessed non-technical capabilities and intentions.

Basic Materials

Basic Materials is not a vertical that is often thought of as a whole – it includes the Chemical, Metals & Mining, and Paper & Forest verticals. Each of these separate industries is an integral part of the economy, which is why the Basic Materials vertical is an attractive target for both APT and ransomware groups. This vertical faces threats from external actors, natural hazards, and insider threats. Most organizations in the Basic Materials vertical, such as chemical organizations, rely on older operational technology with cybersecurity guidance that has not been updated in more than a decade.

Three of the APT groups observed targeting the Basic Materials vertical are Lazarus Group (aka Labyrinth Chollima, Group 77, Hidden Cobra, Appleworm), Winnti Group (aka BlackFly, Group 72), and APT37 (aka Reaper, Thallium, InkySquid, Ricochet Chollima).

APT37

APT37 (aka Reaper, Thallium, InkySquid, Ricochet Chollima) has been active since 2012. APT37-attributed operations have been linked to North Korea based on the group’s targeting profile, insight into the group’s malware development, and probable links to a North Korean individual believed to be the developer of several of APT37’s proprietary malware families.

In 2018, APT37 was attributed with a campaign targeting multiple organizations, including chemical organizations, in South Korea and Japan. The group distributed malware through torrent file-sharing sites, exploited vulnerabilities in the Hangul Word Processor and Adobe Flash, and leveraged several zero-day exploits in Microsoft Office. APT37’s campaign was likely intended to collect information, such as trade secrets and credentials, that would be of strategic interest to the North Korean government.

Figure 1: Adversary Risk Matrix score for APT37

Alphv

Alphv (aka BlackCat) is a ransomware variant that has been active since at least November 2021. The variant is operated as a Ransomware-as-a-Service (RaaS) operation, meaning the developers lease the ransomware to affiliates interested in conducting cyber extortion. Affiliates earn 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments over $3 million. Affiliates are often recruited through Russian-speaking cybercriminal forums. Initial access vectors include compromised RDP, phishing attacks, stolen credentials, and vulnerability exploitation.

Alphv claimed responsibility for the ransomware attack targeting Copper Mountain Mining Corporation. The attack occurred in 2022. However, the company was named in January 2023. In April 2023, the Alphv group claimed responsibility for a ransomware attack targeting Dalumi Group, a leading organization in the diamond and jewelry industry. In 2022, the group targeted Sumitomo Bakelite USA in a ransomware attack and listed the company on their data leak site.

Figure 2: Adversary Risk Matrix score for Alphv Ransomware

Government

Government agencies and institutions are an attractive target for both APT and cybercriminal groups for multiple reasons. Government agencies are responsible for an incredibly large amount of sensitive data—from personal information on citizens to classified government operations information. Because government agencies are also more likely to have information that other countries can use to benefit their own operations, they are targets for politically motivated attacks. Government agencies and institutions offer many publicly available services to their citizens, and disruptions of those services can be detrimental to the economy and trust the public has in their government. Cyberattacks, both state-sponsored and cybercriminal, can have a significant, long-lasting impact on government agencies and institutions.

The APT groups known to target the Government vertical include APT29 (aka Cozy Bear, Iron Hemlock, Cloaked Ursa), APT28 (aka Fighting Ursa, Fancy Bear, Strontium), APT36 (aka Transparent Tribe, Earth Karkaddon, Mythic Leopard), APT32 (aka OceanLotus, Ocean Buffalo, Tin Woodlawn), APT34 (aka OilRig, Cobalt Gypsy, Helix Kitten), and Turla (aka Venomous Bear, WaterBug, Iron Hunter).

Turla

Turla (aka Waterbug, Uroboros, Snake, Venomous Bear) is an APT group that has been active since at least 2004; however, the group has been attributed with an attack dating back to 1996. Since then, Turla has consistently evolved, using customized backdoor malware, malware droppers, and remote-access tools to achieve its objectives. Turla has been attributed to the Russian Federal Security Service (FSB). In 2019, Turla was attributed with infiltrating the computer network operations infrastructure of APT34, which resulted in the takeover of that network.

In 2019, the group deployed Topinambour malware against government entities and used PowerShell scripts that provided direct, in-memory loading and execution of malware executables and libraries against government and diplomatic entities. In 2021, Turla was attributed with deploying a new backdoor on a server belonging to a Ministry of Foreign Affairs in Eastern Europe. The malware, dubbed NETVulture, was deployed along with TurlaChopper, a modified version of the China Chopper web shell.

Figure 3: Adversary Risk Matrix score for Turla

Vice Society

Vice Society ransomware was first discovered in June 2021 and uses the double extortion method of stealing victim data and threatening to leak the data if the ransom is not paid. Vice Society has previously deployed third-party ransomware payloads, such as HelloKitty, Five Hands, RedAlert, and Zeppelin ransomware. However, in December 2022, it was reported that the Vice Society group had created their own custom variant, dubbed PolyVice.

Throughout 2022, Vice Society targeted multiple government institutions, including the Ministry of Agriculture of the Republic of Indonesia, the city of Suhl in Germany, and the Agency for Environmental Protection of the Marche Region.

Figure 4: Adversary Risk Matrix score for Vice Society Ransomware

The Outlook

Both the Basic Materials and Government verticals are attractive targets for APT and cybercriminal groups due to the criticality of their operations and data to the economy, the public, and strategic political interests. Despite many defensive frameworks and policies that basic materials and government institutions have adopted to improve security, organizations in these verticals remain vulnerable to ransomware operations due to the high-value information, company revenues, and critical nature of these organizations. These factors contribute to the likelihood of ransom payments or negotiations.

State-backed and cybercriminal APT groups and campaigns usually involve data and systems destruction via wiper malware or exfiltration of sensitive information for espionage and data harvesting campaigns. Optiv’s Global Threat Intelligence Center (gTIC) assesses with high confidence that the motivation behind targeting these companies is for strategic economic and political gain by collecting sensitive information or outright disrupting or destroying Information Technology and Operational Technology (IT/OT) systems.

The gTIC assesses with high confidence that both cybercriminal and state-sponsored groups will continue to leverage known vulnerabilities in popular software and services that provide elevated privileges and access to sensitive data. Many of these tools and exploits have been in use for years and are usually available on open-source repositories and forums. The techniques will likely continue to rely on internal risks that may not have been known or remediated by the victim organization. Failing to enable Multi-Factor Authentication (MFA), failing to enforce a least-privilege user policy, and leaving ports and services (e.g., Remote Desktop Protocol [RDP], Server Message Block [SMB], Universal Plug and Play [UPnP]) exposed and insecure allow easy access through simple brute-force and credential-guessing attacks.

Optiv’s gTIC assesses with moderate confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is low, the Government vertical has a historical record of being targeted by state-sponsored APT groups.

Geopolitics is one of the main driving factors of APT activity. As countries continue to engage in conflict and search for ways to make economic advancements, APT activity will likely continue over the next 12 months. There has been a spike in APT activity since the beginning of the Russia/Ukraine war. We have observed APT groups employing what Optiv’s gTIC refers to as a “weakest-link” approach to reconnaissance and initial access in most campaigns. This includes opportunistic phishing campaigns with malicious Microsoft Office attachments or malicious links distributed to multiple organizations and potential victims, as well as the exploitation of older (2+ years) vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange, and Oracle WebLogic. It is likely that APT and ransomware groups will continue to target the Basic Materials and Government verticals over the next 12 months.

There’s More

Unfortunately, it is not exactly breaking news that APT and ransomware groups are targeting the Basic Materials and Government verticals. But if you’re interested in learning how this all ties together, how these groups overlap, and how protecting your organizations from one of these threats helps mitigate the threat from the others, check out our white paper vertical series: gTIC Vertical Series: Basic Materials and Government.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.