October 17, 2022
Advanced persistent threat (APT) describes a non-opportunistic group that breaches organizations in a strategic, long-term manner with clear objectives. The term APT was coined in the early 2000s, and 22 years later there are daily reports about new activity, monthly reports that cover activities and specific groups, and yearly reports that discuss trends.
While cybercrime is continuously increasing, it’s not nearly as threatening or ominous as when a report comes out about new APT activity. These cyberattacks are considered to be of the highest sophistication, using new tools that have never been reported, as well as elaborate techniques above and beyond the abilities of every other cybercriminal or group out there. But APT groups may not all be as scary and sophisticated as we believe. In this blog, we’ll dive into the tactics and techniques of APT groups and common tools observed during campaigns.
In January 2022, Kimsuky, a Korean-speaking APT group, targeted a media company and think-tank in South Korea. The group gained Initial Access using a spear phishing email containing a macro-embedded Microsoft Word document. The attack resulted in an information stealing malware variant deployed on the victim network.
Starting in January 2022, Transparent Tribe, an APT group attributed to Pakistan, was observed targeting government workers in India for espionage activity. The threat actors lured victims to visit a fake website designed to appear as official repositories for Kavach, a secure authentication solution used by the Indian government. The victims were tricked into downloading and executing fake installers that downloaded a Trojan, dubbed Area51. Area51 could be used to deploy additional payloads, such as MumbaiRAT, CrimsonRAT and PeppyRAT.[1]
In May 2022, Microsoft disclosed the Follina vulnerability (CVE-2022-30190), a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT). In June 2022, Russia-attributed threat groups – Sandworm and APT28 – were observed targeting the vulnerability to gain Initial Access to media organizations in Ukraine.[2]
In July 2022, Turla, an APT group attributed to Russia’s Federal Security Service (FSB), was observed hosting Android apps on a domain spoofing the Ukrainian Azov Regiment. The apps were hosted on a domain controlled by the attacker and distributed via links on third-party messaging services. In this case, the number of installs was minuscule.
In August 2022, the North Korean threat group, Lazarus, was observed targeting Macs with Apple’s M1 chip. The group has been observed sending phishing emails with fake job opportunities. The emails contained a Mac executable camouflaged as a job description for an engineering manager position at the cryptocurrency exchange provider, Coinbase. The campaign by Lazarus has been ongoing for nearly three years.[3]
In November 2021, the FBI and CISA released an alert warning that Iranian government-sponsored APT actors were actively targeting a broad range of victims across multiple U.S. critical infrastructure verticals, including the transportation and health care industries. The APT groups were observed targeting multiple vulnerabilities in Fortinet products and Microsoft Exchange.[4]
Advanced cyber threat actors are observed to employ what we refer to as a “weakest-link” approach to Reconnaissance and Initial Access in most campaigns. These include opportunistic phishing campaigns with malicious Microsoft Office attachments or malicious links distributed to multiple organizations and potential victims, or the exploitation of older (2+ years) vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange and Oracle WebLogic.
APT groups are often the focus of security research and make headlines as highly sophisticated and complex; however, most of these attacks share tools and techniques which frequently overlap with techniques observed in common cybercriminal activity. We acknowledge there are exceptions amongst notable groups that modify or create bespoke post-exploitation malware, but it’s important to note that in most instances they achieve Initial Access, Persistence, Discovery, Credential Access and Lateral Movement via commonly observed tools and techniques.
Therefore, we performed manual research of the processes and behaviors observed and reported for 26 different APT groups from Iran, China, North Korea, Russia, Vietnam and Pakistan during an active campaign (see Table 1).
Along with similar techniques, many APT groups are using the same methods to gain access to organizations’ networks. Software vulnerabilities, phishing attacks, Initial Access Brokers, unsecured RDP servers and supply chain attacks remain the most common Initial Access vectors. Unsurprisingly, these Initial Access vectors do not differ from cybercriminal activity observed in ransomware and other malware attacks.
APT groups are known for their use of custom malware, such as APT33’s (aka: Holmium, Elfin) DROPSHOT and APT3’s (aka: Gothic Panda, Buckeye, Pirpi) COOKIECUTTER. Unlike most cybercriminal groups, APT groups are trained, well financed and typically have a long-term goal that’s obtained by using customized tools to remain undetected. However, during our research, we found that most of the groups use the same tools and processes that cybercriminal groups use during attacks to obtain credentials, elevate privileges and move laterally through the network. Many of the common tools observed are listed here:
We assess with High Confidence that APT groups will remain a relevant threat to organizations in critical verticals, such as industrials, government, education, and health care over the next 12 months. Regions Likely to be targeted by APT groups include the United States, Hong Kong, China (notably the Xinjiang region), Japan, South Korea, Vietnam, Cambodia, Brazil, the Middle East and North Africa (MENA) region, India, East Africa, Afghanistan, Ukraine, Germany, the Netherlands and Belgium. These cyber-espionage campaigns will Likely originate from neighboring countries and, domestically, from repressive governments with an active history of APT espionage and disruptive activity. Additionally, we assess with Moderate Confidence that APT adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months.
Geopolitics is one of the main driving factors of APT activity, and as countries continue to have conflict and search for ways to make economic advancements, APT activity will Likely continue over the next 12 months. There has been a spike in APT activity since the beginning of the Russia/Ukraine war. It is Likely that as the war continues, the APT activity targeting Russia, Ukraine and Ukraine-supporting countries will continue over the next 12 months. It is Likely that Western countries will remain an attractive target for espionage attacks by APT groups for valuable information related to industrial services, government, energy, health care, education and utilities verticals over the next 12 months.
As with many other cyberattacks, an organization’s planning should occur before an attack takes place. Following an attack, organizations should refer to their respective incident response and business continuity plans. Optiv’s gTIC makes the following recommendations on mitigation:
Threat actors have previously been observed targeting vulnerabilities within 24 hours of disclosure.
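The post's two timing observations, that APT actors favor public-facing software with vulnerabilities older than two years and that they have exploited new disclosures within 24 hours, can be turned into a simple patch-triage rule. The following is an added example (not gTIC's tooling or code from the original post); the asset names, the two placeholder CVE identifiers and the patch states are constructed, and the Follina disclosure date of 2022-05-30 is an assumption.

```python
from dataclasses import dataclass
from datetime import date

LEGACY_DAYS = 730  # the post's "older (2+ years)" weakest-link window
FRESH_DAYS = 1     # the post's observation of targeting within 24 hours of disclosure


@dataclass
class Finding:
    """One vulnerability affecting one public-facing asset (constructed data below)."""
    asset: str
    product: str
    cve: str
    disclosed: date
    patched: bool


def classify(finding: Finding, today: date) -> str:
    """Label a finding by how it maps onto the initial-access patterns in the post."""
    if finding.patched:
        return "patched"
    age_days = (today - finding.disclosed).days
    if age_days <= FRESH_DAYS:
        return "zero-day-window"   # disclosed within the last day: actors move this fast
    if age_days >= LEGACY_DAYS:
        return "legacy-exposed"    # the 2+ year-old bugs most APT campaigns actually use
    return "exposed"


def prioritize(findings, today: date):
    """Return (class, asset, cve) tuples for unpatched findings, most urgent first.

    Fresh disclosures lead, then long-unpatched legacy bugs, then everything else;
    within a class, the oldest exposure comes first.
    """
    rank = {"zero-day-window": 0, "legacy-exposed": 1, "exposed": 2}
    open_items = [(classify(f, today), f) for f in findings if not f.patched]
    open_items.sort(key=lambda cf: (rank[cf[0]], -(today - cf[1].disclosed).days))
    return [(cls, f.asset, f.cve) for cls, f in open_items]


# Constructed sample inventory; CVE-0000-OLD and CVE-0000-NEW are placeholders.
TODAY = date(2022, 10, 17)
SAMPLE = [
    Finding("exchange-01", "Microsoft Exchange", "CVE-0000-OLD", date(2020, 1, 15), False),
    Finding("ws-gold-image", "Windows (MSDT)", "CVE-2022-30190", date(2022, 5, 30), False),
    Finding("rdp-01", "RDP gateway", "CVE-0000-NEW", date(2022, 10, 16), False),
    Finding("weblogic-01", "Oracle WebLogic", "CVE-0000-OLD", date(2019, 6, 1), True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(row)
```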