Advanced Persistent Threat (APT) Groups: Boogeyman or Well-Funded Cybercriminal?

October 17, 2022

Advanced Persistent Threat (APT) Groups: Boogeyman or Well-Funded Cybercriminal?

 

Advanced persistent threat (APT) describes a non-opportunistic group that breaches organizations in a strategic, long-term manner with clear objectives. APT was coined in the early 2000s, and 22 years later, there are daily reports about new activity, monthly reports that cover activities and specific groups, and yearly reports that discuss trends.

 

While cybercrime is continuously increasing, it’s not nearly as threatening or ominous as when a report comes out about new APT activity. These cyberattacks are considered to be of the highest sophistication, using new tools that have never been reported, as well as elaborate techniques above and beyond the abilities of every other cybercriminal or group out there. But APT groups may not all be as scary and sophisticated as we believe. In this blog, we’ll dive into the tactics and techniques of APT groups and common tools observed during campaigns.

 

 

What are the Latest APT Examples?

In January 2022, Kimsuky, a Korean-speaking APT group, targeted a media company and think-tank in South Korea. The group gained Initial Access using a spear phishing email containing a macro-embedded Microsoft Word document. The attack resulted in an information stealing malware variant deployed on the victim network.

 

Starting in January 2022, Transparent Tribe, an APT group attributed to Pakistan, was observed targeting government workers in India for espionage activity. The threat actors lured victims to visit a fake website designed to appear as official repositories for Kavach, a secure authentication solution used by the Indian government. The victims were tricked into downloading and executing fake installers that downloaded a Trojan, dubbed Area51. Area51 could be used to deploy additional payloads, such as MumbaiRAT, CrimsonRAT and PeppyRAT.1

 

In May 2022, Microsoft disclosed the Follina vulnerability (CVE-2022-30190), a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT). In June 2022, Russia-attributed threat groups – Sandworm and APT28 – were observed targeting the vulnerability to gain Initial Access to media organizations in Ukraine.2

 

In July 2022, Turla, an APT group attributed to Russia’s Federal Security Service (FSB), was observed hosting Android apps on a domain spoofing the Ukrainian Azov Regiment. The apps were hosted on a domain controlled by the attacker and distributed via links on third-party messaging services. In this case, the installs were miniscule.

 

In August 2022, the North Korean threat group, Lazarus, was observed targeting Macs with Apple’s M1 chip. The group has been observed sending phishing emails with fake job opportunities. The emails contained a Mac executable camouflaged as a job description for an engineering manager position at the cryptocurrency exchange provider, Coinbase. The campaign by Lazarus has been ongoing for nearly three years.3

 

In November 2021, the FBI and CISA released an alert warning that Iranian government-sponsored APT actors were actively targeting a broad range of victims across multiple U.S. critical infrastructure verticals, including the transportation and health care industries. The APT groups were observed targeting multiple vulnerabilities in Fortinet products and Microsoft Exchange.4

 

  • In March 2021, an Iranian APT group were observed scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379 (CVSS score 9.8), and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591 (CVSS scores 9.8 and 6.5, respectively).
  • In October 2021, the Iranian-based APT group, Phosphorus (aka APT35, Charming Kitten, Newscaster, TA453, Magic Hound) leveraged a Microsoft Exchange ProxyShell vulnerability, CVE-2021-34473 (CVSS score 9.8) to gain access to systems to drop web shells that, eventually, led to the deployment of BitLocker ransomware.5

 

 

What do APT groups do?

Advanced cyber threat actors are observed to employ what we refer to as a “weakest-link” approach to Reconnaissance and Initial Access in most campaigns. These include opportunistic phishing campaigns with malicious Microsoft Office attachments or malicious links distributed to multiple organizations and potential victims, or the exploitation of older (2+ years) vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange and Oracle WebLogic.

 

APT groups are often the focus of security research and make headlines as highly sophisticated and complex; however, most of these attacks share tools and techniques which frequently overlap with techniques observed in common cybercriminal activity. We acknowledge there are exceptions amongst notable groups that modify or create bespoke post-exploitation malware, but it’s important to note that in most instances they achieve Initial Access, Persistence, Discovery, Credential Access and Lateral Movement via commonly observed tools and techniques.

 

Therefore, we performed manual research of process and behaviors observed and reported for 26 different APT groups from Iran, China, North Korea, Russia, Vietnam and Pakistan during an active campaign (see Table 1).

 

MITRE ATT&CK Technique Behavior Category Command/Process/Tool
T1566 – Phishing (Initial Access)
T1204 – User Execution (Execution)
T1589 – Gather Victim Identity Information (Reconnaissance)
T1598 – Phishing for Information (Reconnaissance)
Phishing emails with malicious attachments and links requiring users to enable macros or interact. Google Docs
Microsoft Office Documents
ISO Files
Embedded Links
T1583 – Acquire Information (Resource Development)
T1585 – Establish Accounts (Resource Development)
T1588 – Obtain Capabilities (Resource Development)
Attackers acquire accounts and tools to help conduct the attacks. Purchase servers
Dropbox
Google Drive
GitHub
Facebook/Twitter/LinkedIn
Mimikatz
Cobalt Strike
T1190 – Exploit Public-Facing Application (Initial Access)
T1133 – External Remote Services (Initial Access)
Attackers often exploit known vulnerabilities in external remote services and public-facing applications to gain access. Microsoft Exchange
Cisco
Fortigate VPN
Citrix
PulseSecure
Outlook Web Access
RDP
T1053 – Scheduled Task/Job (Execution)
T1112 – Modify Registry (Defense Evasion)
T1543 – Create or Modify System Process (Persistence)
T1055 – Privilege Injection (Privilege Escalation)
Utilize processes and scheduled tasks to repeatedly execute malicious payloads. StorSyncSvc
Nwsapagent
svchost.exe
Win7Elevate
Rundll32.exe
Windows task scheduler
schtasks
HKEY_CURRENT_USER\Software\Classes\
HKLM\SYSTEM\CurrentControlSet\services
T1547 – Boot or Logon Autostart Execution (Persistence)
T1543 – Create or Modify System Processes (Persistence)
T1546 – Event Trigger Execution (Persistence)
T1505 – Server Software Component (Persistence)
Attackers can gain persistence by using system mechanisms, creating processes, servers and boot/logon to execute events and malware deployments. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost WMI C:\Windows\System32\sethc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"="pserver32.dll"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1
T1078 – Valid Accounts (Initial Access)
T1110 – Brute Force (Credential Access)
T1003 – OS Credential Dumping (Credential Access)
T1552 – Unsecured Credentials (Credential Access)
T1555 – Credentials from Password Stores (Credential Access)
Obtain credentials that allow attackers to use valid accounts to conduct malicious activities. Mimikatz
PsExec
Wmic
Ncrack
CrackMapExec
GetPassword_x64
ProcDump
ntdsutil.exe
Gpppassword
T1562 – Impair Defenses (Defense Evasion) Stop/disable Windows and AV services cmd.exe /c sc.exe stop*/y
cmd.exe taskkill /im *
net.exe stop * /y
net stop security center
net stop WinDefend
T1564 – Hide Artifacts (Defense Evasion)
T1036 – Masquerading (Defense Evasion)
T1070 – Indicator Removal on Host (Defense Evasion)
Hide or manipulate features of artifacts to appear legitimate; delete or modify artifacts to remove evident of their presence. HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v -WindowStyle Hidden
esentutl
mshta.exe
wscript.exe
\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager
Remove-MailboxExportRequest
KernelCallbackTable
wevtutil cl System
wevtutil cl Security
T1087 – Account Discovery (Discovery)
T1083 – File and Directory Discovery (Discovery)
T1082 – System Information Discovery (Discovery)
T1018 – Remote system Discovery (Discovery)
T1057 – Process Discovery (Discovery)
T1016 – System Network Configuration Discovery (Discovery)
T1033 – System Owner/User Discovery (Discovery)
T1046 – Network Service Discovery (Discovery)
T1049 – System Network Connections Discovery (Discovery)
Network/Directory/User Reconnaissance & Enumeration Get-ManagementRoleAssignment
net user
net localgroup administrators
net.exe users
ipconfig /all >> %temp%\download
NBTscan
AdFind
Net View
Ping
PlugX
"cmd.exe" /C whoami
Systeminfo
file /bin/pwd
tasklist /v
T1005 – Data from Local System (Collection)
T1074 – Data Staged (Collection)
T1056 – Input Capture (Collection)
Attackers collect, stage and capture data from the system and user inputs. Forfiles
Cobalt Strike
njRAT
C:\Program Files\Common Files\System\Ole DB\
%TEMP%
KEYLIME
GEARSHIFT
Cobalt Strike
MECHANICAL
SetWindowsHookE
T1041 – Exfiltration Over C2 Channel (Exfiltration)
T1567 – Exfiltration Over Web Service (Exfiltration)
Attacker use known public services to stage and exfiltrate data to their servers. Google Drive
GitHub
OneDrive
DropBox
HTTP
HTTP POSTS

 

Along with similar techniques, many APT groups are using the same methods to gain access to organizations’ networks. Software vulnerabilities, phishing attacks, Initial Access Brokers, unsecured RDP servers and supply chain attacks remain the most common Initial Access vectors. Unsurprisingly, these Initial Access vectors do not differ from cybercriminal activity observed in ransomware and other malware attacks.

 

 

Custom Malware and Tools

APT groups are known for their use of custom malware, such as APT33’s (aka: Holmium, Elfin) DROPSHOT and APT3’s (aka: Gothic Panda, Buckeye, Pirpi) COOKIECUTTER. Unlike most cybercriminal groups, APT groups are trained, well financed and typically have a long-term goal that’s obtained by using customized tools to remain undetected. However, during our research, we found that most of the groups use the same tools and processes that cybercriminal groups use during attacks to obtain credentials, elevate privileges and move laterally through the network. Many of the common tools observed are listed here:

 

  • Mimikatz
  • LaZagne
  • Empire
  • Cobalt Strike
  • AdFind
  • Ipconfig
  • Netstat
  • Ping
  • RDP
  • SMB
  • PsExec
  • Pwdump
  • Net
  • Dropbox
  • GitHub
  • BITSAdmin
  • Metasploit
  • CrackMapExec
  • ProcDump
  • Windows Credential Editor

 

 

Looking Forward

We assess with High Confidence that APT groups will remain a relevant threat to organizations in critical verticals, such as industrials, government, education, and health care over the next 12 months. Regions Likely to be targeted by APT groups include the United States, Hong Kong, China (notably the Xinjiang region), Japan, South Korea, Vietnam, Cambodia, Brazil, the Middle East and North Africa (MENA) region, India, East Africa, Afghanistan, Ukraine, Germany, the Netherlands and Belgium. These cyber-espionage campaigns will Likely originate from neighboring countries and domestically be repressive governments with an active history of APT espionage and disruptive activity. Additionally, we assess with Moderate Confidence that APT adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months.

 

Geopolitics is one of the main driving factors of APT activity, and as countries continue to have conflict and search for ways to make economic advancements, APT activity will Likely continue over the next 12 months. There has been a spike in APT activity since the beginning of the Russia/Ukraine war. It is Likely that as the war continues, the APT activity targeting Russia, Ukraine and Ukraine-supporting countries will continue over the next 12 months. It is Likely that Western countries will remain an attractive target for espionage attacks by APT groups for valuable information related to industrial services, government, energy, health care, education and utilities verticals over the next 12 months.

 

 

Advanced Persistent Threat Prevention

As with many other cyberattacks, an organization’s planning should occur before an attack takes place. Following an attack, organizations should refer to their respective incident response and business continuity plans. Optiv’s gTIC makes the following recommendations on mitigation:

 

  • Assume that your organization is going to be targeted.
  • Prioritize patching based on a few considerations, which include:

    • the impact the vulnerability has on the organization’s data
    • the types and number of systems affected
    • the access level required to exploit the vulnerability
    • how widely known the vulnerability is in the community

  • Threat actors have previously been observed targeting vulnerabilities within 24 hours of disclosure.


  • Ensure RDP servers and ports are disabled if not in use or kept behind an RDP gateway.
  • Maintain strong and unique passwords that are not reused across multiple accounts or after being reset. SMB, WMI and Windows Remote Management/PowerShell Remoting should have all inbound traffic blocked; however, if that is not possible, they should be configured with specific IP address exceptions and protected behind a firewall.
  • Enable MFA for access to OWA and other login portals, virtual private networks (VPN) clients and servers and critical systems with sensitive data.
  • Implement an incident response plan that includes processes for conducting incident response, notifying the appropriate team members and contacting law enforcement if necessary.
  • Implement a damage recovery and business continuity plan (DR/BC) to ensure smooth restoration of operations.
  • Enable least-privilege policies and blacklists or whitelists for tools, software and applications. These prevent employees and adversaries from downloading and installing unauthorized software and deter adversaries from running administrator-level processes and commands on infected devices.
  • Ensure that data is backed up and multiple iterations of the backups are saved and segregated. There are many methods to complete this – such as the 3-2-1 or 3-2-2 method. Additionally, organizations should ensure offline backups are maintained, updated regularly and tested to confirm they can be used in the event of a cyberattack.
  • Create a robust security awareness program that trains employees on signs of phishing emails and how and when to report suspicious emails to an incident response authority.

 

 

References:

 

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.