Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label APT43. Show all posts

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27 believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore. 

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Checkpoint identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities. 

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.

APT43: Cyberespionage Group Targets Strategic Intelligence


APT43, also known as Kimsuky or Thallium, recently exposed by the Mandiant researchers, is a cyberespionage threat group supporting the objectives of the North Korean regime. By conducting credential harvesting attacks and successfully compromising its targets using social engineering, ATP43 concentrates on gathering strategic intelligence. 

Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency. 

In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus. 

Targets of APT43 

Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic. 

APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies. 

Spear Phishing and Social Engineering Techniques Used by APT 43 

Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing. 

In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials. 

According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file. 

Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine. 

Malware Families and Tools Used 

APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself. 

How can you Protect Yourself from the APT43 Security Threat? 

Here, we have listed some measures that could ensure protection against  malicious APT43 attacks: 

  • Educate users about the social engineering techniques used by APT43 and Archipelago.  
  • Train users to detect phishing attempts and report them immediately to their security staff. 
  • Use security solutions to detect phishing emails or malware infection attempts. 
  • Keep operating systems and software up to date and patched. 

Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.