A government agency or a business could be the target, and the information could be stolen or used to do additional harm. When attempting to penetrate a high-value target, an APT may be launched against the systems of one entity. APTs have been reported to be carried out by both state actors and private criminals. 

Several organizations closely monitor the threat actor groups that pose these APTs. CrowdStrike, a security company that monitors over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive infiltration efforts between year 2020 and 2021. Nation-state espionage activities are now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.

An APT comprises of mainly three main reasons: 

1. Network infiltration 
2. The expansion of the attacker’s presence 
3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is established to both evade detection and acquire sensitive information, each of these steps may entail several steps and be patiently carried out over an extended period of time.

Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly. 

APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators. 

Investigating teams may as well have close relationships with state-intelligence agencies, leading some to raise questions pertaining to the objectivity of their findings. 

Amidst this, the tactics, techniques, and procedures (TTPs) of APTs are up for constant updates, in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence. 

List of key threats

New APTs based on advanced techniques are, by nature, generally operating yet being undetected. Additionally, quite challenging attacks continue to be carried out against organizations, long after they were first detected (for instance, SolarWinds). 

Moreover, fresh common trends and patterns are constantly being identified and duplicated, unless a means is discovered in order to render them ineffective. Listed below are some of the major trends in APTs, identified by a Russian internet security firm ‘Kaspersky’: 

• The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

• Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

• More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

• Continued exploitation of work-from-home (WFH): With the emerging WFH arrangements since the year 2020, hacker groups will continue targeting employees’ remote systems, until those systems are potent enough to combat exploitation. 

• Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, (especially in Africa): With the constantly diminishing geopolitical situation, globally, espionage is emerging rapidly in areas where systems and communications are the most vulnerable. 

APT Identification and Management Practices: 

Since APTs are designed to be covert, facilitated, backed by constant advancement, and illicit traffic in zero-day exploits, it becomes intrinsically challenging to detect them. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets. 

Following are 5 recommendations for avoiding and identifying APT intrusion: 

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay closer attention to the operation of security analyst and security community posting, which keeps a check on the APT groups, since they look for activities pertaining to indications of threat group actions, or that of an activity group and threat actors; as well as activities that indicate a potential intrusion or cyber-campaigns. 

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: In order to identify APTs, one may as well use existing security tools like endpoint protection, network prevention systems, firewalls, and email protection. 

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it can signify for the target organisation. These technologies can help a management team identify potential attackers and determine their possible objectives.  

The threat actor reportedly targeted computer systems in the past Memorial Day. The hack may impact patient information, particularly the data the fire district transported between the years 2007 and 2019, says South Walton Fire District officials. 

While the officials confirmed that no information so far has been leaked, a thorough investigation of the incident is ongoing. The district officials as well are taking additional precautionary measures in order to secure the leaked information of the patients. 

Details of The Ransomware Attack 

On Memorial Day, SWFD discovered that someone had encrypted their dispatch system's data, acquired temporary access, and left a ransom note. 

“In essence, what somebody had done was get access to the system, encrypted the data, and left a ransom note for us to, basically, pay that ransom in order to get that data back […] Fortunately, internally we have a pretty robust mechanism in place to do backups. So we never had to engage that threat actor to gain that data back. We were able to re-install that data and be back up and running in about a day and a half,” says South Walton Fire District Fire Chief Ryan Crawford. 

Chief Crawford mentions that immediate measures were put into action after the district learned about the attack, by calling in federal, state, and local law enforcement. He says that they are continuously working on newer methods and technologies against threat actors in order to secure data. 

“We have already taken a number of additional layers of protection to try and mitigate the issue and prevent further instances like this from occurring,” says Crawford. 

Describing one of the cautionary measures, Crawford says, “One of the easiest ways is to take those archived medical records completely offline […] And so now, you know, those are really accessible to us for when people do public records requests and those sorts of things, it now requires us to go into the room where that server is located to pull that information rather than doing that remote.”

In addition to this, SWFD has also established a toll-free call center to solve queries regarding the incident and address related concerns. The call center agents can be reached at 1-800-939-4170 from 8 a.m. to 8 p.m. Central Time, Monday through Friday.  

Z

According to Trend Micro’s report, the primary targets of the phishing attacks, between May and October 2022 included entities of countries of the Asia Pacific region like Myanmar, Australia, The Philippines, Japan, and Taiwan. 

Mustang Panda, also known as Bronze President, Earth Preta, HoneyMyte, or Red Lich, is an espionage threat actor based in China. The group is said to be active since July 2018 and is known for utilizing malware like China Chopper and PlugX in order to obtain data illegally. 

Attributes of the Phishing Attack 

The attacks involve spear-phishing emails and messages distributed via Google accounts. The fraudulent emails enticed target users, deceiving them into downloading malicious custom malware through the Google drive links. 

During the investigation, researchers found that Mustang Panda used messages consisting of geopolitical subjects, with around 84% of the attacks being targeted at governmental/ legal organizations. 

The attached link apparently directed the target users to a Google Drive or Dropbox folder, in order to evade suspicion. Furthermore, the link directed users to download RAR, ZIP, and JAR compressed files that may include malware variants like ToneShell, Tonelns, and Pubload. 

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," says researchers Nick Dai, Vickie Su, and Sunny Lu. 

Although the hackers utilized a variety of malware-loading methods, the process mainly required DLL side-loading once the target ran the executable contained in the archives. 

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” explained Trend Micro researchers.  "Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."    

The parent company of brands like Cadbury, Oreo, Ritz, and Triscuit, ‘Mondelez’ was in fact impacted by NotPetya, where the manufacturing factories and production were interrupted, taking days for the companies’ staff to regain control of their computer systems. The business filed a claim for $100 million in losses to Zurich American, its property and liability insurer. Zurich, after initially agreeing to pay a portion of the claim — $10 million, later withheld payment, claiming the attack was an act of war and hence not covered by the policy. Mondelez later initiated legal action. 

Later, Mondelez and Zurich America allegedly agreed on the original claim of $100 million, but it was not until Merck's $1.4 billion lawsuit against Ace American Insurance Company for its NotPetya-related damages had been successful in January 2022. The claims made by Merck did not pertain to a cyber insurance policy, but rather to its property and casualty policy. 

Back in the year 2017, while cyber insurance policy was still a budding idea, several company giants filed claims for the exploit pertaining to NotPetya – the one due to which an exploit of an estimated $10 billion happened worldwide – against company assets and casualty policies. 

What Has Changed? 

Before the course of the COVID-19 pandemic, until 2020, these cyber insurance policies were being sold in a similar manner as that of a typical home or auto policy, where the company was the least concerned about their cybersecurity profile, or the tools they would use in order to secure and defend its network or data, or its general cyber hygiene. 

But since numerous ransomware attacks hit the organizations that were built off of lax cybersecurity, insurance carriers eventually started altering their requirements, prioritizing their requirements to acquire such policies, says Alla Valente, senior analyst at Forrester Research. 

Currently, the business model for cyber insurance is substantially distinctive from other policies, marking the cyber insurance policies of 2017 as obsolete. 

What is an “Act of War”? 

Every sort of insurance policy, including cyber insurance policies, has a "War Exclusion." A war exclusion clause generally says that no damages resulting from hostile or warlike activities by a state or its agents are covered. Usually, this exclusion is applicable to a “hot war,” like the one we have witnessed in Ukraine in recent times. Although, courts are beginning to consider cyberattacks as potential acts of war, without the declaration of war or any land troop, aircraft, or any material battlefield. The state-sponsored attacks themselves constitute a war footing, as noted by the carriers. 

The terms of cyber policies from Lloyd's of London will now change in April 2023, excluding liability losses brought on by state-sponsored cyberattacks. As stated by Tony Chaudhry, Lloyd’s underwriting director, in a Market Bulletin published in August 2022, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage." 

In regards to this, Forrester's Valente notes that businesses may have to keep their large cash deposits aside if they ever face a state-sponsored attack. Only if the insurance carriers are successful in claiming in court that a state-sponsored attack is, by definition, an act of war, no business will then have coverage unless they specifically negotiate that into the contract to eliminate the exclusion. 

Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg says that, when purchasing cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms,"

"Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms," he adds.  

Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyber warfare are far more complex. In the world of state-sponsored cybercrime, it is not just the government intelligence agencies that are directly carrying out attacks, but these days one can witness attacks from organized cybercriminal organizations that have ties to a nation-state. 

These organizations are known as advanced persistent threat (APT) groups. The infamous APT-28, also known as Fancy Bear, which hacked the Democratic National Committee in the year 2016 is an excellent example of this type of espionage operation. In a way, this serves as the ideal cover for malicious state actors who want to attack and disrupt vital infrastructure while lowering the potential for generating a geopolitical crisis or military conflict. 

If the Enemy Is in Range, So Are You 

Whether a cyberattack is directly linked to a foreign government agency, attacks on critical infrastructure can have devastating repercussions. Critical infrastructure does not just refer to state-owned and operated infrastructures such as power grids and government organizations - banks, large corporations, and Internet service providers all fall under the umbrella of critical infrastructure targets. 

As governments and private organizations continue to adopt advanced and connected IT networks, the risks and potential consequences will only increase. Recent research by the University of Michigan found security vulnerabilities in local traffic light systems. Although the flaw has subsequently been patched, this emphasizes the significance of robust, up-to-date inbuilt security systems to protect infrastructure against cyberattacks. 

Defend Now or Be Conquered Later 

With the rise in advancement and complexity in networks, the chance that vulnerabilities can be exploited as well increases exponentially. Every single endpoint on the network must be constantly monitored and secured if organizations are to have any chance of surviving a sophisticated state-backed attack. 

Some organizations are seen learning this lesson the hard way. For instance, in 2017, US food giant Mondelez was denied a $100 million insurance payout after suffering a Russian ATP cyberattack, since the attack was assumed to be “an act of war” and was not included in the firm’s cybersecurity policy. The conglomerate and Zurich Insurance recently rectified this issue on undisclosed terms.

Endpoint security has never been more critical than it is today. The use of personal mobile devices as a work tool has become pervasive across almost every single industry. This rise in the bring-your-own-devices policy has in part been driven by the false assumption that mobile devices are inherently more secure than desktops. 

However, for over 10 years, various governments and ATP groups with potential cyber capabilities have adapted to and exploited the mobile threat landscape with extremely low detection rates. Attacks on the state and public mobile networks can take down large parts of the workforce, impacting productivity and disrupting everything from the government’s decision-making to the state’s economy. 

IT and security managing experts may not be the ones preventing the inevitable cyberattacks or cyber war, but they can defend themselves against major setbacks. If a device is connected to the infrastructure, physically or virtually, it has become a potential back door for cybercriminals to access the data and disrupt operations. Thus, if organizations want to avoid being victims of potential cyberwarfare, endpoint security should be a priority in conducting operations, from mobiles to desktops.

North Korean Hackers Strike Again

Earlier this week, North Korea tried to get access to the systems of an Israeli company that does business in the field of cryptocurrency and extracts the money that Pyongyang planned to use for its nuclear program. 

The hacking attack was done by North Koreans disguising themselves as the company's Japanese supplier. The hacking attempt was immediately caught by cybersecurity personnel from the "Konfidas" agency, which was able to stop the hack. 

Malicious files used to get control over systems

Authorities say the attempt was sophisticated and professional, unique tools were used- something that caught the eye of concerned authorities in Israel. 

The attacks do not happen overnight. There is a pattern behind the operation of most attacks, in the first step, the hacker does a conversation with the person on the other end, and gains your trust. After that, the hacker sends a malicious file containing the virus which is aimed to infiltrate the computer. 

Once the file reaches the computer, it will start spreading out on the network and access financial assets or data that the hacker wants, and in the end, can do whatever he wishes. 

Ransom motive behind the attack

Ransom demands generally happen in financial attacks, threat actors behind them are cyber criminals who intend to steal data and ask for ransom in exchange for not leaking the data and releasing the systems. 

In this particular incident, the North Korean mode of operation is a pattern in which the actors simply spy, steal money, and vanish. There is no user interaction except that he has to open the malicious files which allow the hacker to take control of the systems. 

North Korean hacking patterns

North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs. 

The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets to be sent to other blockchains. Following the theft, the activities by threat actors suggest that they may be linked to North Korea. Experts believe these actors to be highly skilled in the field of cyber penetration attacks.