SecurityWeek

Network Security

How Next-Gen Threats Are Taking a Page From APTs

Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime.

One of the ongoing threats that defenders have to deal with is APTs: advanced persistent threats. APT attackers use more complex tactics to compromise networks than a typical attacker might, such as the deployment of a Trojan or other straightforward software. For instance, an APT attacker may employ complex espionage techniques over an extended period of time and involve numerous individuals inside an organization to achieve their ultimate objective.

Although a company of any size could become a target, high-profile APT attacks have generally targeted notable companies, critical infrastructure or governments. However, we’re seeing these types of attacks being used beyond these specific types of targets, and it’s alarming that traditional cybercrime organizations are now using them, too. And what we’re increasingly seeing is that not only are these threats evolving, but bad actors are learning from these techniques and applying them to other types of attack methods.

The evolution of APTs

Wiper malware is a good illustration of how APT-style activities and common cybercrime are converging. Wipers are a tool that we frequently see nation-state actors using, whereas non-APT criminal groups typically disseminate malware like ransomware.

We saw this expand significantly last year. We observed a revival of wiper malware in the first half of last year, and this devastating attack strategy only expanded its beachhead in the second half. Our FortiGuard Labs researchers saw that the spread of wiper malware into new nations caused a 53% increase in wiper activity between the third and fourth quarters of 2022.

Even though wiper malware was initially developed and spread by nation-state APT actors, especially in tandem with the Russia-Ukraine war, we are now witnessing its scaling and global deployment. Cybercriminal organizations are increasingly using these novel strains in their expanding Cybercrime-as-a-Service (CaaS) network. The threat posed by wiper malware is now more pervasive than ever, and all companies are possible targets. Additionally, cybercriminals are now creating their own wiper software, which is being used readily throughout CaaS organizations.

It’s not just wipers that are taking a page from APTs

As well as the converging threats that attackers use to accomplish their new, more destructive objectives, broad cybercrime attack playbooks are also becoming more targeted. This is a change within conventional cybercrime, as typically it’s APT groups that are known for their focused playbooks.


Our security research team has recently noticed two important developments in this space. The first is SideCopy’s stealthy work. The SideCopy APT organization is well-known for using comparable TTPs (Tactics, Techniques and Procedures) and sometimes the same infrastructure as another group from Pakistan called “Transparent Tribe.” SideCopy has been known to be a branch of Transparent Tribe. The gang was purportedly given the name “SideCopy” because it used an infection chain that was lifted from the well-known Indian threat actor group SideWinder in an effort to elude detection. Though SideCopy mostly targets Windows systems, there are claims that it has infected Mac and Linux computers with malware.

The second is Donot APT, also called SectorE02 and APT-C-35. Since at least 2016, this threat actor has targeted businesses and people in Sri Lanka, Bangladesh, Nepal and Pakistan. To find its victims, Donot uses spear-phishing emails armed with malicious documents.

We have seen that the gang continues to target its victims with malicious documents. At the beginning of 2023, we saw this actor using maldocs. The majority of the maldocs we found date back to about 2021, but all of them were tied to domains registered within the last 30 days. This shows that the threat actor reused previously created maldocs for its campaign in February and March 2023.
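The age mismatch described above (lure documents whose metadata dates to around 2021, reaching out to domains registered within the last 30 days) can be turned into a simple triage heuristic for a sandbox or mail-gateway pipeline. The following is an added example, not code from the article or from FortiGuard Labs; the document names, domains, dates and the 365-day and 30-day thresholds are constructed for illustration. It also handles the case the article does not spell out: a document or registration timestamp that lies in the future relative to the observation date, which means the metadata cannot be trusted rather than that the lure is fresh.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LureRecord:
    """One maldoc observation: the document's creation date from its metadata
    plus the registration date of the domain the document contacts.
    All field values in this example are constructed sample data."""
    doc_name: str
    doc_created: date
    domain: str
    domain_registered: date


def classify(rec: LureRecord, observed: date,
             old_doc_days: int = 365, new_domain_days: int = 30) -> str:
    """Return a triage verdict for one record.

    'reused-lure'  : old document, newly registered domain (the pattern the
                     article describes for the Donot campaign)
    'new-infra'    : newly registered domain, but the document is recent too
    'clock-skew'   : a timestamp lies in the future relative to the
                     observation date; metadata can be forged or the clock
                     wrong, so neither age is trusted
    'unremarkable' : nothing in the age relationship stands out
    The thresholds are assumptions chosen for illustration.
    """
    doc_age = (observed - rec.doc_created).days
    domain_age = (observed - rec.domain_registered).days
    if doc_age < 0 or domain_age < 0:
        return "clock-skew"
    if domain_age <= new_domain_days:
        return "reused-lure" if doc_age >= old_doc_days else "new-infra"
    return "unremarkable"


def triage(records, observed: date):
    """Map each document name to its verdict, and group document names by
    domain so an analyst can pivot from one newly registered domain to
    every lure that uses it."""
    verdicts = {r.doc_name: classify(r, observed) for r in records}
    by_domain = {}
    for r in records:
        by_domain.setdefault(r.domain, []).append(r.doc_name)
    return verdicts, by_domain


# Constructed sample records; names, domains and dates are placeholders,
# not indicators from any real campaign (.test is a reserved TLD).
SAMPLE = [
    LureRecord("invoice_2021.doc", date(2021, 3, 10), "example-lure-a.test", date(2023, 2, 20)),
    LureRecord("agenda_feb.doc", date(2023, 2, 25), "example-lure-a.test", date(2023, 2, 20)),
    LureRecord("report_old.doc", date(2021, 6, 1), "example-old.test", date(2020, 1, 15)),
    LureRecord("future.doc", date(2023, 4, 1), "example-lure-b.test", date(2023, 2, 28)),
]
OBSERVED = date(2023, 3, 1)  # assumed analysis date

if __name__ == "__main__":
    verdicts, by_domain = triage(SAMPLE, OBSERVED)
    for name, verdict in verdicts.items():
        print(f"{name:20} {verdict}")
    for domain, docs in by_domain.items():
        print(f"{domain:22} -> {', '.join(docs)}")
```

In practice the document date would come from the file's metadata (OLE or OOXML core properties) and the domain date from a WHOIS or RDAP lookup; the heuristic is a prioritisation aid, since a forged creation date or a privacy-shielded registration can move a record into the wrong bucket.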

Staying ahead of evolution

Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime. They’re investing more time on reconnaissance and working to turn emerging technologies into weapons. Their attacks are shifting toward being of a more targeted nature, using precision techniques.

There is no one answer or quick fix for safeguarding your firm from this kind of activity, as is true with other security concerns. Making proactive, behavioral-based detections based on up-to-date, real-time threat data is still one of the best preventative actions you can take. Equipped with this useful intelligence, organizations will be in a better position to protect themselves against threat actors’ toolkits. Protecting the edges of hybrid networks requires integrated, AI and ML-driven cybersecurity platforms with superior detection and response capabilities, supported by actionable threat intelligence. And whether users are on site or remote, zero-trust network access (ZTNA) is essential for protecting access to apps wherever work or learning are happening.

The defender’s response

Due to the expansion of CaaS, security teams will continue to face a high volume of threats that are becoming more complex and boast new variants. Organizations must concentrate on integrating their security technologies and deploying their own tools and tactics, as outlined above, to defend their networks against the evolution of advanced persistent threats.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
