Connect with us

Hi, what are you looking for?


Network Security

How Next-Gen Threats Are Taking a Page From APTs

Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime.

One of the ongoing threats that defenders have to deal with is APTs: advanced persistent threats. APT attackers use more complex tactics to compromise networks than a typical attacker might, such as the deployment of a Trojan or other straightforward software. For instance, an APT attacker may employ complex espionage techniques over an extended period of time and involve numerous individuals inside an organization to achieve their ultimate objective.

Although a company of any size could become a target, high-profile APT attacks have generally targeted notable companies, critical infrastructure or governments. However, we’re seeing these types of attacks being used beyond these specific types of targets, and it’s alarming that traditional cybercrime organizations are now using them, too. And what we’re increasingly seeing is that not only are these threats evolving, but bad actors are learning from these techniques and applying them to other types of attack methods.

The evolution of APTs

Wiper malware is a good illustration of how APT-style activities and common cybercrime are converging. Wipers are a tool that we frequently see nation-state actors using, whereas non-APT criminal groups typically disseminate malware like ransomware.

We saw this expand significantly last year. We observed a revival of wiper malware in the first half of last year, and this devastating attack strategy only expanded its beachhead in the second half.  Our FortiGuard Labs researchers saw that the spread of wiper malware into new nations caused a 53% increase in wiper activity between the third and fourth quarters of 2022.

Even though wiper malware was initially developed and spread by nation-state APT actors, especially in tandem with the Russia-Ukraine war, we are now witnessing its scaling and global deployment. Cybercriminal organizations are increasingly using these novel strains in their expanding Cybercrime-as-a-Service (CaaS) network. The threat posed by wiper malware is now more pervasive than ever, and all companies, are possible targets. Additionally, cybercriminals are currently creating their own wiper software, which is being used effortlessly throughout CaaS organizations.

It’s not just wipers that are taking a page from APTs

Advertisement. Scroll to continue reading.

As well as the converging threats that attackers use to accomplish their new, more destructive objectives, broad cybercrime attack playbooks are also becoming more targeted. This is a change within conventional cybercrime, as typically it’s APT groups that are known for their focused playbooks.

Our security research team has recently noticed two important developments in this space. The first is SideCopy’s stealthy work. The SideCopy APT organization is well-known for using comparable TTPs (Tactics, Techniques and Procedures) and sometimes the same infrastructures as another group from Pakistan called “Transparent Tribe.” SideCopy has been known to be a branch of Transparent Tribe. The gang was purportedly given the name “SideCopy” because they used an infection chain that was lifted from the well-known Indian threat actor group SideWinder in an effort to elude detection. Though SideCopy mostly targets Windows systems, there are claim that they have infected Mac and Linux computers with malware.

The second is Donot APT, also called SectorE02 and APT-C-35. Since at least 2016, this threat actor has targeted businesses and people in Sri Lanka, Bangladesh, Nepal and Pakistan. To find its victims, Donot uses spear-phishing emails armed with malicious documents.

We have seen that the gang continues to target its victims with malicious documents. In the beginning of 2023, we saw this actor using maldocs. The majority of the maldocs we found date back to about 2021, but all of them were tied to domains registered within the last 30 days. This shows that the threat actor used previously created maldocs for their campaign in February and March 2023.

Staying ahead of evolution

Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime. They’re investing more time on reconnaissance and working to turn emerging technologies into weapons. Their attacks are shifting toward being of a more targeted nature, using precision techniques.

There is no one answer or quick fix for safeguarding your firm from this kind of activity, as is true with other security concerns. Making proactive, behavioral-based detections based on up-to-date, real-time threat data is still one of the best preventative actions you can take. Equipped with this useful intelligence, organizations will be in a better position to protect themselves against threat actors’ toolkits. Protecting the edges of hybrid networks requires integrated, AI and ML-driven cybersecurity platforms with superior detection and response capabilities, supported by actionable threat intelligence. And whether users are on site or remote, zero-trust network access (ZTNA) is essential for protecting access to apps wherever work or learning are happening.

The defender’s response

Due to the expansion of CaaS, security teams will continue to face a high volume of threats that are becoming more complex and boast new variants. Organizations must concentrate on integrating their security technologies and deploying their own tools and tactics, as outlined above, to defend their networks against the evolution of advanced persistent threats.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...