Researchers Spot APTs Targeting Small Business MSPs

Proofpoint warns that APT actors linked to Russia, Iran and North Korea are increasingly targeting small- and medium-sized businesses.

Security researchers at Proofpoint have spotted signs of advanced threat actors targeting small- and medium-sized businesses and the service providers in that ecosystem.

In a new report, the researchers warned of a series of escalating threats to SMBs from well-resourced APT groups and called attention to the risk of supply chain attacks from compromised managed service providers.

The warning from Proofpoint is particularly distressing because small- and medium-sized businesses often lack dedicated security teams and are considered sitting ducks for malware attacks.

The company identified three prominent trends: compromised SMB infrastructure being used in malicious phishing campaigns, regional SMB targeting by state-affiliated actors for financial theft, and the targeting of regional Managed Service Providers (MSPs) for downstream supply chain attacks. 

According to data examined by Proofpoint, the APT actors specifically targeting SMBs include threat actors aligned with the Russian, Iranian, and North Korean state interests. 

“These skilled threat actors are well-funded entities associated with a particular strategic mission that can include espionage, intellectual property theft, destructive attacks, state-sponsored financial theft, and disinformation campaigns. While more rare and often much more targeted than cybercrime activity, Proofpoint data indicates that APT actors remain interested in SMB targets that align with their broader mandates,” the company said.

“This means that some of the most formidable cyber threat actors in the landscape maintain an interest in targeting businesses that are commonly under-protected against cyber security threats such as phishing campaigns,” Proofpoint added. 


The report also flagged a noticeable trend of APT actors targeting regional MSPs to initiate and facilitate supply chain attacks.  

“APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end user environments,” Proofpoint said, pointing to a notable case that occurred in early 2023 when TA450, attributed to Iran’s Ministry of Intelligence and Security, targeted two Israeli regional MSPs and IT support businesses via a phishing email campaign.

The data shows that Iran-based APT groups are focused on targeting regional technology providers in order to reach downstream SMB users, with supply chain attacks that originate at the vulnerable regional MSPs.

Related: Ransomware Attack Confirms MSPs Are Prime Targets

Related: Symantec: Chinese APT Group Targeting Global MSPs

Related: Chinese Hackers Spy on U.S. Law Firm, Major Norwegian MSP

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
