The number of Advanced Persistent Threats, or APTs, targeting groups and organizations in Asia and the Middle East dramatically increased during the first three months of the year. This pattern includes an attack targeting the 2018 Winter Olympics in South Korea, according to a new report from Kaspersky Labs.
Of the 27 different reports Kaspersky tracked during the first quarter of this year, about 27% of APTs happened in Asia, including the Olympic Destroyer attack that targeted the Pyeongchang games in February. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues .)
APTs are typically associated with governments and nation-states and these attacks are usually associated with either ongoing espionage schemes or long-term attempts to steal sensitive data.
In an email to Security Now, Vicente Diaz, principal security researcher for Kaspersky Lab Global Research & Analysis, wrote that APTs and the groups behind them try to cover their tracks through a host of different techniques. These include using generic tools, or the nation-states themselves hiring tools from external companies. In addition, APTs are asking third parties to participate in information gathering operations or having small external groups dedicated to certain campaigns.
Combined, these make APTs hard to track.
"Attributing attacks is becoming increasingly difficult -- sometimes we are only able to get a few language traces, and sometimes the artifacts and TTPs [Tactics, Techniques and Procedures] used by attackers might provide additional clues," Diaz wrote. "Generally speaking, victims are a good method for us to understand the purpose of a given campaign and what the attacker's interest might be, which sometimes might align with nation-states."
In many cases, Kaspersky found the groups behind these attacks favored targeting routers. In one case, the firm found attackers targeting routers made by Mikrotik and using the hardware as an infection vector as a way to get to the ultimate victim of the attack.
By examining these APTs, Kaspersky found that the threats are growing in sophistication and scope. At the same time, different tools and capabilities are making cyberespionage easier.
In its April 12 blog, Kasperksy noted:
We have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers are becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities.
For example, Kaspersky found that many APTs now take advantage of Microsoft PowerShell and have used that as a resource to spread malware. (See Nasties Abound: Symantec's Q3 Threat Report.)
While APTs have boomed in Asia, the Middle East has seen a significant increase as well. The report points to one group, dubbed StrongPity APT, which launched several Man-in-the-Middle (MiM) attacks targeting IPS networks in that region.
The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!
Overall, Kaspersky researchers identified three new APTs groups during the first quarter of 2018. These included:
- A Chinese-speaking group dubbed Shaggypanther, which appears to have been targeting government entities in Taiwan and Malaysia since at least 2008. This APT typically uses encrypted payloads in the registry keys.
- The second group is called Sidewinder and has mainly focused on Pakistan military targets since 2012. This APT has exploited known vulnerabilities in Microsoft Office -- specifically CVE-2017-11882 -- as well as using PowerShell payloads.
- Finally, Kaspersky found a Chinese-speaking group called CardinalLizard. Since 2014, this APT has focused on Philippines, Russia, Mongolia and Malaysia and uses customized malware that features anti-detection and anti-emulation technology.
Finally, Kaspersky also looked at the side-channel vulnerabilities found earlier this year in x86 microprocessors called Spectre and Meltdown. The company noted that although the big chipmakers, Intel especially, have been issuing patches, there's no real way to fix these issues. (See Intel Will Leave Some Chips Without Spectre Patch.)
However, the report noted that no attacks targeting the Spectre and Meltdown vulnerabilities have not been found in the wild, although Kaspersky did find some proof-of-concept designs.
Editor's note: This article was updated with additional information from Kaspersky.
— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR