APT actors up their game; is it only a government concern or do enterprises need to pay more attention?

News by Davey Winder

CISOs roll their eyes when they hear 'APT', or say they're not a real threat to most organisations, but they are on the rise, and their hacking techniques do pose a threat as they get weaponised by cyber-criminals.

The advanced persistent threat (APT) attack has, for the longest time, been associated with nation-state actors with either a political or financial motive. While government and military targets might nicely slot into the former motivation, commercial enterprises most certainly fulfilled the latter and often blurred the boundaries between the two.
After all, a vendor providing parts to a manufacturer of weapons might be a source of both actionable data and a route into the networks of the more valuable manufacturer itself. Often, much emphasis has been placed upon the advanced part of the APT acronym when, in fact, persistence has always been key to this attack methodology. The latest "APT Q3 2019 Trends" report from Kaspersky would appear to confirm this assumption. 
According to Kaspersky, there has been an increase in APT activity across the third quarter of the year, and an increase in the usage of previously unknown malicious toolsets. The common denominator being the desire to remain undetected and so enable that persistence at the heart of every APT campaign.
Picked out by Kaspersky as deserving of particular attention is the Turla group, also known as Venomous Bear, Uroburos and Waterbug, which it says, "with some degree of confidence," started using a new .NET-based backdoor called Tunnus. This has "the ability to run commands or perform file actions on an infected system and send the results to its command-and-control servers," the report states.
Turla has also been spotted wrapping its KopiLuwak malware in a new .NET dropper called Topinambour. Two KopiLuwak analogues, a .NET Trojan called RocketMan and a PowerShell Trojan known as MiamiBeach, both used for cyber-espionage purposes, help dodge detection by targets using security solutions that can detect KopiLuwak itself. 
"Just as we predicted last year, in seeking to evade detection, threat actors refresh their toolsets and go into deep waters," says Vicente Diaz, a security researcher with the Kaspersky Global Research and Analysis Team. "This is a challenge for researchers," Diaz continues, "when a new campaign is observed, it’s not always immediately clear whether the tools used are the result of an established threat actor revamping its tools, or a completely new threat actor making use of the tools developed by an existing APT group."
SC Media UK asked the wider security professional community just how much of a real-world threat these APT actors are to the average enterprise outside of the government and military sectors?
"The security industry has spent time understanding APTs and linking them into larger security frameworks, such as the Mitre Framework, which sets out to define attacks and threats so that defences can be more accurately modelled," says Richard Archdeacon, advisory CISO at Duo Security, who adds that while CISOs and their teams are always looking for relevant information that will support their programmes, the term APT is overused. "Even if it's accurate," Archdeacon warns, "CISOs tend to roll their eyes when they hear it."
Which Joseph Carson, chief security scientist at Thycotic, doesn't seem to see as much of a problem. "APTs are absolutely not a real threat to most organisations," Carson told SC Media UK, "however, they can learn from the hacking techniques used as over time they tend to get weaponised by cyber-criminals who then reuse those techniques for financially motivated attacks, which then do target most organisations." Of course, Carson concedes that if your organisation is affiliated with a government agency, politically associated or part of critical infrastructure then "you do need to be concerned about APTs and assess your business risks associated with such threats."
David Grout, CTO (EMEA) at FireEye disagrees. "Every C-level executive and board member must know and understand the risk when it comes to APT groups," Grout insists, "too many businesses are under the impression that only government organisations are at risk of being targeted by an APT." Europe has, after all, become something of a hub for innovation with start-ups, universities and businesses ploughing investment into next generation technologies. This makes them "attractive targets for APT groups and cyber-espionage," Grout warns.
The truth of the matter, then, is that the average enterprise is at risk from all sorts of attack groups and methodologies, and that can include those with purely criminal intent as well as the more politically-motivated threat actors. "Considering the immense burden of legacy systems, difficulties of running up to date software and the lack of visibility into what is actually going on," says Daniel Goldberg, senior security researcher at Guardicore, "enterprises are, and will continue to be, compromised by any group that puts in a modest effort over time."
Which makes the concluding comment from Richard Cassidy, senior director of security strategy at Exabeam, all the more pertinent: "It's not APT groups we should worry about. It's poor security practices and lack of data analysis controls. This is the reason APTs find success in the first place."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews