APT (advanced persistent threat) operations saw an upsurge during the second quarter of 2018, particularly among groups based in Asia, and this includes both well-known and less familiar threat actors. Several groups targeted or timed their campaigns around sensitive geopolitical incidents, reports Kaspersky Lab in its latest quarterly threat intelligence summary.
New tools, techniques and campaigns were seen being launched by APT groups, some of which had been quiet for years. The Korean-speaking Lazarus and Scarcruft groups were particularly busy, and researchers discovered an implant called LightNeuron being used by the Russian-speaking Turla to target Central Asia and the Middle East.
Following its January 2018 attack against the Pyeongchang Winter Olympic Games, researchers discovered what they believed was new activity by the actor behind Olympic Destroyer, targeting financial organisations in Russia and biochemical threat prevention laboratories in Europe and Ukraine. Several indicators suggest a low-to-medium confidence link between Olympic Destroyer and the Russian-speaking threat actor Sofacy.
There were indications that Lazarus/BlueNoroff, the high-profile APT, was targeting financial institutions in Turkey as part of a bigger cyber-espionage campaign, as well as hitting casinos in Latin America. These operations suggest that financially motivated activity continues for this group, despite the ongoing North Korean peace talks.
LuckyMouse APT, a Chinese-speaking threat actor also known as APT 27, which had previously been observed abusing ISPs in Asia for watering-hole attacks through high-profile websites, was also found to be actively targeting Kazakh and Mongolian governmental entities around the time these governments held their meeting in China.
"The report has produced very interesting results in terms of APT activity during this year’s second quarter, providing yet another stark reminder of just how real the threats we predicted have become. One particular area of focus we have repeatedly tried to raise awareness of, in terms of its vulnerability to targeted attacks, is networking hardware. We are continuing to highlight the existence and spread of advanced activity that focuses on these devices," said David Emm, principal security researcher at Kaspersky Lab UK.
Sarb Sembhi, CTO and CISO of Virtually Informed, commented in an email to SC Media UK: "One of the most worrying aspects of the findings is that they are based on data in Q2 where new tools, techniques and campaigns have been discovered. In the same way that every data breach will teach new learning, the threat groups will have learnt a lot of useful information and have moved their thinking on much further than the defenders. The fact that these groups are so coordinated means that we should be predicting where they are attempting to focus their advancement and what they will be able to do with the advances unless we find responses to the advances made." He added that security vendors must use their resources to deal with tomorrow’s threats, not just yesterday’s.