In the first three months of 2019, Kaspersky Lab researchers observed an active landscape of advanced threat operations that was centered mainly on South East Asia, increasingly influenced by geopolitics, and which featured cryptocurrency and commercial spyware attacks as well as a major supply-chain campaign. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.
The quarterly APT trends summary is drawn from Kaspersky Lab’s private threat intelligence research, as well as from other sources, and highlights the main developments that researchers believe everyone should be aware of.
In the first quarter of 2019, Kaspersky Lab researchers observed a number of interesting new developments. The defining APT campaign reported during the quarter was operation ShadowHammer: an advanced, targeted campaign using the supply-chain for distribution on an incredibly wide scale, combined with carefully implemented techniques for the precision targeting of intended victims.
Further APT highlights in Q1, 2019 include:
Geopolitics featured as a key driver of APT activity – with often a clear correlation between political developments and targeted malicious activity.
South East Asia remained the most frenetically active region of the world in terms of APT activity, with more groups, more noise, and more sets of activity targeting the region than elsewhere.
Russian-speaking groups kept a low profile in comparison with recent years. This could be due to an element of internal restructuring, although there remained a steady drumbeat activity and malware distribution by Sofacy and Turla.
Chinese-speaking actors continued to maintain a high level of activity, combining both low and high sophistication depending on the campaign. For example, the group known to Kaspersky Lab as CactusPete, active since 2012, was observed in Q1 with new and updated tools, including new variants of downloaders and backdoors and an appropriated and then repackaged VBScript zero-day belonging to the DarkHotel group.
Providers of “commercial” malware available to governments and other entities seem to be thriving; researchers observed a new variant of FinSpy in the wild, as well as a LuckyMouse operation deploying leaked HackingTeam tools.
“Looking back at what has happened during a quarter is always a surprising experience. Even when we have the feeling that “nothing groundbreaking” has occurred, we uncover a threat landscape that is full of interesting stories and evolution on different fronts – including, in Q1, sophisticated supply chain attacks, attacks on cryptocurrency and geopolitical drivers. We know that our visibility is not complete, and there will be activity that we do not yet see or understand, so just because a region or sector doesn’t appear on our threat intelligence radar today doesn’t mean it won’t in the future. Protection against both known and unknown threats remains vital for everyone,” said Vicente Diaz, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.
The APT trends report for Q1 summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:
Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
As many targeted attacks start with phishing or other social engineering technique, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.