While we often think of hackers as loners toiling away in their mother’s basement, the modern hacker is increasingly well resourced. Indeed, many of the best hackers in the world get their backing from state forces.

In The Hacker and the State, Georgetown University’s Ben Buchanan argues that rogue states, including China and North Korea, are becoming increasingly aggressive in utilizing cyberattacks to spread discord among their western foes.

Key highlights:

The advanced persistent threat report focuses on state-sponsored hacking

The report, which was based on activities observed during the second quarter of 2021, illustrates the lengths to which state-sponsored groups are going to cause havoc around the world.

The report highlights the activities of Nobelium and APT29, a Russian group that had conducted a prolonged email campaign against various embassies throughout Europe.

The attacks targeted several hundred different organizations, with a quarter believed to be directly working in human rights, international development, and humanitarian work.

Strontium is another notorious Russian group who shot to public infamy after targeting healthcare organizations involved in the development of vaccines.

Chinese activity

Chinese groups were also highly active, although much of their activity seemed to be focused on south-east Asia, where it was aimed at various telecom companies as well as government agencies.

The researchers identified APT31 (aka ZIRCONIUM), an intrusion set built on various compromised small-office routers. The group primarily targeted Pakedge routers, but its ultimate targets remain largely unknown at this stage.

The report also suggests that EdwardsPheasant campaigns continue to pose a threat throughout south-east Asia.

Another advanced persistent threat, BountyGlad, was identified in an attack on a certificate authority in Mongolia, in which the digital certificate management client software was replaced with a malicious downloader.

Methods used by the group are not particularly sophisticated, with past activity heavily reliant on spear phishing and Cobalt Strike malware.

The report outlines the growth in activity from state-backed groups in the Middle East. For instance, the researchers highlight the attack on the Israeli insurance firm Shirbit by BlackShadow. The attack was part of a wider body of work against Israeli targets, with the group believed to originate from Saudi Arabia.

Similarly, WildPressure is another group with an ongoing campaign against targets in the region. The researchers identified some new developments in the malware used by the group that warrant further observation over the coming year.

WIRTE is another group identified as active in the region. The researchers found that its main method of attack was the use of VBS/VBA implants, with most efforts aimed at government agencies.

The researchers note that the tactics, techniques, and procedures of state-backed hacking groups have been largely consistent over time, especially their heavy reliance on social engineering as an initial way to compromise an organization.

A changing landscape

The second quarter of 2021 saw a rise in the number of supply-chain attacks, and while many were high-profile enough to attract significant media attention, there was also growth in lower-profile and considerably lower-tech attacks, such as CoughingDown and BountyGlad.

Groups have also been increasingly willing to exploit software vulnerabilities to gain a foothold, with various zero-day exploits identified and used against software such as Microsoft Exchange Server.

Geopolitics is driving the activity of the various threat actors identified in the report.

It is now increasingly difficult to distinguish between the activities of threat actors and the foreign policy ambitions of the regimes that support them. Until the international community reaches an agreement on ending the cyber warfare that is increasingly rampant, it is a level of threat that only seems likely to grow in the coming year.

(Image Courtesy: www.home.sophos.com)
