Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
We often think of advanced persistent threats or APTs as threats primarily targeting governments for cyber espionage, but they could have just as much impact on the private sector. Oftentimes, both the techniques and the tooling used overlap between APTs and financially-motivated cybercriminals, and some APT groups themselves have taken to moonlighting as cybercriminals for profit.
Indeed, ongoing research has shown that various North Korean APTs have been funding their country’s nuclear program and espionage activities with stolen cryptocurrency, while Russian APTs have been using Russian-speaking ransomware and hacktivist groups as proxies to further their causes. Nation-states also often outsource cyber espionage efforts to groups that are hard to classify as purely APTs or purely financially motivated. These third parties use well-known attack vectors so that nation-states can keep expensive, hard-to-discover vulnerabilities to themselves.
China’s APT41 exemplifies this overlap, having targeted public and private organizations, including those in healthcare, high-tech, and telecommunications industries. Recently, Lookout Threat Lab researchers made publicly available their Threat Advisory Service analysis of two mobile malware families associated with the group, called WyrmSpy and DragonEgg, shedding light on their mobile capabilities.
It’s essential to recognize that APTs and organized cybercrime use similar techniques in their attack process. Whether it’s financially motivated threat actors targeting a victim’s bank account or APT groups conducting reconnaissance to enable further operations, many attacks start by targeting mobile devices because those devices commonly lack protection and are relatively easy targets for social engineering. By understanding the expanding reach of APT activities, you can help reduce the risks they pose to your organization.
What are APT attacks and how do they impact enterprises?
APTs are sophisticated cyber groups that are often controlled or sponsored by nation states. They typically employ various techniques such as custom malware, social engineering, zero- or n-day exploits and more for cyber espionage purposes. Their objectives range from gaining unauthorized access to an organization’s network, stealing valuable intelligence or intellectual property, injecting malicious code into a company’s product, to conducting targeted surveillance on individuals. However, there have also been instances where APTs have targeted organizations for financial gain.
A prominent example is the aforementioned APT41, whose members were indicted in 2020 by the U.S. government for compromising over 100 organizations and individuals across the public and private sectors. In the following years, APT41 continued to conduct financially-motivated attacks, such as stealing $20 million in COVID relief benefits from U.S. state governments.
It’s notable that the same methods used for financial gain were also observed to be employed in activities aligned with China’s national interests. This illustrates how APT groups like APT41 can operate with multiple objectives, highlighting the complex nature of their motivations and actions in the cyber landscape.
Implications of APT attacks on the private sector
Economic impact
APT attacks can manifest in various forms, including theft of sensitive data, disruption of operations, and intellectual property theft. Private enterprises are often targets of nation-state actors because they hold data that foreign entities desire; this could include valuable trade secrets or business operation plans.
Reputational damage
Reputational damage is a major consequence of successful APT attacks, as it can significantly impact an organization’s standing. Many organizations are specifically targeted for the data they possess on customers and users of their services, such as a hotel being compromised to gather information on targets who may be staying there. Such attacks can erode customer trust and damage relationships, resulting in lost business opportunities.
Supply chain risks
Supply chain attacks exploit vulnerabilities in a supplier or service provider to reach its downstream customers, compromising their systems and their customers’ trust. The compromise of a single third party within the supply chain can have far-reaching consequences, impacting every organization connected to the chain.
Regulatory compliance
Inadequate protection of sensitive data can lead to legal consequences and regulatory penalties. Non-compliance with regulations related to data privacy and security exposes organizations to financial liabilities and reputational damage.
How can enterprises safeguard against APT mobile campaigns?
Mobile devices often lack the same level of security controls as traditional endpoints, making them increasingly vulnerable targets for APT attacks. As seen in APT41’s WyrmSpy and DragonEgg deployment, mobile devices enable threat actors to gain sophisticated surveillance capabilities and access to sensitive data.
To ensure your security operations aren’t blind to mobile-specific attacks, you need an intelligence-driven defense that combines both the ability to threat hunt within your corporate environment and consistent and up-to-date threat intelligence on the evolving landscape.
Organizations often have those capabilities for traditional endpoints, but we are seeing mobile devices being leveraged as an initial access vector more frequently in recent attacks. This is partially due to their increased role as a source of user identity authentication. Mobile devices are also increasingly used to access valuable data, including data that is subject to compliance requirements.
To ensure that mobile is covered as part of your intelligence-driven defense, here are some steps you should consider:
- Include mobile within your threat intelligence: By gathering and analyzing threat intelligence that is specific to mobile threats, including indicators of compromise (IOCs) and emerging attack techniques, organizations can identify patterns, assess risk levels, and prioritize their security efforts. Lookout researchers commonly observe overlapping mobile and desktop attacks when analyzing APT campaigns, which highlights how crucial it is to understand both vectors.
- Implement proactive mobile defense measures: Use the insights gained from mobile threat intelligence and analysis to proactively implement security controls and countermeasures for mobile devices. This can involve deploying mobile-specific detection and response systems that include mobile-specific user and device analytics and security orchestration playbooks, and adopting mobile into your risk management methodologies.
- Incorporate mobile into incident response: Intelligence-driven defense allows security teams to understand the nature of a mobile attack, trace its origin, and take appropriate actions to minimize the impact and prevent future occurrences on mobile platforms. By incorporating mobile threat intelligence, incident response efforts can help validate or refute attack origins. This includes having mobile endpoint detection and response (EDR) capabilities so your security teams can minimize or mitigate attacks from APT groups who may leverage mobile in their TTPs.
- Information sharing and collaboration: Engage in proactive information sharing and collaboration with other organizations, industry partners, and government agencies to strengthen collective defense against mobile threats. By exchanging mobile threat intelligence, organizations can enhance their ability to detect advanced attacks, proactively defend against mobile threats, and respond effectively during security incidents.
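The first three steps above come together in a simple threat-hunting loop: match mobile telemetry against mobile-specific IOCs, assess a risk level per device, and prioritize response. The following Python is an added example of that loop; it is not Lookout's code, and every package name, certificate hash and hostname in it is a constructed placeholder, not a real WyrmSpy or DragonEgg indicator. It assumes a fleet inventory (for instance from an MDM or mobile EDR export) that exposes, per device, the installed packages with their signing-certificate SHA-256, whether each app was sideloaded, and the hostnames the device resolved.

```python
"""Match mobile fleet telemetry against mobile-specific IOCs and rank devices by risk.

Added example, not Lookout's code. All indicator values and telemetry below are
constructed placeholders; none are real WyrmSpy/DragonEgg indicators.
"""
from dataclasses import dataclass

# Constructed IOC feed: indicator type -> {indicator value: family label}.
# Mobile intelligence carries indicator types that desktop feeds usually lack
# (package names, app signing certificates) alongside network indicators.
MOBILE_IOCS = {
    "package": {"com.placeholder.updater": "PLACEHOLDER-FAMILY-A"},
    "cert_sha256": {"00" * 32: "PLACEHOLDER-FAMILY-A"},
    "domain": {"c2.placeholder.invalid": "PLACEHOLDER-FAMILY-B"},
}

# Weight per finding type. A family-attributed match (known malicious package
# or signing certificate) outranks a C2 domain hit, which in turn outranks the
# weak "app was sideloaded" heuristic. The device score is capped at 100.
WEIGHTS = {"package": 60, "cert_sha256": 50, "domain": 40, "sideloaded": 10}


@dataclass(frozen=True)
class App:
    package: str
    cert_sha256: str
    sideloaded: bool  # installed outside the official store / MDM channel


@dataclass(frozen=True)
class DeviceTelemetry:
    device_id: str
    apps: tuple          # tuple of App
    dns_queries: tuple   # hostnames the device resolved


def _domain_match(hostname, ioc_domains):
    """Return the IOC domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def evaluate_device(dev, iocs=MOBILE_IOCS):
    """Return (findings, risk_score) for one device.

    Each finding is (finding_type, subject, family_or_None)."""
    findings = []
    for app in dev.apps:
        family = iocs["package"].get(app.package)
        if family:
            findings.append(("package", app.package, family))
        family = iocs["cert_sha256"].get(app.cert_sha256.lower())
        if family:
            findings.append(("cert_sha256", app.package, family))
        # Sideloading alone is only a weak signal; skip it when the app is
        # already attributed to a family so the score is not double-counted.
        if app.sideloaded and not any(f[1] == app.package for f in findings):
            findings.append(("sideloaded", app.package, None))
    seen_domains = set()
    for host in dev.dns_queries:
        match = _domain_match(host, iocs["domain"])
        if match and match not in seen_domains:   # count each C2 domain once
            seen_domains.add(match)
            findings.append(("domain", match, iocs["domain"][match]))
    score = min(100, sum(WEIGHTS[f[0]] for f in findings))
    return findings, score


def prioritize(fleet, iocs=MOBILE_IOCS):
    """Score every device and return (device_id, findings, score), highest risk first."""
    scored = [(dev.device_id, *evaluate_device(dev, iocs)) for dev in fleet]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample fleet telemetry (placeholder values only).
FLEET = (
    DeviceTelemetry("phone-001",
                    (App("com.placeholder.updater", "00" * 32, True),),
                    ("api.c2.placeholder.invalid",)),
    DeviceTelemetry("phone-002",
                    (App("com.vendor.mail", "ab" * 32, False),
                     App("com.hobby.game", "cd" * 32, True)),
                    ("mail.vendor.example",)),
    DeviceTelemetry("phone-003",
                    (App("com.vendor.mail", "ab" * 32, False),),
                    ("c2.placeholder.invalid", "c2.placeholder.invalid")),
)

if __name__ == "__main__":
    for device_id, findings, score in prioritize(FLEET):
        print(f"{device_id}: risk={score:3d} findings={findings}")
```

The domain match walks parent labels so a subdomain of a listed C2 host still triggers, and each indicator type feeds a separate weight, which is what lets the output double as a prioritization queue: a device with a family-attributed app goes to incident response first, a device with only a sideloaded app becomes a low-priority review item.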
Strengthening defenses against APT attacks in today’s threat landscape
Safeguarding your organization against APT attacks and their mobile campaigns is vital in today’s threat landscape. APT attacks, including those orchestrated by groups like APT41, illustrate that such groups are ready to attack other nations and private companies alike.
Mobile devices are increasingly being leveraged by both APTs and financially-motivated threat actors. It’s no longer enough to have coverage of traditional endpoints and threat vectors.
If you have any questions about APTs or how to defend against mobile threats, feel free to reach out to us.
*** This is a Security Bloggers Network syndicated blog from Lookout Blogs authored by Lookout Blogs. Read the original post at: https://lookoutstaging.webflow.io/blog/mobile-apt-cyber-espionage