Kaspersky report highlights the growth in state-sponsored hacking

While we often think of hackers as loners toiling away in their mother's basement, the modern hacker is increasingly well resourced. Indeed, many of the best hackers in the world get their backing from state forces. In The Hacker and the State, Georgetown University’s Ben Buchanan argues that rogue states, including China and North Korea, are becoming increasingly aggressive in utilizing cyberattacks to spread discord among their western foes.

It’s perhaps no surprise, therefore, that state sponsored hacking is the focus of cybersecurity firm Kaspersky’s latest advanced persistent threat report. The report, which was based on activities observed during the second quarter of 2021, illustrates the lengths to which state-sponsored groups are going to cause havoc around the world.

For instance, the report highlights the activities of the Kremlin-backed Nobelium and APT29, who had undergone a prolonged email campaign against various embassies throughout Europe, alongside think tanks, government agencies, and other non-governmental organizations. In total, the attacks targeted several hundred different organizations, with a quarter believed to be directly working in human rights, international development, and humanitarian work.

These attacks are important because they clearly show the willingness and ability for Kremlin-backed groups to target key infrastructure and institutions. For instance, Strontium is another notorious Russian group who shot to public infamy after targeting healthcare organizations involved in the development of vaccines. They had also previously attacked anti-doping organizations after Russian athletes were banned from international competition for systemic cheating.

Chinese activity

Chinese groups were also highly active, although much of their activity seemed to be focused in south-east Asia. For instance, the researchers identified a toolset that had been in use for over a year that enables malware artefacts to be hidden from security software and investigators. The approach was used to attack various telecom companies as well as government agencies.

The researchers also identified APT31 (aka ZIRCONIUM), which is an intrusion set involving various compromised small office routers. This was used to attack targets in Europe, with the attackers deploying Cobalt Strike malware and then relaying communications via the infected network. The group primarily targeted Pakedge routers, but the ultimate endpoint is largely unknown at this stage.

The report also suggests that EdwardsPhesant campaigns continue to pose a threat throughout south-east Asia.

While the true extent of their activities, which are believed to utilize DropPhone implants, remains unknown, it is something the researchers are keeping a keen eye on over the remainder of the year.

Another advanced persistent threat, which the researchers believe is called BountyGlad, was identified against a certificate authority in Mongolia, with the attack replacing digital certificate management client software with a malicious downloader. The researchers go on to say, however, that the methods used by the group are not particularly sophisticated, with past activity heavily reliant on spear phishing and Cobalt Strike malware.

Middle East threats

While not as widely discussed as Russian and Chinese hackers, the report outlines the growth in activity in state-backed groups from the Middle East. For instance, the researchers highlight the attack made on the Israeli insurance firm Shirbit by BlackShadow. The attack was part of a wider body of work against Israeli targets, with the group believed to originate from Saudi Arabia.

Similarly, WildPressure is another group that has had an ongoing campaign against targets in the region. The researchers identified some new approaches to the malware used by the group which warrant further observation over the coming year. WIRTE is another group identified as active in the region. The group first came to attention in 2019 and are believed to be linked to the Gaza Cybergang group. The researchers found that their main method of attack was the use of VBS/VBA implants, with most efforts aimed at government agencies.

A changing landscape

The researchers reveal that while the tactics, techniques, and procedures of state-backed hacking groups has been largely consistent over time, especially their heavy reliance on social engineering as an initial way to compromise an organization, there has also been signs of evolution among hacking groups in terms of their approach.

For instance, the second quarter of 2021 has seen a rise in the number of supply-chain attacks, and while many were sufficiently high profile to elicit significant media attention, there was also growth in less high profile and considerably low-tech attacks, such as CoughingDown and BountyGlad. Groups have also been increasingly willing to leverage exploits in systems to gain a foothold, with various zero-day exploits identified and exploited in software like the Exchange server.

What is perhaps most evident from the analysis is how crucial geo-politics is in driving the activity of the various threat actors identified in the report. 

It is now increasingly difficult to distinguish between the activities of threat actors and the foreign policy ambitions of the regimes that support them. Until the international community reach an agreement on cessation of the cyber warfare that is increasingly rampant, it’s a level of threat that only seems likely to grow in the coming year.