Kaspersky Labs recently released its report on Q3 2017 APT Threats. The report looks in depth at advanced persistent threats (APT), a type of network attack in which an unauthorized user gains access to a network and remains there for a long period of time undetected. APT attacks are focused on sectors with high-value information, such as the financial and manufacturing industries and government operations, such as national defense.
Kaspersky’s Global Research and Analysis Team (GReAT) started to publish quarterly summaries of its own private threat reports in Q2 2017, and intends to do so on an ongoing basis. Its latest report focuses on APT threats in Q3 of 2017.
Kaspersky Lab summarized its findings largely by geographic area.
Chinese-Speaking Actors
10 of 24 of Kaspersky’s reports related to activity among Chinese-speaking actors who are conducting espionage against a significant number of countries and industry verticals. The 10 reports are listed on Kaspersky’s website and a full copy of any specific report can be requested there.
It was noted that China showed particular interest in Russia’s policies and negotiations with other countries. Kaspersky noted three incidents in which Russia held talks with another country and both were targeted shortly afterwards. IronHusky, for instance, was a campaign discovered in July aimed at Russia and Mongolia. Shortly after talks were held between the two countries on modernizing Mongolian air defenses, both countries were made targets of a Poison Ivy variant by a Chinese-speaking threat actor.
Kaspersky noted the most interesting of these reports being “focused on two specific supply chain attacks; Netsarang/ShadowPad and CCleaner”. Netsarang is a server management software used worldwide. Kaspersky discovered the malware ShadowPad embedded within the installation packages on the Netsarang distribution site. ShadowPad was a previously unknown malware. It contained a remotely activated backdoor that the threat actor could trigger via a specific value in a DNS TXT record. Other security researchers suggested the threat actor was BARIUM. In September, another supply chain attack occurred involving CCleaner, a cleaner/optimization tool for PCs. The actors involved signed the malicious installation packages with a legitimate Piriform code signing certificate, allowing it to push the malware in August and September.
Russian-Speaking Actors
Kaspersky released four reports on Russian-speaking threat actors, two of which focused on ATM malware, another was a summary of Sofacy activity across the summer and the fourth, related to financial targeting in Russia and Ukraine.
The ATM malware reports related to two previously unknown types of malware: “Cutlet Maker” and “ATMProxy”, both allowing the users to dispense cash from a chosen cartridge embedded in the ATMs. ATMProxy is interesting in being a new way to steal from ATMs. The malware sits dormant on the ATM until a card, which has a unique hard coded number, is inserted, at which point the ATM will more cash than what was asked for.
The report summarizing Sofacy’s summertime activity showed that the group remained active with their favored payloads: SPLM, GAMEFISH and XTUNNEL. Targeting remained focused on European defense entities, Turkey, and former republics.
The final report looked at a new technique targeting financial organizations in Russia and the Ukraine with Buhtrap. Buthrap has been in existence since 2014 at least, but these attacks leverage search engine optimization (SEO) to boost malicious watering hole sites to the top of search results, allowing for more opportunity for targets to visit the malicious sites.
Korean-Speaking Actors
Kaspersky wrote two reports on Korean-speaking threat actors, specifically related to Bluenoroff and Scarcruft. Bluenoroff hit a Costa Rican casino using Manuscrypt. It had previously gained access to the same casino six months ago, indicating they likely lost access and were trying to regain a foothold. The other report looked at how Scarcruft was targeting high profile, political entities in South Korea employing malware used for espionage and destructive malware.
English-Speaking Actors
Kaspersky’s single report on English-speaking actors focused on “yet another member of the Lamberts family”. Its investigations of Red Lambert (a new actor to Kaspersky) allowed the researchers to uncover a potential operational security (OPSEC) failure on the actor’s part, which has led GReAT to a particular company who they believe may be behind the development of the Lambert malware.
Other Activity
Kaspersky ‘s final seven reports focused on a range of “uncategorized” actors across Q3. These range from The Silence – a new Trojan attacking financial organizations to one on the Crystal Finance Millenium website employed to launch a wave of attacks in Ukraine.
Takeaways: Q3 2017 APT Threats
Kaspersky noted in particular the alarming growth in supply chain attacks.
“Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous.“
Compromising the supply chain opens up access to a much wider range of targets than available via traditional means such as spear phishing.