APT-style mercenary groups challenge business threat models

Not everyone is a target for cyber espionage. That's the premise on which many businesses built their threat models and cyber defence capabilities.

Unfortunately, that's rapidly changing. Hacker-for-hire groups that sell their services to private entities are popping up on the radar of security companies and creating a blindspot for many organisations that are not prepared to deal with advanced persistent threats (APTs).

Last week, security firms Kaspersky Lab and Bitdefender independently released reports about two such mercenary groups. One was seen targeting law firms and companies in the financial sector, while the other targets architectural and video production companies. These are just the latest examples in a series of similar reports over the past couple of years.

"We’ve recently seen a trend in which the tactics and techniques used in the past by state-sponsored APT groups have now been used in attacks on smaller companies," Liviu Arsene, global cyber security researcher with Bitdefender, tells CSO.

"This potentially points to a new APT-as-a-service model that sophisticated threat actor groups could be offering. Just as the transition to malware-as-a-service marked a new chapter in the cyber crime industry, APT-as-a-service where mercenary hackers that may have sharpened their skills either in state-sponsored attacks or as part of other larger APT groups, could become the new norm."

DeathStalker and common scripting languages

Kaspersky's report focuses on the recent activities of a mercenary group the company dubbed DeathStalker, whose tools bear some close similarities to other malware implants going as far back as 2012.

The group was recently seen targeting entities that work in or with the financial sector including law offices, wealth consultancy firms and financial technology companies. Victims were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.

DeathStalker's current implant is called Powersing and is written in PowerShell, an often-abused scripting language that's included with Windows and is used to automate system administration tasks. The malware is delivered via spear-phishing emails with attached archives that contain a malicious LNK file.

The Powersing payload is notable for reaching out to various "dead drops" on social media websites and getting the URL of the command-and-control (C&C) server from comments with encoded text left by the authors. Sites used for the dead drops include Google+, Imgur, Reddit, Tumblr, Twitter, YouTube and WordPress.

Powersing periodically contacts the C&C server for commands and has two functionalities: capture periodic screenshots from the victim’s machine and send them to the C&C server, and execute arbitrary Powershell scripts provided by the C&C.

These two simple features give attackers a lot of power. One allows them to perform reconnaissance on the victim and the second to extend the compromise through manual hacking.

Kaspersky Lab has identified similarities in the method of distribution -- LNK files -- as well as use of dead drops and even some code similarities with two other malware families seen in the past called Janicab and Evilnum, which are written in different scripting languages, VBE and JavaScript.

Kaspersky's researchers say that none of the similarities offer definitive proof, but they believe with medium confidence that Powersing, Evilnum and Janicab are operated by the same group.

Based on the type of victims and information the hackers are after, Kaspersky Lab believes DeathStalker is a group of mercenaries that offers hacking-for-hire services for private customers or which acts itself as an information broker in financial circles selling the data it captures.

"We believe that DeathStalkers chooses its targets purely based on their perceived value, or perhaps following customer requests," Kaspersky said in its report. "In this context, we assess that any company in the financial sector could catch DeathStalker’s attention, no matter its geographic location."

Mercenary group uses targeted attack vector

In its recent report, Bitdefender documented a recent APT-style attack against a company with officers around the world that is engaged in architectural projects with real-estate developers in New York, London, Australia and Oman. Its customers also include high-profile architects and world-renowned interior designers.

What's noteworthy about the group tracked by Bitdefender is that the hackers delivered their malware implant as a rogue plugin for Autodesk 3DS Max, a popular program for 3D animation and modelling. This suggests the group knew exactly who its target was, what data they were after, and what software they could exploit to get in.

"During the investigation, Bitdefender researchers also found that threat actors had an entire toolset featuring powerful spying capabilities," the company said.

"Based on Bitdefender’s telemetry, we also found other similar malware samples communicating with the same command and control server, dating back to just under a month ago. Located in South Korea, United States, Japan and South Africa. It’s likely the cyber criminal group might have also been targeting select victims in these regions as well."

In June, Bitdefender released a report about another suspected mercenary group dubbed StrongPity that has the traits of a mercenary cyber criminal group with both financial and geo-political objectives.

Another older APT group known as Barium or Winnti that was responsible for a string of supply chain attacks involving popular software has also shown both a cyber espionage and a financial interest in the past through its operations and victimology.

Is APT for hire a new trend?

There have always been hackers-for-hire in the Internet's underworld. There is even evidence that nation-states like China and Russia recruit hackers from cyber crime circles for their intelligence operations.

Those hackers then learn sophisticated APT-style techniques, tactics and procedures (TTPs) that can then be used in their criminal activities as well. Or they can set up mercenary groups and sell their skills to private entities who want to spy on their competitors or manipulate the financial markets.

Some groups are even funded, trained and supported by nation-states that sell hacking services to third-party customers. This is the case of North Korea. In April, the US Departments of State, the Treasury, Homeland Security and the FBI issued a join advisory on North Korean cyber threats which mentioned that "DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients."

"I find it a fascinating story that's a really important reminder of how much more complex the cyber threat landscape is, and I don't think the current discourse in the newspapers or by policy makers is taking that into account," says Tim Maurer, author of the book Cyber Mercenaries: The State, Hackers, and Power and co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, a foreign-policy think tank.

"I think very few people are actually fully aware of those different types of dimensions. North Korea has to make a lot of money, and therefore they're behaving in a unique way. But it also raises some interesting questions of how the proliferation of cyber capabilities may be driven internationally because of that behaviour."

According to Maurer, these different hats that some hackers or hacker groups might have, government agents and hacker-for-hire on the side, make it hard for organisations to know what the actual intent of the attackers were when they are hacked and what might happen to the stolen data or how it might be used.

The growing number of mercenary groups that offer hacker-for-hire services is also part of another big trend that has been driven by the commoditisation and public release of APT-style techniques and tools over the past few years.

Many cyber criminal groups and ransomware gangs use manual hacking and fileless execution techniques, abuse scripting languages and dual-use tools that are also used by system administrators or IT security professionals, engage in months-long reconnaissance and lateral movement operations inside networks, develop customised payloads for each victim, and more.

Even small- and medium-sized companies at risk for APTs

So can any organisation, big or small, regardless of industry, afford not to have APTs in their threat models? The answer is increasingly becoming "no," and that raises a serious problem for small- and medium-sized organisations in particular because they don't have the security products, budgets or skilled staff required to detect and respond to such attacks.

"Small- and medium-sized businesses will have to completely overhaul their threat model, build new security strategies, and readjust their security budgets," Bitdefender's Arsene tells CSO. "If in the past most APT-level breaches on SMBs were part of supply-chain attacks, APT mercenaries offering their services to the highest bidder could practically mean open season for small- and medium-sized companies."

"I do think for most organisations it makes sense to migrate to the cloud, because then they are better protected, as the security teams of cloud service providers are able to more effectively detect and protect against APTs,"  Maurer tells CSO.

"If you are a small company and you may have just one person who is busy just trying to keep up with the latest patches, you don't have the bandwidth to be effectively protected against more advanced threats. I don't think that will end anytime soon.

"Over the last decade alone the number of nation-state actors with offensive cyber capabilities has grown from half a dozen countries to now over 30 countries. The proliferation of knowledge and capabilities continues to outpace how countries [and organisations] can effectively protect themselves."

Maurer also feels that cloud providers have a reputational interest to continuously invest in good security and keep their customers protected, because any news story about the breach of one of their customer's cloud assets will also mention the cloud provider's name, whether they were responsible or not.

That said, most cloud breaches often occur because of insecure configurations and the responsibility for that sits ultimately with the user of the platform. While migrating to the cloud might alleviate the networking monitoring burdens for some organisations, they still need to ensure that their cloud servers and assets are securely configured.

Other options, according to Arsene, are endpoint detection and response (EDR) and managed detection and response (MDR) solutions, which have become affordable even for SMBs and can offer a level of security that was previously only available to enterprises who built their own security operations centers.

"The biggest challenge for small businesses, especially in highly competitive and financially driven verticals, is both the lack of qualified security and IT personnel as well as the lack of security tools capable of spotting suspicious behaviour," Arsene tells CSO.

"Small- and medium-sized companies should be focusing on augmenting their security stack with more than just malware-detecting security software, but with visibility tools both at the endpoint and network layers.

"The lack of qualified security personnel could be addressed by turning to managed detection and response teams that both assess the company’s infrastructure and propose security and hardening tools, but also act as specialised security hunting teams that perform threat hunting on suspicious events."