Over the past 12 months, the style and severity of APT threats have continued to evolve. Despite their constantly changing nature, there is a lot we can learn from recent APT trends to predict what might lie ahead in the coming year.
Based on the collective knowledge and insights of our experts, we have developed key predictions for where APTs are likely to strike next, and to help potential targets stay on their guard.
Let’s start by looking at the predictions we made for 2021.
APT threat actors will buy initial network access from cybercriminals
Last year, we foresaw the APT and cybercrime worlds becoming more porous on an operational level. In particular, we expected APT actors to leverage deep-web marketplaces where hackers sell access to the companies they have broken into. This prediction appears to have come true only a few days ago. BlackBerry released a report centered around an entity they call Zebra 2104 and which appears to be an “initial access broker”. According to their research, Zebra 2104 has provided ransomware operators with an initial foothold into some of their victims. But more interestingly, it looks like the StrongPity APT has used their services as well, despite being focused entirely on intelligence collection. Because this sort of activity takes place during the preparation stages of an attack, stages into which we typically have no visibility, there may be more interactions between APTs and the cybercrime world that we are unaware of.
More countries using legal indictments as part of their cyberstrategy
In 2020, we predicted that governments would adopt a “name and shame” strategy to draw attention to the activities of hostile APT groups, a trend that has evolved even more in the last year. We also predicted that countries would start using the full extent of the law to disrupt and punish adversary operations and this proved absolutely correct.
On April 15, the White House formally blamed Russia for the SolarWinds supply-chain attack. This announcement was accompanied by sanctions against several companies that the Treasury Department said were involved in supporting offensive operations.
On July 1, the NSA, the FBI, CISA (Cybersecurity and Infrastructure Security Agency) and the UK’s NCSC issued a joint advisory warning of hundreds of attempted brute-force intrusions around the world, attributed to Sofacy, also known as APT28 and Fancy Bear. The targets included government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy firms, universities, law firms and media companies.
On July 19, the US announced its intention to call out “irresponsible and destabilizing behavior in cyberspace” – supported by NATO, the EU and the UK. The statement from the White House specifically mentioned the recent exploitation of the Microsoft Exchange zero-day vulnerabilities. The US Department of Justice has also indicted four alleged members of APT40 for illicit computer network activities.
The Israeli Defense Forces (IDF) have claimed that threat actors have been using catfishing to lure Israeli soldiers into installing spyware. The attackers used six social media profiles on Facebook, Instagram and Telegram to catch the attention of male targets, establish a rapport with them and finally lure them into installing apps purporting to provide private chat functionality on their phones.
On September 24, the EU issued a statement regarding a disinformation campaign called “Ghostwriter”, ongoing since March 2017, intended to discredit NATO. The campaign is said to involve breaking into news websites or social media accounts of government officials in order to publish forged documents, fake news and misleading opinions meant to sway elections, disrupt local political eco-systems and create distrust of NATO. Despite threats, the EU ultimately decided not to impose sanctions.
Overall, we clearly observed a shift where cyber-incidents are now being handled through legal means such as indictments, instead of diplomatic channels.
More Silicon Valley companies will take action against zero-day brokers
Shortly after we released last year’s predictions, Microsoft, Google, Cisco and Dell joined Facebook in their legal battle against NSO. The legal actions are still ongoing, and as far as we know, no additional lawsuits have started against other zero-day or intrusion software vendors.
In short, our prediction immediately turned out to be true, but it is possible that Silicon Valley is waiting for the results of this first trial before going after other brokers. On November 3, however, the US Department of Commerce sent a very strong signal to the zero-day market by adding several companies (NSO, Positive Technologies, COSEINC, Candiru) to the Entity List for activities contrary to the US’s national security, due to the “traffic in cyber tools”. It is unclear at this juncture what impact this will have on the ongoing proceedings.
Increased targeting of network appliances
When we wrote this prediction, we were mainly thinking about a continuation of all the malicious activities targeting VPN appliances. As mentioned in the first section of this article, the most prominent software vulnerabilities ended up affecting different programs instead (such as Microsoft Exchange). We nevertheless observed some threat actors, such as APT10, who were exploiting these vulnerabilities to hijack VPN sessions.
But this prediction also came true another way. A very interesting campaign orchestrated by APT31 surfaced in 2021. In it, the threat actor leveraged a network of infected SOHO routers (specifically, Pakedge RK1, RE1 and RE2 models) and used it as an anonymization network and to host C2s.
The emergence of 5G vulnerabilities
2020 was a year of heightened tensions around the development of the 5G technology. We expected that they would get worse, and that one of the ways they would manifest in 2021 was through the discovery and release of vulnerabilities in products related to 5G, or maybe even in the protocol itself. The dispute seems to have been confined mostly to the legal arena, but there was still some interesting research, identifying security issues that could allow attackers to extract credentials or location information.
Demanding money ‘with menaces’
‘Enhanced’ ransomware tactics that have been in place since 2019 have proven effective enough to become an integral part of the criminal playbook. However, judging by the various arrests made and joint declarations from numerous law enforcement agencies and officials, it’s clear that the response to the ransomware problem is becoming more organized. In October, the US government conducted offensive operations to disrupt REvil’s activities.
This mounting pressure and the existential threat that it poses is reflected in current trends in the ransomware ecosystem. Blackmail tactics involving stolen data are tried and tested, and likely not the current focus of criminal groups.
More disruptive attacks
This prediction proved to be accurate. One of the most iconic cyber-events of 2021 was the ransomware attack on Colonial Pipeline. In the course of the attack, the equipment managing the pipeline was affected, which in turn caused significant supply issues in the United States. This infrastructure was so critical that the victim felt forced to pay a $4.4 million ransom, though fortunately $2.3 million was recovered by the US Department of Justice.
In July 2021, a never-before-seen wiper (Meteor) paralyzed the Iranian railway system. To add insult to injury, stranded users were invited to direct their complaints by phone to local authorities, likely affecting the quality of service of another government function. Later, in October, a similar attack affected all gas stations in the country. No group claimed responsibility for either of these attacks.
Attackers will continue to exploit the pandemic
During 2020, we saw multiple APT groups targeting academic institutions and research centers involved in the development of COVID-19 vaccines. This included DarkHotel and APT29 (aka CozyDuke and CozyBear) with their WellMess malware (as attributed by the UK NCSC, the National Cyber Security Centre). This year, we saw several APT groups attempting to use COVID-19 lures in their targeting, such as ScarCruft, LuminousMoth, EdwardsPheasant, BountyGlad, Kimsuky and ReconHellcat. An interesting cluster of activity we tracked, and were later able to attribute to an actor publicly known as SideCopy, targeted diplomatic and governmental organizations in Asia and the Middle East using COVID-19-related lures along with compromised websites hosting malicious HTA and JS files. There are multiple aspects of the campaign, including execution chain, malware used, infrastructure overlaps, PDB paths and other TTPs, that remind us of other groups operating in the same region, such as SideWinder, OrigamiElephant, Gorgon group or Transparent Tribe. Yet, none of the similarities found were strong enough to attribute this set of activity to known actors.
And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2022.
Private sector supporting an influx of new APT players
This year, the use of surveillance software developed by private vendors has come under the spotlight, as discussed above. Given how potentially profitable this business is, and the impact the software can have on those targeted, we believe that vendors of such software will play a greater role, at least until governments seek to regulate its use. There are some signs of this happening already. In October 2021, the US Commerce Department’s Bureau of Industry and Security (BIS) introduced an interim final rule that defines when an export license will be required for commercial surveillance software: the aim is to prevent the distribution of surveillance tools to countries subject to arms controls, while allowing legitimate security research and transactions to continue.
Meanwhile, malware vendors and the offensive security industry will aim to support old but also new players in their operations.
Mobile devices exposed to wide attacks
Malware targeting mobile devices has been in the news on and off for over a decade. This has been strongly correlated with the popularity of dominant operating systems. To date, the two most popular operating systems for mobile devices are iOS and Android (plus other Android/Linux-based clones). From the very outset, they have had very different philosophies – while iOS relied on a closed App Store that only allows vetted applications, Android has been more open and allowed users to install third-party apps directly onto devices. This has resulted in big differences in the type of malware targeting the two platforms; while Android-based terminals are plagued by a lot of cybercriminal malware (albeit not free from APT attacks), iOS is mostly in the crosshairs of advanced nation-state sponsored cyberespionage. In 2021, the Pegasus Project brought a new dimension to the otherwise obscure world of iOS zero-click zero-day attacks; and more iOS zero-days have been reported in the wild than in any other year.
From the point of view of the attackers, mobile devices are ideal targets: they travel almost everywhere with their owners, contain details about their private lives, and infections are very difficult to prevent or detect. Unlike PCs or Macs, where the user has the choice of installing a security suite, such products are either crippled or non-existent on iOS. This creates an extraordinary opportunity for APTs, one that no state-sponsored adversary will want to miss. In 2022, we will see more sophisticated attacks against mobile devices getting exposed and closed, accompanied by the inevitable denial from the perpetrators.
More supply chain attacks
We’ve seen some notable supply chain attacks this year. We have discussed the adoption of this approach by APT threat actors above. But we’ve also seen cybercriminals take advantage of weaknesses in the security of suppliers in order to compromise customers of the compromised company. Striking examples include the attack on a US oil pipeline system in May, the attack on a global meat producer in June and the targeting of MSPs (Managed Service Providers) and their clients in July. Such attacks represent a violation of trust somewhere in the supply chain; and they are particularly valuable for attackers because they provide a stepping-stone into many other targets in one fell swoop. For this reason, supply chain attacks will be a growing trend into 2022 and beyond.
Continued exploitation of WFH
Notwithstanding the relaxation of pandemic lockdown rules in various parts of the world, many employees continue to work from home; and are likely to do so for the foreseeable future. This will continue to provide opportunities for attackers to compromise corporate networks. This includes the use of social engineering to obtain credentials and brute-force attacks on corporate services, in the hope of finding poorly protected servers. In addition, as many people continue to use their own equipment, rather than devices locked down by corporate IT teams, attackers will look for new opportunities to exploit home computers that are unprotected or unpatched, as an entry vector to corporate networks.
The main driver of this will be increasing geopolitical tension across the board, leading to an increase in espionage-based cyber-offensive activities. Geopolitics has historically been the primary factor, alongside economics, technology and foreign affairs, behind cyber-intrusions aimed at stealing sensitive data for national security purposes. Despite the current pandemic situation affecting the globe, geopolitical tension has significantly increased in the Middle East and Turkey since at least January 2020 and will likely continue to do so.
Africa has become the fastest urbanizing region and attracts millions of dollars in investments. At the same time, many countries on the continent are in a strategic position when it comes to maritime trade. This and the continuous improvement of defensive capabilities in this region lead us to believe 2022 will feature major APT attacks in the META region, especially Africa.
Explosion of attacks against cloud security and outsourced services
More and more companies are incorporating cloud computing in their business models due to the convenience and scalability they offer. The devops movement has led many companies to adopt software architectures based on microservices and running on third-party infrastructure – infrastructure that’s usually only one password or API key away from being taken over.
This recent paradigm has security implications that developers may not fully comprehend, where defenders have little visibility and that APTs haven’t really investigated thus far. We believe the latter will be the first to catch up.
In a broader sense, this prediction concerns outsourced services such as online document editing, file storage, email hosting, etc. Third-party cloud providers now concentrate enough data to attract the attention of state actors and will emerge as primary targets in sophisticated attacks.
The return of low-level attacks: bootkits are ‘hot’ again
Low-level implants are often shunned by attackers due to their inherent risk of causing system failures and the sophistication required to create them. Reports published by Kaspersky throughout 2021 indicate that offensive research on bootkits is alive and well: either the stealth gains now outweigh the risks, or low-level development has become more accessible. We expect to discover more advanced implants of this kind in 2022. In addition, as Secure Boot becomes more prevalent, attackers will need to find exploits or vulnerabilities in this security mechanism to bypass it and keep deploying their tools.
States clarify their acceptable cyber-offense practices
In the last decade, the whole industry observed a trend where cyberspace is becoming more and more politicized, especially when it comes to cyberwarfare. Last year, we predicted that legal indictments would become an integral part of Western states’ arsenals to impose cost on adversary operations.
An issue, however, is that states denouncing cyberattacks against them are at the same time known for conducting their own. For their protests to gain weight, they will need to create a distinction between the cyberattacks that are acceptable and those that are not. In 2022, we think some countries will publish their taxonomy of cyber-offense, precisely detailing which types of attack vector (for example, supply chain) and behavior (for example, destructive, affecting civilian infrastructure, etc.) are off-limits.