Not everyone is a target for cyberespionage. That’s the premise on which many businesses built their threat models and cyber-defense capabilities. Unfortunately, that’s rapidly changing. Hacker-for-hire groups that sell their services to private entities are popping up on the radar of security companies and creating a blindspot for many organizations that are not prepared to deal with advanced persistent threats (APTs).
Last week, security firms Kaspersky Lab and Bitdefender independently released reports about two such mercenary groups. One was seen targeting law firms and companies in the financial sector, while the other targets architectural and video production companies. These are just the latest examples in a series of similar reports over the past couple of years.
“We’ve recently seen a trend in which the tactics and techniques used in the past by state-sponsored APT groups have now been used in attacks on smaller companies,” Liviu Arsene, global cybersecurity researcher with Bitdefender, tells CSO. “This potentially points to a new APT-as-a-service model that sophisticated threat actor groups could be offering. Just as the transition to malware-as-a-service marked a new chapter in the cybercrime industry, APT-as-a-service where mercenary hackers that may have sharpened their skills either in state-sponsored attacks or as part of other larger APT groups, could become the new norm.”
DeathStalker and common scripting languages
Kaspersky’s report focuses on the recent activities of a mercenary group the company dubbed DeathStalker, whose tools bear some close similarities to other malware implants going as far back as 2012. The group was recently seen targeting entities that work in or with the financial sector including law offices, wealth consultancy firms and financial technology companies. Victims were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.
DeathStalker’s current implant is called Powersing and is written in PowerShell, an often-abused scripting language that’s included with Windows and is used to automate system administration tasks. The malware is delivered via spear-phishing emails with attached archives that contain a malicious LNK file. The Powersing payload is notable for reaching out to various “dead drops” on social media websites and getting the URL of the command-and-control (C&C) server from comments with encoded text left by the authors. Sites used for the dead drops include Google+, Imgur, Reddit, Tumblr, Twitter, YouTube and WordPress.
Powersing periodically contacts the C&C server for commands and has two functionalities: capture periodic screenshots from the victim’s machine and send them to the C&C server, and execute arbitrary Powershell scripts provided by the C&C. These two simple features give attackers a lot of power. One allows them to perform reconnaissance on the victim and the second to extend the compromise through manual hacking.
Kaspersky Lab has identified similarities in the method of distribution — LNK files — as well as use of dead drops and even some code similarities with two other malware families seen in the past called Janicab and Evilnum, which are written in different scripting languages, VBE and JavaScript. Kaspersky’s researchers say that none of the similarities offer definitive proof, but they believe with medium confidence that Powersing, Evilnum and Janicab are operated by the same group.
Based on the type of victims and information the hackers are after, Kaspersky Lab believes DeathStalker is a group of mercenaries that offers hacking-for-hire services for private customers or which acts itself as an information broker in financial circles selling the data it captures.
“We believe that DeathStalkers chooses its targets purely based on their perceived value, or perhaps following customer requests,” Kaspersky said in its report. “In this context, we assess that any company in the financial sector could catch DeathStalker’s attention, no matter its geographic location.”
Mercenary group uses targeted attack vector
In its recent report, Bitdefender documented a recent APT-style attack against a company with offices around the world that is engaged in architectural projects with real-estate developers in New York, London, Australia and Oman. Its customers also include high-profile architects and world-renowned interior designers.
What’s noteworthy about the group tracked by Bitdefender is that the hackers delivered their malware implant as a rogue plugin for Autodesk 3DS Max, a popular program for 3D animation and modelling. This suggests the group knew exactly who its target was, what data they were after, and what software they could exploit to get in.
“During the investigation, Bitdefender researchers also found that threat actors had an entire toolset featuring powerful spying capabilities,” the company said. “Based on Bitdefender’s telemetry, we also found other similar malware samples communicating with the same command and control server, dating back to just under a month ago. Located in South Korea, United States, Japan and South Africa. It’s likely the cybercriminal group might have also been targeting select victims in these regions as well.”
In June, Bitdefender released a report about another suspected mercenary group dubbed StrongPity that has the traits of a mercenary cybercriminal group with both financial and geo-political objectives. Another older APT group known as Barium or Winnti that was responsible for a string of supply-chain attacks involving popular software has also shown both a cyberespionage and a financial interest in the past through its operations and victimology.
Is APT for hire a new trend?
There have always been hackers-for-hire in the internet’s underworld. There is even evidence that nation-states like China and Russia recruit hackers from cybercrime circles for their intelligence operations. Those hackers then learn sophisticated APT-style techniques, tactics and procedures (TTPs) that can then be used in their criminal activities as well. Or they can set up mercenary groups and sell their skills to private entities who want to spy on their competitors or manipulate the financial markets.
Some groups are even funded, trained and supported by nation-states that sell hacking services to third-party customers. This is the case of North Korea. In April, the US Departments of State, Treasury, Homeland Security and the FBI issued a joint advisory on North Korean cyber threats which mentioned that “DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients.”
“I find it a fascinating story that’s a really important reminder of how much more complex the cyber threat landscape is, and I don’t think the current discourse in the newspapers or by policy makers is taking that into account,” says Tim Maurer, author of the book Cyber Mercenaries: The State, Hackers, and Power and co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, a foreign-policy think tank. “I think very few people are actually fully aware of those different types of dimensions. North Korea has to make a lot of money, and therefore they’re behaving in a unique way. But it also raises some interesting questions of how the proliferation of cyber capabilities may be driven internationally because of that behavior.”
According to Maurer, these different hats that some hackers or hacker groups might have, government agents and hacker-for-hire on the side, make it hard for organizations to know what the actual intent of the attackers were when they are hacked and what might happen to the stolen data or how it might be used.
The growing number of mercenary groups that offer hacker-for-hire services is also part of another big trend that has been driven by the commoditization and public release of APT-style techniques and tools over the past few years. Many cybercriminal groups and ransomware gangs use manual hacking and fileless execution techniques, abuse scripting languages and dual-use tools that are also used by system administrators or IT security professionals, engage in months-long reconnaissance and lateral movement operations inside networks, develop customized payloads for each victim, and more.
Even small- and medium-sized companies at risk for APTs
So can any organization, big or small, regardless of industry, afford not to have APTs in their threat models? The answer is increasingly becoming “no,” and that raises a serious problem for small- and medium-sized organizations in particular because they don’t have the security products, budgets or skilled staff required to detect and respond to such attacks.
“Small- and medium-sized businesses will have to completely overhaul their threat model, build new security strategies, and readjust their security budgets,” Bitdefender’s Arsene tells CSO. “If in the past most APT-level breaches on SMBs were part of supply-chain attacks, APT mercenaries offering their services to the highest bidder could practically mean open season for small- and medium-sized companies.”
“I do think for most organizations it makes sense to migrate to the cloud, because then they are better protected, as the security teams of cloud service providers are able to more effectively detect and protect against APTs,” Maurer tells CSO. “If you are a small company and you may have just one person who is busy just trying to keep up with the latest patches, you don’t have the bandwidth to be effectively protected against more advanced threats. I don’t think that will end anytime soon. Over the last decade alone the number of nation-state actors with offensive cyber capabilities has grown from half a dozen countries to now over 30 countries. The proliferation of knowledge and capabilities continues to outpace how countries [and organizations] can effectively protect themselves.”
Maurer also feels that cloud providers have a reputational interest to continuously invest in good security and keep their customers protected, because any news story about the breach of one of their customer’s cloud assets will also mention the cloud provider’s name, whether they were responsible or not. That said, most cloud breaches occur because of insecure configurations and the responsibility for that sits ultimately with the user of the platform. While migrating to the cloud might alleviate the network monitoring burdens for some organizations, they still need to ensure that their cloud servers and assets are securely configured.
Other options, according to Arsene, are endpoint detection and response (EDR) and managed detection and response (MDR) solutions, which have become affordable even for SMBs and can offer a level of security that was previously only available to enterprises who built their own security operations centers.
“The biggest challenge for small businesses, especially in highly competitive and financially driven verticals, is both the lack of qualified security and IT personnel as well as the lack of security tools capable of spotting suspicious behavior,” Arsene tells CSO. “Small- and medium-sized companies should be focusing on augmenting their security stack with more than just malware-detecting security software, but with visibility tools both at the endpoint and network layers. The lack of qualified security personnel could be addressed by turning to managed detection and response teams that both assess the company’s infrastructure and propose security and hardening tools, but also act as specialized security hunting teams that perform threat hunting on suspicious events.
Copyright © 2020 IDG Communications, Inc.