July 19, 2023
Why Should You Care About APTs and Nation-State Attacks?
We often think of advanced persistent threats, or APTs, as threats primarily targeting governments for cyber espionage, but they can have just as much impact on the private sector. Oftentimes, both the techniques and the tooling used overlap between APTs and financially motivated cybercriminals, and some APT groups themselves have taken to moonlighting as cybercriminals for profit.
Indeed, ongoing research has shown that various North Korean APTs have been funding their country’s nuclear program and espionage activities with stolen cryptocurrency, while Russian APTs have been using Russian-speaking ransomware and hacktivist groups as proxies to further their causes. Nation-states also often outsource cyber espionage efforts to groups that are hard to classify as purely APTs or purely financially motivated. These third parties use well-known attack vectors so that the nation-states can keep expensive, hard-to-discover vulnerabilities to themselves.
APT groups can operate with multiple objectives, highlighting the complex nature of their motivations and actions in the cyber landscape. For example, China's APT41 and Russia’s Sandworm APT have both targeted public and private organizations, including industries ranging from finance and high-tech to energy and telecommunications.
It's essential to recognize that APTs and organized cybercrime use similar techniques in their attack process. Whether it's financially motivated threat actors targeting a victim’s bank account or APT groups conducting reconnaissance to enable further operations, many attacks start by targeting mobile devices because they commonly lack protection and are relatively easy to social engineer. By understanding the expanding reach of APT activities, you can help reduce the risks they pose to your organization.
What are APTs and nation-state actors and how do they impact enterprises?
APTs and nation-state actors are sophisticated hacking groups that are often controlled or sponsored by nation-states. They typically employ techniques such as custom malware, social engineering, and zero- or n-day exploits for cyber espionage purposes. Their objectives range from gaining unauthorized access to an organization's network, stealing valuable intelligence or intellectual property, and injecting malicious code into a company's product, to conducting targeted surveillance on individuals. However, there have also been instances where APTs have targeted organizations for financial gain.
Examples of nation-state actors that have impacted enterprises
China’s APT41
Members of APT41, also known as Double Dragon, BARIUM, and Winnti, a state-sponsored espionage group based in the People’s Republic of China, were indicted in 2020 by the U.S. government for compromising over 100 organizations and individuals across the public and private sectors. In the following years, APT41 continued to conduct financially motivated attacks, such as stealing $20 million in COVID relief benefits from U.S. state governments.
In July 2023, Lookout Threat Lab researchers made publicly available their Threat Advisory Service analysis of two mobile malware families associated with the group, called WyrmSpy and DragonEgg, shedding light on their mobile capabilities.
Russia’s Sandworm APT
Sandworm is a state-sponsored cyber espionage group with ties to the Main Center for Special Technologies (GTsST) of the Russian Ministry of Defense’s Main Intelligence Directorate (GRU). The group is known for targeting traditional desktop environments, although it recently used a collection of surveillance tooling known as Infamous Chisel to target Android mobile devices for military espionage purposes.
In September 2023, Lookout released an in-depth analysis of Deblind, the Android app component of Infamous Chisel, with details that had not previously been made public.
One of the APT’s most infamous campaigns was the 2017 NotPetya ransomware attack, which compromised over 2,300 public and private organizations and cost $10 billion in damages. In 2020, six Russian GRU officers were indicted and charged for these and other cyberattacks by a U.S. federal grand jury.
Implications of APT attacks on the private sector
Economic impact
APT attacks can manifest in various forms, including theft of sensitive data, disruption of operations, and intellectual property theft. Private enterprises are often targets of nation-state actors because they hold data that foreign entities desire, such as valuable trade secrets or business operation plans.
Reputational damage
Reputational damage is a major consequence of successful APT attacks, as it can significantly impact an organization's standing. Many organizations are specifically targeted for the data they possess on customers and users of their services, such as a hotel being compromised to gather information on targets who may be staying there. Such attacks can erode customer trust and damage relationships, resulting in lost business opportunities.
Supply chain risks
Supply chain attacks exploit weaknesses in a vendor or partner to reach the systems of the organizations that depend on it, enabling further attacks and undermining customer trust. The compromise of a single third party within the supply chain can have far-reaching consequences, impacting every organization connected to the chain.
Regulatory compliance
Inadequate protection of sensitive data can lead to legal consequences and regulatory penalties. Non-compliance with regulations related to data privacy and security exposes organizations to financial liabilities and reputational damage.
How can enterprises safeguard against APT mobile campaigns?
Mobile devices often lack the same level of security controls as traditional endpoints, making them increasingly vulnerable targets for APT attacks. As seen in APT41’s WyrmSpy and DragonEgg deployment, mobile devices enable threat actors to gain sophisticated surveillance capabilities and access to sensitive data.
To ensure your security operations aren’t blind to mobile-specific attacks, you need an intelligence-driven defense that combines both the ability to threat hunt within your corporate environment and consistent and up-to-date threat intelligence on the evolving landscape.
Organizations often have those capabilities for traditional endpoints, but we are seeing mobile devices leveraged as an initial access vector more frequently in recent attacks. This is partially due to their increased role in user identity authentication. Mobile devices are also increasingly used to access valuable data, including data subject to compliance requirements.
To ensure that mobile is covered as part of your intelligence-driven defense, here are some steps you should consider:
- Include mobile within your threat intelligence: By gathering and analyzing threat intelligence that is specific to mobile threats, including indicators of compromise (IOCs) and emerging attack techniques, organizations can identify patterns, assess risk levels, and prioritize their security efforts. Lookout researchers commonly observe overlapping mobile and desktop attacks when analyzing APT campaigns, which highlights how crucial it is to understand both vectors.
- Implement proactive mobile defense measures: Use the insights gained from mobile threat intelligence and analysis to proactively implement security controls and countermeasures for mobile devices. This can involve deploying mobile-specific detection and response systems that include mobile-specific user and device analytics and security orchestration playbooks, and adopting mobile into your risk management methodologies.
- Incorporate mobile into incident response: Intelligence-driven defense allows security teams to understand the nature of a mobile attack, trace its origin, and take appropriate actions to minimize the impact and prevent future occurrences on mobile platforms. By incorporating mobile threat intelligence, incident response efforts can help validate or refute attack origins. This includes having mobile endpoint detection and response (EDR) capabilities so your security teams can minimize or mitigate attacks from APT groups that leverage mobile in their TTPs.
- Information sharing and collaboration: Engage in proactive information sharing and collaboration with other organizations, industry partners, and government agencies to strengthen collective defense against mobile threats. By exchanging mobile threat intelligence, organizations can enhance their ability to detect advanced attacks, proactively defend against mobile threats, and respond effectively during security incidents.
Strengthening defenses against APT attacks in today's threat landscape
Safeguarding your organization against APT attacks and their mobile campaigns is vital in today's threat landscape. APT attacks, including those orchestrated by groups like China’s APT41 or Russia’s Sandworm, illustrate that these groups are ready to attack other nations and private companies alike.
Mobile devices are increasingly being leveraged by both APTs and financially-motivated threat actors. It’s no longer enough to have coverage of traditional endpoints and threat vectors.
If you have any questions about APTs or how to defend against mobile threats, feel free to reach out to us.