The APTocalypse: Who’s Who in the World of Cyber Threats

If you think cyber threats are only a problem for big corporations or governments, think again. There are many groups of hackers out there who are constantly looking for ways to steal your data, disrupt your operations, or even sabotage your infrastructure. These groups are known as advanced persistent threat (APT) actors, and they have different motives, methods, and targets.

In this article, we will introduce you to some of the latest and most notorious APT actors and their tactics, techniques, and procedures (TTPs). We will also give you some tips on how to defend yourself against them. But be warned: this is not a bedtime story. This is a horror story with real villains and real victims. And it could happen to you.

Let’s start with Lazarus³, one of the most active and dangerous APT actors in the world. Lazarus is believed to be linked to North Korea, and has been behind some of the most destructive cyberattacks in history, such as the Sony Pictures hack in 2014 and the WannaCry ransomware outbreak in 2017. Lazarus has also been targeting defense companies and cryptocurrency firms with sophisticated malware and supply chain attacks³. Their TTPs include spearphishing emails with malicious attachments or links, exploiting vulnerabilities in web servers or applications, using legitimate tools for lateral movement and persistence, and deploying custom backdoors or ransomware.

How to defend against Lazarus:

  • Keep your systems updated with the latest patches and security updates.
  • Use antivirus software and firewall to block malicious traffic and detect malware.
  • Educate your employees on how to spot phishing emails and avoid clicking on suspicious links or attachments.
  • Monitor your network activity for any signs of compromise or anomalous behavior.

Next up is NOBELIUM², also known as APT29 or Cozy Bear. NOBELIUM is a Russian-backed APT actor that has been conducting cyber espionage campaigns against various government entities, think tanks, NGOs, IT companies, and other organizations around the world. NOBELIUM was behind the infamous SolarWinds hack in 2020 that compromised thousands of organizations through a tainted software update. NOBELIUM’s TTPs include compromising trusted third-party vendors or suppliers (supply chain attacks), using stolen credentials or password spraying to access accounts (credential harvesting), creating fake domains or websites to impersonate legitimate ones (domain spoofing), using encrypted channels or proxies to evade detection (network obfuscation), and deploying stealthy backdoors or implants for data exfiltration.

How to defend against NOBELIUM:

  • Verify the integrity of any software updates before installing them on your systems.
  • Use strong passwords and multifactor authentication for your accounts.
  • Check the sender’s address and domain name carefully before opening any emails or visiting any websites.
  • Use encryption tools such as VPNs or Tor browsers to protect your online communications.
  • Use threat intelligence services such as ESET Threat Intelligence² to stay informed about NOBELIUM’s activities.

Another APT actor that deserves your attention is MuddyWater², also known as Seedworm or TEMP.Zagros. MuddyWater is an Iran-aligned APT actor that has been targeting government agencies, telecom companies, media outlets, and other organizations across Asia, the Middle East, and Europe. MuddyWater has also been involved in compromising a managed security provider (MSP) and using its access to target its customers. MuddyWater’s TTPs include sending spearphishing emails with malicious macros, PowerShell scripts, batch files, and shortcuts; using open-source tools such as Mimikatz, Cobalt Strike, and PowerSploit; using living-off-the-land techniques such as WMI, RDP, and scheduled tasks; and using custom malware such as PowGoop, PowRuner, and PowMuddy.

How to defend against MuddyWater:

  • Disable macros by default on your office applications and do not enable them unless necessary.
  • Restrict PowerShell execution policies and enable logging and auditing features.
  • Implement least privilege policies and network segmentation to limit lateral movement and privilege escalation.
  • Use endpoint detection and response (EDR) solutions such as ESET PROTECT Cloud² to identify and respond to MuddyWater’s attacks.
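As an added example (not from the article, ESET, or any of the cited reports), the Python below shows what the PowerShell logging recommended above actually buys a defender: it triages constructed Script Block Logging (Event ID 4104) messages, decoding `-EncodedCommand` payloads from their base64 UTF-16LE form so that flags such as execution-policy bypass and the tool names the article lists become matchable. The sample events, indicator patterns, weights and threshold are all assumptions made for illustration.

```python
import base64
import re

# Constructed Script Block Logging (Event ID 4104) message texts; not real telemetry.
SAMPLE_EVENTS = [
    "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Reports | Measure-Object",
    "Creating Scriptblock text (1 of 1): powershell.exe -NoProfile -ExecutionPolicy Bypass "
    "-WindowStyle Hidden -File C:\\Users\\Public\\run.ps1",
    "Creating Scriptblock text (1 of 1): powershell.exe -enc "
    + base64.b64encode("Invoke-Mimikatz".encode("utf-16-le")).decode(),
    "Creating Scriptblock text (1 of 1): Import-Module ActiveDirectory; Get-ADUser -Filter *",
]

# -EncodedCommand carries base64 of UTF-16LE text, so it has to be decoded before keyword matching.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# (pattern, indicator name, weight); the weights are assumptions chosen for illustration.
INDICATORS = [
    (ENC_RE, "encoded_command", 3),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execpolicy_bypass", 2),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden_window", 2),
    (re.compile(r"mimikatz|powersploit|cobalt\s*strike", re.I), "known_tool_name", 3),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "invoke_expression", 1),
]

def decode_encoded_command(text):
    """Decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(message):
    """(score, indicator names) for one 4104 message, matched on script text plus decoded payload."""
    body = message.split(": ", 1)[1] if ": " in message else message
    decoded = decode_encoded_command(body)
    haystack = body if decoded is None else body + "\n" + decoded
    score, hits = 0, []
    for pattern, name, weight in INDICATORS:
        if pattern.search(haystack):
            score += weight
            hits.append(name)
    return score, hits

def triage(events, threshold=3):
    """Messages scoring at or above threshold, highest first, for analyst review."""
    scored = [(*score_event(msg), msg) for msg in events]
    return sorted([t for t in scored if t[0] >= threshold], key=lambda t: -t[0])
```

Without Script Block Logging enabled, none of these messages exist to be scored, which is the point of the recommendation.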

Last but not least, let us introduce you to SturgeonPhisher², a new APT actor that was discovered by ESET researchers recently. SturgeonPhisher is a cyberespionage group that targets high-profile government entities in Central Asia. SturgeonPhisher uses spearphishing emails with malicious documents that exploit a vulnerability in Microsoft Equation Editor (CVE-2017-11882) to deliver a custom backdoor called SturgeonDoor. SturgeonDoor can execute commands, upload and download files, take screenshots, and communicate with a command-and-control server. SturgeonPhisher’s TTPs also include using legitimate tools such as WinRAR and 7-Zip for compression and encryption, using steganography to hide data in images, and using domain generation algorithms to create dynamic domains.

How to defend against SturgeonPhisher:

  • Apply security patches for known vulnerabilities on your systems.
  • Use email security solutions such as ESET Mail Security to filter out malicious emails and attachments.
  • Use application control or whitelisting solutions to prevent unauthorized programs from running on your systems.
  • Use network security solutions such as ESET Network Attack Protection to block malicious traffic and domains.
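The domain generation algorithms mentioned in the SturgeonPhisher description are what the last item above (blocking malicious domains) and the earlier advice to monitor network activity run into in practice: a blocklist cannot keep up with names that change every day. As an added example (not code from the article or ESET), this Python scores queried names from constructed DNS log lines with simple DGA heuristics (entropy, length, digit and vowel ratios); the log format, thresholds and the single-label-TLD simplification are assumptions.

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines (timestamp, client, queried name); not real telemetry.
SAMPLE_DNS_LOG = """\
2023-03-01T10:00:01Z 10.0.0.12 query www.example.com
2023-03-01T10:00:02Z 10.0.0.12 query mail.example.com
2023-03-01T10:00:03Z 10.0.0.21 query xk3v9qz7tl2mwq8p.com
2023-03-01T10:00:04Z 10.0.0.21 query b4n7zt1qwe9rk0sd.net
2023-03-01T10:00:05Z 10.0.0.33 query updates.welivesecurity.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(domain):
    """Label left of the TLD; assumes a single-label TLD (a simplification, no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain):
    """Heuristic score in [0, 1]; higher is more DGA-like. Thresholds are assumptions, not tuned values."""
    label = registrable_label(domain)
    n = max(len(label), 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    score = 0.0
    score += 0.4 if shannon_entropy(label) > 3.5 else 0.0  # many distinct characters
    score += 0.2 if len(label) >= 12 else 0.0                # long label
    score += 0.2 if digit_ratio > 0.2 else 0.0               # digits mixed into letters
    score += 0.2 if vowel_ratio < 0.2 else 0.0               # unpronounceable
    return round(score, 2)

def flag_dga_queries(log_text, threshold=0.6):
    """Parse the log and return (client, domain, score) for names scoring at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, domain = m.groups()
        score = dga_score(domain)
        if score >= threshold:
            flagged.append((client, domain, score))
    return flagged
```

Flagged clients are candidates for investigation, not verdicts: legitimate CDN and cloud hostnames can score high, so tune the thresholds against your own DNS baseline.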

We hope you enjoyed this article and learned something new about the latest threat actors and APT groups. Remember: cyber threats are no joke (except when they are). Stay safe out there!

(1) Advanced persistent threat actor Lazarus attacks defense … – Kaspersky.

(2) ESET APT Activity Report T3 2022 | WeLiveSecurity.

(3) Groups | MITRE ATT&CK®.

(4) APT & Threat Actor Lists. Companies use different names for the… | by ….

(5) Exchange servers under siege from at least 10 APT groups.
