Woburn, MA -- November 9, 2023 -- Kaspersky has published a large study of Asian APTs’ Tactics, Techniques, and Procedures (TTPs), providing comprehensive information resulting from investigations of five major APT campaigns. The study is publicly available and is designed to enhance the security community’s understanding of the way contemporary APT groups operate. It also offers advice on defense mechanisms against these attackers.
Kaspersky experts analyzed around one hundred incidents that transpired across different regions worldwide, starting from 2022. The team utilized the Unified Kill Chain methodology to conduct a comprehensive study of the attackers' actions, basing their findings on the TTPs employed by the analyzed groups. Within the report, experts provide insights into five specific incidents that occurred in Russia and Belarus, Indonesia, Malaysia, Argentina, and Pakistan.
To ensure it is globally accessible and can be understood by researchers and security specialists, this study leans heavily on internationally known threat analysis tools, practices, and methodologies, such as MITRE ATT&CK, F3EAD, David Bianco's Pyramid of Pain, Intelligence Driven Incident Response, and the Unified Kill Chain.
The research reveals that, despite numerous attacks, the range of techniques encountered remains limited, allowing researchers to delve more deeply into their analysis. Here are some of the key findings:
· Asian APTs exhibit no regional bias in target selection. Their victims span the globe, posing a challenge to anyone attempting to identify which region is most frequently targeted. This implies attackers employ consistent tactics across the world, demonstrating their ability to employ a uniform arsenal against various victims.
· An important trait of these attackers is their combined use of techniques. They employ Create or Modify System Process: Windows Service (T1543.003), which gives them persistence and lets them escalate privileges by running their payload as a service, together with Hijack Execution Flow: DLL Side-Loading (T1574.002), commonly used to evade detection by having a legitimate, signed executable load the malicious DLL. This combination appears to be a distinctive hallmark of Asian cyber groups.
· The main focus of these Asian groups is cyber espionage, as evidenced by their efforts to gather sensitive information and funnel it to legitimate cloud services or external channels. Although it is uncommon, there are instances where these groups deviate from this pattern, as seen in one of the examined incidents which involved the use of ransomware in the attack.
· The most targeted industries include government, industrial, healthcare, IT, agriculture, and energy.
The systematization of various TTPs used by attackers has led to the development of a specific set of meticulously crafted Sigma rules, aiding security specialists in detecting potential attacks within their infrastructure.
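The press release does not reproduce Kaspersky's Sigma rules, so the following is an added illustration (not the report's own detection content) of how the service-creation plus DLL side-loading combination described above can be correlated in telemetry. It uses constructed sample events with real Windows field names: System event 7045 (a new service was installed, with ImagePath and ServiceName) and Sysmon event 7 (image loaded, with Image, ImageLoaded and Signed). The trusted-directory list and the heuristic itself (a service binary outside standard program directories whose process loads an unsigned DLL from its own directory) are assumptions chosen for this example.

```python
"""Correlate suspicious Windows service installs (T1543.003) with DLL
side-loading (T1574.002) in sample log events.

The events below are constructed for this example; the heuristic is an
illustrative assumption, not a published Kaspersky Sigma rule."""
from pathlib import PureWindowsPath

# Assumption: directories whose binaries we treat as normal service hosts.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample telemetry (System 7045 + Sysmon 7), not real incident data.
SAMPLE_EVENTS = [
    # T1543.003: auto-start service whose binary lives in a writable directory.
    {"EventID": 7045, "ServiceName": "WinSvcUpdate",
     "ImagePath": '"C:\\ProgramData\\Update\\vendorapp.exe" -svc',
     "StartType": "auto start"},
    # T1574.002: that host binary loads an unsigned DLL from its own directory.
    {"EventID": 7, "Image": "C:\\ProgramData\\Update\\vendorapp.exe",
     "ImageLoaded": "C:\\ProgramData\\Update\\version.dll", "Signed": "false"},
    # Benign: a System32 service loading a signed System32 DLL.
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
]


def service_image(image_path):
    """Extract the executable from a 7045 ImagePath, which may be quoted
    and carry arguments, e.g. '"C:\\x\\a.exe" -k svc'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx >= 0 else s.split(" ")[0]


def in_trusted_dir(path):
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def suspicious_service_installs(events):
    """Map lowercase binary path -> service name for 7045 events whose
    service binary sits outside the trusted directories."""
    hits = {}
    for e in events:
        if e.get("EventID") != 7045:
            continue
        exe = service_image(e["ImagePath"])
        if not in_trusted_dir(exe):
            hits[exe.lower()] = e["ServiceName"]
    return hits


def side_load_events(events):
    """Sysmon 7 events where an unsigned DLL is loaded from the loading
    process's own (untrusted) directory: the classic side-loading shape."""
    out = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        host, dll = e["Image"], e["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        if str(e.get("Signed", "")).lower() == "true":
            continue
        if in_trusted_dir(dll):
            continue
        if parent_dir(host) == parent_dir(dll):
            out.append(e)
    return out


def correlate(events):
    """Alert only when a side-load occurs inside a suspiciously installed
    service binary, i.e. both techniques are seen together."""
    services = suspicious_service_installs(events)
    alerts = []
    for e in side_load_events(events):
        host = e["Image"].lower()
        if host in services:
            alerts.append({"ServiceName": services[host], "Image": e["Image"],
                           "ImageLoaded": e["ImageLoaded"],
                           "Techniques": ["T1543.003", "T1574.002"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Requiring both signals before alerting keeps the false-positive rate low on hosts where third-party software legitimately installs services, while still catching the pairing the report singles out; in a real deployment the two events would be joined on host and process ID within a time window rather than on path alone.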
“In the world of cybersecurity, knowledge is the key to resilience,” said Nikita Nazarov, head of threat exploration at Kaspersky. “Through this report, we aim to empower security specialists with the insights they need to stay ahead of the game and safeguard against potential threats. We urge the entire cybersecurity community to join us in this knowledge-sharing mission for a stronger and more secure digital landscape.”
Kaspersky researchers continuously discover new tools, techniques, and campaigns launched by APT groups in cyberattacks around the world. The company’s experts monitor over 900 operations and groups, with 90% being related to espionage. They actively share their latest findings and exclusive insights through The Kaspersky Threat Intelligence Portal—a centralized hub for the company's Threat Intelligence.
The full report, titled “Modern Asian APT groups: tactics, techniques and procedures,” is available on Securelist.com.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
· Regularly update your operating system, applications, and antivirus software to patch any known vulnerabilities.
· Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
· Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
· For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.