Bigger threat actors and Russian-speaking groups remain quiet to start the year
Woburn, MA – April 30, 2019 – Kaspersky Lab is releasing its quarterly threat intelligence summary, which reveals that in the first three months of 2019, researchers observed an active landscape of advanced threat operations that was centered mainly on South East Asia. This activity was increasingly influenced by geopolitics, and featured cryptocurrency and commercial spyware attacks as well as a major supply-chain campaign.
The quarterly APT trends summary is drawn from Kaspersky Lab’s private threat intelligence research and other sources. This report reviews the main developments in the threat landscape that researchers believe are important to highlight to the public.
In the first quarter of 2019, Kaspersky Lab researchers observed a number of interesting new APT developments. The defining threat campaign reported during the quarter was Operation ShadowHammer: an advanced, targeted campaign that used the software supply chain for distribution on an incredibly wide scale, combined with carefully implemented techniques for precision targeting of the intended victims.
Additional highlights of APT activity in Q1 2019 include:
- Geopolitics featured as a key driver of APT activity, often with a clear correlation observed between political developments and targeted malicious activity.
- South East Asia remained the most frenetically active region of the world in terms of APT activity, with more groups, more noise, and more sets of activity targeting the region than anywhere else.
- Russian-speaking groups kept a low profile in comparison with recent years. This could be due to an element of internal restructuring, although there remained a steady drumbeat of activity and malware distribution by Sofacy and Turla.
- Chinese-speaking actors continued to maintain a high level of activity, combining both low and high sophistication, depending on the campaign. For example, the group known to Kaspersky Lab as CactusPete, active since 2012, was observed in Q1 with new and updated tools, including new variants of downloaders and backdoors and an appropriated and then repackaged VBScript zero-day belonging to the DarkHotel group.
- Providers of “commercial” malware available to governments and other entities seem to be thriving. Researchers observed a new variant of FinSpy in the wild, as well as a LuckyMouse operation deploying leaked HackingTeam tools.
“Looking back at what has happened during a quarter is always a surprising experience,” said Vicente Diaz, principal security researcher, Global Research and Analysis Team, Kaspersky Lab. “Even when we have the feeling that nothing ‘groundbreaking’ has occurred, we uncover a threat landscape that is full of interesting stories and evolution on different fronts – including, in Q1, sophisticated supply chain attacks, attacks on cryptocurrency and geopolitical drivers. We know that our visibility is not complete, and there will be activity that we do not yet see or understand, so just because a region or sector doesn’t appear on our threat intelligence radar today doesn’t mean it won’t in the future. Protection against both known and unknown threats remains vital for everyone.”
The APT trends report for Q1 summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.
The complete APT trends report for Q1 2019 can be found on Securelist.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.
Media Contact
Meghan Rimol
781.503.2671
meghan.rimol@kaspersky.com