Collateral damage from APTs

How APTs compromise the privacy and security of average citizens that they do not target directly.

How APTs compromise the privacy and security of average citizens that they do not target directly

Folks usually relate to APTs about the same way we relate to espionage in general: It’s certainly a big deal, but it won’t hit us mere mortals, right? Most of us don’t carry any significant industrial or government secrets on our phones and don’t work with classified information on our computers, so why would we be of interest to them?

Well, folks are mostly right. It’s very unusual for the average person to be targeted by a nation-state–sponsored actor, but we can still be collateral damage. Daniel Creus of Kaspersky’s Global Research and Analysis Team (GReAT) spoke on that topic recently in Barcelona. This post quickly recaps it and describes the three ways ordinary people can run afoul of an APT attack.

Collateral damage scenario #1: The wrong website at the wrong time

In comparison with smaller actors, APTs have enough money for a bunch of zero-day exploits, including the ones that make remote watering hole attacks possible. Research by Google Project Zero in 2019 revealed that one actor used as many as 14 different vulnerabilities in 5 different exploit chains to infect their targets with spyware.

Some of these vulnerabilities were used to remotely infect iOS users who visited specific politics-related websites. They ended up with spyware on their phones. The thing is, the actor did not distinguish among website visitors, meaning that all iOS users who visited the site got infected, regardless of whether they were of any interest to the actor.

And that was hardly the only APT attack that involved a watering hole. For example, one of the attack vectors of the infamous NotPetya (aka ExPetr) started with the infection of a government website. When users visited the website, malware was downloaded and executed on their computers. You may remember that NotPetya had tremendous collateral damage.

So, one of the problems with APTs is that threat actors may have no interest in targeting you in particular, but if you happen to visit the wrong website or download the wrong app, you will get infected nevertheless, and the private information from your device will be exposed to them — or damaged, in APT-related ransomware cases such as NotPetya.

Collateral damage scenario #2: Serious toys in cybercriminals’ hands

Among other things, APTs often seek the secrets of other APTs. They tend to hack each other and sometimes leak the tools that their foes use. Other, smaller and less advanced actors pick them up and use them to create malware, which sometimes gets out of control. Remember, the infamous WannaCry wiper was created using EternalBlue, one of the exploits leaked by ShadowBrokers when they decided to publish the Equation Group’s arsenal of cyberweapons.

More threats, including NotPetya/ExPetr, Bad Rabbit, EternalRocks, and others, relied on the EternalBlue exploit as well. One leaked exploit resulted in a series of several huge epidemics and many smaller events that together affected hundreds of thousands of computers and disrupted the work of numerous businesses and government agencies around the world.

In summary, the second problem ordinary people face with APTs is that threat actors create really dangerous tools and sometimes fail to contain them. As a result, these dangerous things can end up in the hands of cybercriminals — of varying degrees of competence — who don’t hesitate to use them, sometimes affecting lots of innocent people.

Collateral damage scenario #3: Leak of collected data

As we mentioned above, the actors behind APTs have a tendency to hack each other. Sometimes they publish not only the tools they loot, but also any information their foes harvested using those tools. For example, that’s how the data harvested by the infamous cyberespionage tool ZooPark became publicly available.

In the past two years, as many as 13 stalkerware vendors either were hacked or left the information they collected exposed online, on an unprotected, publicly available Web server. Leaks afflict more serious actors as well; the creators of the notorious FinFisher were hacked, and the even more notorious Hacking Team, which used to develop surveillance tools, has also been hacked.

So, there’s the third problem: Even if an APT has nothing to do with average users, even if it just stockpiles their information without using it against them, if that APT leaks data, smaller fish will gladly feed on that information to extort or to search for private data — from credit card numbers and document scans all the way to contact info and compromising photos.

How to stay safe from APTs

Although APTs are significantly more sophisticated than the average malware, the same techniques we use against common threats help protect against APTs.

  • Disable installation of apps from third-party sources on Android phones. If you really need to install some trusted app from outside Google Play, allow it once, but don’t forget to change the setting back when you’re done.
  • Regularly check permissions of the apps you have installed on your device and revoke any permissions you think are not necessary for a certain app. It’s also a good idea to check the list of permissions an app uses before installing it. You can find the list in Google Play.
  • Avoid visiting shady websites and clicking links from sources you do not completely trust. Unknown people won’t send you links and apps with good intentions. Some APTs are capable of infecting legitimate websites, but many rely on good old phishing.
  • Use a reliable security solution that scans everything that is about to be installed or downloaded on the device and checks every link and every package. Consider it a last line of defense: Even if a bad actor tricks you or uses an exploit to find their way into your device, the security solution can still protect you.