Since it is the last day of the year, let’s have a look at this year’s top APT campaigns. This year surely was action-packed when it comes to various forms of hacking, data breaches, new malware, and related matters. Some of the most sophisticated cyber espionage campaigns have been revealed this year. Many of them so advanced, there is not a bit of doubt that they are state-backed. Although many new APTs were discovered, thinking of what is still out there and is rather disconcerting, considering how long many of these campaigns laid undiscovered. The list below contains an overview of the most notable campaigns of 2014.
REGIN – Regin APT is the undisputed king among APTs revealed in 2014.
Targets: Telecommunication operators, governments, financial institutions, research institutions – mainly with focus on mathematical, cryptographical research.
Countries: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.
- Appears to be operation since 2003
- Capable of compromising an entire victim network.
- Incredibly complex, stealthy communication with C&C servers.
- Contains module capable of mapping GSM structures – in 2008 gained complete control of one middle-eastern country’s GSM network.
DARKHOTEL– The Darkhotel operation was a well-executed execs-targeting cyberespionage campaign.
Targets: C-level officials and senior management, Marketing Directors, top R&D persons.
Countries: Main focus on Japan, Taiwan, China, Russia and South Korea.
- Continuous use of zero-days targeting Interned Explorer and Adobe PDF and flash.
- Use of both targeted attacks and botnets.
- Advanced mathematical and crypto-analytical offensive capabilities.
- Well-developed low level keyloggers within an effective and consistent toolset
- Ability to compromise and maintain access to global networks of hotels over many years.
CLOUD ATLAS – Cloud Atlas turned out to be the notorious RedOctober cyberespionage campaign reborn.
Targets: Diplomatic organizations and government bodies.
Countries: Main focus on Russia, Kazakhstan, Belarus, India, and Czech Republic.
- Many shared features with RedOctober – including same targets, spearphishing techniques, encryption, and more.
- Implants utilize a rather unusual C&C mechanism – ability to restore access even if the C&C server is compromised.
- Malware loader and a final payload that is stored, encrypted and compressed in an external file.
SANDWORM – Sandworm is the advanced cyberespionage group behind the NATO and Ukraine attacks.
Targets: Political bodies, governments, energy industry, suppliers of heavy power related materials, investors, academia, and high-tech.
Countries: Russia, Ukraine, Poland, Lithuania, Belarus, Azerbaijan, Kyrgyzstan, Kazakhstan, Iran, Israel, Turkey, Libya, Kuwait, Taiwan, Vietnam, India, Croatia, Germany, Belgium, and Sweden.
- Utilizing a modified version of the BlackEnergy criminal malware (BlackEnergy2) – every Sandworm attack in 2014 was carried out using BE2.
- Ability to steal digital certificates, attack Cisco networking devices, and even to target ARM and MIPS platforms.
- Protected their servers by keeping their non-Windows hacker tools and plug-in in separate servers or server folders.
- Russian-speaking authors.
Based on the current success of APTs concentrating on cyberespionage, it is likely that cybercriminals are already picking up on the benefits of stealthy, persistent presence. In 2015 we are likely going to see a wide-spread evolution in cybercrime campaigns – mimicking current espionage APT mechanics. Criminals are realizing that targeting end users is less effective than targeting, let’s say a bank, directly.