The world's new reality is inescapable: cyber espionage groups are out there, and even if your organization isn't a direct target, it's increasingly likely that you may still suffer their impact.
As we learned during the recent SolarWinds hack, the fact that our world has turned to a highly digital supply chain means companies are so intertwined that if one falls, it can knock out hundreds, if not thousands, more.
But what cyber espionage groups - also known as advanced persistent threats (APT) - are out there right now? What are their common techniques and what have they been doing recently? Below we outline a list of 10 of the top APT groups to be aware of in 2021 - and how to defend against common hacker tactics.
Hitting headlines recently as the suspected perpetrators of the SolarWinds attack, CozyBear is probably one of the most prominent cyber espionage groups in this list.
This APT is believed to be Russian in origin, likely backed by the FSB. They've been in operation for quite some time, with researchers dating their activities as far back as 2008. As you can imagine, this means they've had quite a history, having been the suspects behind numerous major cyber attacks:
Other known names: APT29, YTTRIUM, The Dukes and Office Monkeys.
Having been in operation for so long, CozyBear has been associated with a number of different malware kits, and changes toolset frequently. These are some of the notable attack vectors:
CozyBear appears to prefer targeting high-value government-related departments in the US, UK, European Union (including Norway and Germany), South Korea and Uzbekistan.
Their goal appears predominantly related to cyber espionage, stealing data from victims.
Find out more: CozyBear on MITRE ATT&CK
Gorgon Group was first suspected as existing when cyber security research firm Unit 42 began tracking a Pakistani attack known as Subaat, which commenced in 2017 and targeted a US organization with phishing attacks.
Technical analysis of this incident began to suggest that the attackers were working with a wider organization, dubbed Gorgon. Gorgon is notable as a group because it was attributed to the 2019 US$160 million MasterMana Botnet hack, which targeted corporations around the world with the intent to, among other goals, steal credentials associated with crypto wallets. Indeed, Gorgon's latest attack vectors are very similar to those used in the MasterMana days.
Gorgon Group has been known to use three attack vectors:
The United States and Germany accounted for 21% and 11% respectively of Gorgon's victims, specifically of their first attack vector (Prevailion). The US was also a major target of vector two, as was South Korea and India. Switzerland and Singapore made up the majority of targets for vector three.
Some data also suggests the group had an interest in European affairs as well as the utilities sector in the UAE (Dubai in particular).
Unit 42 has also detected Gorgon Group targeting US, Russian and Spanish organizations operating in Pakistan.
Find out more: Gorgon Group on MITRE ATT&CK
Deep Panda is a Chinese group which CrowdStrike considers one of the most advanced state-backed hackers in that region of the world.
Recently at time of writing, a Chinese state-backed hacker group attacked Microsoft - dubbed HAFNIUM. The use of webshells and tools such as CrowdStrike bears some resemblance to Deep Panda, although this is speculation and not an official link.
Other known names: KungFu Kittens, Shell Crew, WebMasters.
Stealth appears to be Deep Panda's specialty. The group utilizes a variety of specialist processes designed to install their backdoor malware while leaving a minimal footprint in the victim's network.
Organizations based out of the United States appear to be most at risk, particular in the government, defense, financial and telecommunications sectors.
Find out more: Deep Panda on MITRE ATT&CK
Most of the threat actors in this list have a strong focus on Windows computers - but Bouncing Golf has figured out how to hit people on their mobile devices.
The group was detected by antivirus company Trend Micro in June 2019, at which point their malware - GolfSpy - was reported to have infected over 660 devices. Unfortunately, the group's origin is not known at time of writing, because they have been working hard to cover their tracks: masking registrant contact details of their C&C domains, for example.
That said, Trend Micro has seen similarities between GolfSpy's code and that of another known APT group, Domestic Kitten. Domestic Kitten is believed to be Iranian in origin, and uses similar techniques.
Bouncing Golf tries to sneak its malware onto mobile devices by parading GolfSpy as a legitimate application.
Bouncing Golf activity has been detected primarily in Middle Eastern countries, with a focus on stealing military-related data.
Domestic Kitten, the espionage group that may be similar to Bouncing Golf, has been observed targeting Turkish and Kurdish natives and ISIS supporters in Afghanistan, Iran, Iraq and the UK.
Given the nature of GolfSpy and the information it can steal, anyone in the phonebooks of these victims or who are related to them in any way via their devices could also be at risk.
CopyKittens is a slightly less technically advanced APT using simpler techniques than some of its peers - simpler, but still highly dangerous.
They are believed to be Iranian and operating since 2013, having been first detected by Trend Micro and ClearSky in 2015.
CopyKittens conducted an enormous cyber espionage campaign for years, which was dubbed Operation Wilted Tulip. One notable attack example was when the group compromised an email address from the Ministry of Foreign Affairs in Northern Cyprus, then using it as a decoy to try and infect other government organizations around the globe.
While CopyKittens may not act with the same level of sophistication as some of the other names in this list (for example, they don't use any zero-day exploits), they are by no means a threat to be ignored.
○ This makes it likely that victims may come under attack not directly, but via their digital supply chain. If you haven't read it, we'd encourage you to read our article on why Germans should care about the SolarWinds hack to learn more about their digital supply chain vulnerabilities.
CopyKittens has been launching data gathering attacks on countries such as Germany, Israel, Saudi Arabia, Turkey, the US and Jordan. Some other nations have been attacked, too, as well as UN employees.
Mainly, CopyKittens seems to go after sectors such as government institutions, academic institutions, defense companies, municipal authorities, subcontractors of defense ministries and large IT companies. One major victim, for example, was the German Bundestag.
Find out more: CopyKittens on MITRE ATT&CK
Security company FireEye believes APT33 started operations in 2013. Due to the group's specific interests, snippets of Farsi language in their code, and the hours/days that APT33 members are known to operate (Saturday to Wednesday in the Iranian time zone), FireEye suspects that this group is Iranian in origin and backed by the Iranian state.
Other known names: HOLMIUM, Elfin
Spear phishing is a major tactic of APT33, with attacks masquerading as legitimate job openings at desirable companies.
As far as nations go, APT33 has targeted organizations housed in the US, South Korea and Saudi Arabia.
In terms of sectors, the group seems to have a preference for aviation companies with ties to both military and commercial use, as well as the energy sector (petrochemical production in particular). Saudi Arabia seems to be a reasonably common focus area, with companies targeted overseas often having links to Saudi's energy or aviation sectors.
APT33 may be working to learn more about Saudi Arabia's capabilities as a means to enhance Iran's work in these spaces.
Find out more: APT33 on MITRE ATT&CK
Charming Kitten made headlines by launching a major phishing attack over the Christmas 2020 break - precisely when the world's IT departments were less available to review and respond to potential threats.
The group is suspected of having been in operation since 2014, perhaps even 2013, and has links to the Iranian government. Charming Kitten also has strong links to APT Magic Hound, which we detail below.
Other known names: APT35, Phosphorus, Newscaster, Ajax
Charming Kitten has most recently been associated with phishing campaigns using SMS and email.
○ This is a great example of how cyber espionage groups are evolving to use modern channels to hunt victims. Apps like WhatsApp, Telegram and Facebook Messenger are now potential channels for malware and must be considered as a part of organizational security just like email or web browsing.
Charming Kitten has been seen to go for members of think tanks, political research centres, university professors, journalists and environmental activitists. Their target countries centre around the Persian Gulf, the US and Europe - collectively victims appear to be individuals of interest to Iran.
Find out more: Charming Kitten on MITRE ATT&CK
Magic Hound attacks date back as far as 2014, and may date back even further - to 2011. The group has very close ties to some other well-known APTs, and in fact there are a few security reports out there that don't even distinguish Magic Hound from Charming Kitten or its other aliases.
Unit 42 also performed a link analysis of Magic Hound's infrastructure and tools and found that it may also have links to groups Rocket Kitten and Cobalt Gypsy.
Magic Hound has so far not been observed using common exploit techniques, but rather social engineering tactics designed to compromise very specific targets.
Whereas Charming Kitten has been observed targeting specific victims in positions of political or educational power, Magic Hound has been more direct in attacking government, technology and energy sector companies either based in or with an interest in Saudi Arabia (for example, the US).
Rocket Kitten, which may be linked as well, also uses spear phishing tactics to target individuals and organizations in the Middle East (even targets within Iran). Europe and the US were also of interest to the group, with victims often working in defense, political, research, human rights, media and journalism, academic, and scientific (i.e. nuclear) roles.
As for Cobalt Gypsy, activities from this group have appeared to target telecommunications, government, defense, oil and financial services firms in the Middle East and North Africa.
Find out more: Magic Hound on MITRE ATT&CK
MuddyWater is an Iranian threat group that is relatively new compared to some of its cohorts, but which has been evolving steadily since 2019. Trend Micro does not consider it as advanced an APT as other groups (i.e. like CopyKittens, there's no evidence here of the group using zero-day exploits or advanced malware kits), but they are agile and use what they have effectively.
For example, within days of Trend Micro publishing a report on the group in 2018, they changed some of their tactics.
MuddyWater has been using spear phishing and Android malware to compromise its victims, covering their tracks as they go.
Common MuddyWater targets have been in the Middle East area (i.e. Turkey and Afghanistan), or Asia. More recently, though, the group has begun to target European nations as well as the US.
Most victims were governmental in nature, with a majority in education, foreign affairs, defense, interior, finance, trade and customs. There were also a number of victims found in the telecommunications sector, including telcos and web hosting providers.
Find out more: MuddyWater on MITRE ATT&CK
Windshift was first revealed to the world by security company DarkMatter at the 2018 Hack in the Box conference. DarkMatter's researcher thought the group had been operational since 2016, and was notable because it targeted a group of quite uncommon victims - OSX users. Indeed, Windshift's malware would not work on a Windows device.
It's also worth pointing out that Windshift's MO is very similar to another known group called Bahamut, where some of the same infrastructure is used. In addition to OSX attacks, Bahamut was revealed by BlackBerry to employ at least one zero-day developer exhibiting a skill level "above and beyond other APTs."
Finally, there is one last thing of note. Windshift deploys tools that were developed by an Indian security company called Appin (whose website is now offline). Appin at the time denied any involvement in espionage, and it is believed their tools may have been stolen.
Windshift utilizes techniques that will now be familiar to anyone who has read the other APT groups in this list - spear phishing and social media engineering. The key point of difference here is that they are capable of targeting Apple users.
Windshift has been highly targeted in their choice of victim, choosing specific individuals in government departments and critical infrastructure across the Gulf Cooperation Council region. As mentioned, it's notable that Windshift can target OSX users as opposed to Windows or Android.
Bahamut is similar in its choice of targets, focusing on individuals over companies. Their targets are concentrated around political, economic and social spheres in the Middle East as well, in addition to South Asia (i.e. some spoofed websites focused on political issues such as the Sikh Referendum of 2020 in India).
Find out more: Windshift on MITRE ATT&CK
To properly defend yourself against APT threats - or at least mitigate their risk - we would highly recommend that your enterprise performs a top-to-bottom analysis of the business using a modern security architecture framework.
To talk to a security professional about your individual organization and how it might be at threat, get in touch with us immediately for a free maturity consultation.
In the meantime, however, we know these things take time. Between now and then, there are a few quick-wins you can accomplish to better improve your security in relation to cyber espionage threats.
Multi-factor authentication (MfA) makes it that one step harder for outside actors to access your systems via compromised accounts (which, as we've seen by this point, is common). It can:
Tips for implementing multi-factor authentication:
Read more from Microsoft: "How to implement Multi-Factor Authentication"
Better security starts with your people. In fact, a company's own staff tends to be one of its biggest weak points when it comes to cyber protection. As you can see clearly above, most threat groups look for entry points by targeting people with phishing links.
Risk awareness training is your way to build a culture of cyber safety in your enterprise, from the most senior to the most junior employee. Everyone who has access to the system must know their role in protecting it. Risk awareness training will:
Tips for implementing risk awareness training:
While some of the more advanced cyber espionage groups have techniques that help them circumvent malware monitoring services, it's still vital that your company's computers come equipped with the most up-to-date software you can get in order to mitigate much of the risk.
Not only that, but you will need a policy in place to ensure that your devices remain up to date over time. There's no use investing in anti-virus software now only for it to become irrelevant in a couple of years.
Good anti-virus software will:
Tips for finding the right anti-malware software:
○ Network perimeter
○ Mail servers
○ LAN servers
○ Workstations (including home and remote users, contractors and vendors).
○ What are the top threats you must contend with?
○ Will the software slow down your pre-existing software, or crash it?
○ Is the software easy to use?
○ How frequently is it updated with new threats?
○ Is the vendor able or willing to support your roll-out, and will they provide ongoing support?
When everyone can access everything, it only takes one user to be compromised for an APT to get their hands on your data. So, ensuring that some of your IT users are more 'privileged' than others means only the people you trust have administrative access to critical systems.
Tips for implementing PAM:
You will find that the principles of ZeroTrust are vital here. To learn more about ZeroTrust, watch our webinar on cloud security on demand, or read our article "4 critical steps to implementing best practice cloud architecture".
Intrusion prevention systems are like the other side of the coin to anti-virus software. They're designed to monitor network communications in an enterprise for suspicious activity and intervene where necessary. An IPS system will:
Tips for implementing a network IPS:
Actively monitoring your applications can help your operations team spot potential threats as they occur, or very close to when they occur if not in real time. This is especially important for apps that are attractive to APTs, such as any that allow access to the system (i.e. they are internet facing), which generate revenue, or that have a compliance tick (i.e. GDPR, SOX).
Tips for implementing better application monitoring:
It's utterly critical that you work to expand your app teams from DevOps to DevSecOps - integrating experienced security personnel into the entire CI/CD pipeline from ideation right through to monitoring and feedback.
Including security experts at each stage of developments allows them to check for problems as you go, potentially mitigating the risk that an app will go to launch with major vulnerabilities undetected.
Learn more: "What is DevSecOps, and how is it different to DevOps?"
APTs are a very real threat no matter where your enterprise operates in the world. Even if your organization does not fit the "who is at risk" profiles we've outlined in this article, the simple fact that you're connected to the digital supply chain puts you at risk.
That's where we come in.
At dig8ital, we have extensive experience building better security architecture for even the largest organizations, having worked with some of Germany's most prominent and complex businesses across sectors.
You don't have to face the cyber threat alone. Contact us today for a free maturity consultation and let's talk about what we can do for your unique business.