The Ongoing Reciprocal Relationship Between APTs and Cybercriminals

The two main villains of the cyber security world are the nation state-backed Advance Persistent Threats (APTs) and cybercriminals, with their comprehensive infrastructure and circles known as the dark web. Both threat actors are independent, each with its own goals, actors and methods. However, over the years there has been quite a lot of cross-pollination between the two. 

Since entering the spotlight, APTs have been using tools commonly sold on the dark web. Specifically, Remote Access Trojans (RATs) such as Poison Ivy, have been found in many APT incidents. This was common enough that many people have contested the term “APT” itself, as RATs were not considered “Advanced” (in reality, the “Advanced” in APT refers to the infrastructure behind the threat actor, i.e. a nation state). The use of various cybercriminal tools available on the Dark Web has been consistent throughout the years in APT cases where data exfiltration has been the goal.

Cybercriminals, on the other hand, also took a page out of the APT book. Fraudsters have always targeted the customers of financial institutions as they were considered the weakest link. Instead of trying to gain access to the secure networks of banks, they would instead use Phishing attacks to compromise their victims. Other organizations have been victimized by criminals hacking into their systems, such as e-commerce websites, in order to steal credentials, but breaching a bank’s systems was considered such an unattainable goal, that the vast majority of criminals would not attempt it. 

At some point, though, criminals realized that if APTs have immense success in accessing organizations’ networks using their tools, they can do it themselves. Some criminal threat actors have adopted APT tactics, using Spear Phishing to send out malware-infected attachments, which was used to gain them access to banks’ IT systems. According to cybersecurity company Group-IB, a group named Cobalt used access to banking systems to remotely infect ATMs with malware, in what is known a Jackpotting attack.

In a later turn of events, APTs have started adopting cybercriminals goals. If historically the main goal of APTs is data exfiltration for the purpose of intellectual property theft and espionage, some groups more recently started victimizing organizations for profit. The most known group in that regards is the group known as Lazarus which is most likely linked to the North Korean regime. Lazarus was involved in a variety of attacks, including the Sony breach and DDoS incidents against South Korean targets. More notably, they were also linked to the 2016 Bangladesh bank attack, where illegal SWIFT network transfers of almost one billion dollars were issued, though only five of the thirty-five instructions were successful. The group was further linked to the WannaCry Ransomware, which was used in a worldwide cyberattack in May 2017. It used a leaked exploit originally developed by the NSA in order to infect Windows machines, then encrypted files and demanded ransom to free them. Over 300,000 computers were infected across 150 countries.

Lazarus and North Korea are not the only APTs that have shifted their focus on financial gain. According to various cybersecurity companies, Iranian groups backed by their government are currently targeting Israeli companies. According to researchers, while their goal appears to be monetary, the real reasoning for the attacks is political. On November 20th 2020, Israeli insurance company Shirbit was hacked by a group which identified as Black Shadows. They attempted to blackmail the company, warning that if they would not pay the hackers will leak stolen data. The company refused to pay and the data was indeed leaked, resulting in class action lawsuits and direct losses for the company. Despite the incident appearing to be criminal in nature, security vendor SentinelOne claimed that these actions were used to cover Iranian operations against Israel. This incident, as well as multiple other incidents against Israeli companies such as KLS Capital, are APT incidents that are a part of the current cold war between the countries. Other notable attacks as part of this campaign, according to ClearSky Cyber Security, were on Amital and Habana Labs.

Despite having different infrastructure, goals and methods, threat actors do not work in a vacuum. They feed off of each other. This is true to all malicious actors in the threat landscape. Those whose focus is to monitor cybercriminal activities should also take note of the happening in the APT space, as it may eventually trickle down to the criminal world. The opposite is also true, with tools, innovations and methods used by criminals eventually ending up in the hands of those who are backed by their government.

view counter

Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder. He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA, The Security Division of EMC.

Previous Columns by Idan Aharoni:
Tags: