Advanced Persistent Threat (APT) activity is on the increase, with nation-state-backed attacks targeting COVID-19 research. The claim comes from NTT Ltd in its July Global Threat Intelligence Center (GTIC) report. Writing on the APT threat, Danika Blessman, Senior Threat Intelligence Analyst at the GTIC, says: “While the world is ‘distracted’ by COVID-19, APTs are attempting to garner intelligence. Some of this is intelligence on the virus, and some actors want to exact ‘revenge’ for the virus.”
Blessman continues saying: “We’ve observed APTs, particularly those suspected to be backed by nation-states, focusing their intelligence-gathering efforts on COVID-19 research. Many nations are attempting to get the upper hand on COVID-19 research – both for the health of their citizens, as well as for monetization of a potential (and very valuable) treatment or vaccine.
“Unsurprisingly, APTs are targeting the healthcare industry heavily while it’s at its most vulnerable. From international organizations to research organizations to hospitals and even individual healthcare workers and first responders.”
Who is responsible for the attacks?
Attribution is notoriously tricky because it is easy to copy code and buy access to infrastructure. However, Blessman calls out groups linked with Iran, North Korea and Vietnam for a range of different attacks. Iran-backed groups have targeted the World Health Organisation (WHO) with a phishing attack. Blessman believes this is an attempt to gain access to data on testing, treatments and vaccines.
Another group, DarkHotel, an APT linked to North Korea, has also targeted the WHO. Like the Iran-backed groups, it seems to be focused on intelligence gathering. It went as far as creating a duplicate of the WHO email system. Blessman says that this was: “likely designed to obtain credentials from multiple agency staffers. The attack appeared to attempt to gain and maintain a foothold within the WHO’s network, as well as gain access to other healthcare and humanitarian organizations connected to the WHO network.”
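A cloned email portal only harvests credentials if staff reach it, so the first practical check is on the domain in the sender address or login link. The script below is an added example written for this article, not code from NTT, the GTIC, the WHO or Enterprise Times. It classifies candidate domains against a protected domain (who.int, which is real) by the common imitation tricks: digit and accent homoglyphs (including the punycode form), the brand used as a subdomain of an unrelated registrable domain, the brand embedded in a longer name, a swapped TLD and one-character typosquats. Every candidate domain is constructed for the example, and the code assumes the registrable domain is the last two labels (it uses no public-suffix list, so co.uk-style suffixes would be misjudged).

```python
"""Classify sender/link domains that imitate a protected domain.

Added example for this article; not code from NTT/GTIC, the WHO or
Enterprise Times. The protected domain who.int is real; every candidate
domain below is constructed. The registrable domain is assumed to be the
last two labels (no public-suffix list), which is wrong for co.uk-style suffixes.
"""
import unicodedata

# Characters and pairs commonly swapped for look-alike letters.
HOMOGLYPHS = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label):
    """Undo punycode, strip accents, fold common look-alikes to plain ASCII."""
    try:
        label = label.encode("ascii").decode("idna")   # xn--... -> unicode
    except UnicodeError:
        pass                                           # label is already unicode
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected="who.int"):
    """Return a verdict string for one candidate domain."""
    d = domain.lower().rstrip(".")
    if d == protected or d.endswith("." + protected):
        return "legitimate"
    labels = d.split(".")
    if len(labels) < 2:
        return "unrelated"
    if ".".join(normalise(l) for l in labels) == protected:
        return "homoglyph"                              # wh0.int, whó.int / xn--...int
    prot_sld, prot_tld = protected.split(".", 1)        # assumes a two-label protected name
    registrable = ".".join(labels[-2:])
    prefix = d[: -len(registrable) - 1]                 # everything left of the registrable domain
    if protected in prefix:
        return "brand-as-subdomain"                     # who.int.secure-login.com
    sld = normalise(labels[-2])
    if sld == prot_sld and labels[-1] != prot_tld:
        return "tld-swap"                               # who.org
    if protected.replace(".", "") in sld or protected.replace(".", "-") in sld:
        return "brand-embedded"                         # who-int-mail.com
    if labels[-1] == prot_tld and edit_distance(sld, prot_sld) <= 1:
        return "typosquat"                              # wo.int
    return "unrelated"


# Constructed candidates, as they might appear in a From: address or a login link.
CANDIDATES = [
    "who.int", "mail.who.int", "wh0.int",
    "whó.int".encode("idna").decode("ascii"),          # punycode form of the accented name
    "who.int.secure-login.com", "who-int-mail.com", "who.org", "wo.int", "example.com",
]


def triage(domains=CANDIDATES, protected="who.int"):
    """Map each candidate domain to its verdict."""
    return {dom: classify(dom, protected) for dom in domains}


if __name__ == "__main__":
    for dom, verdict in triage().items():
        print(f"{dom:28} {verdict}")
```

Anything other than "legitimate" is worth a mail-gateway rule or a user-facing warning; the "tld-swap" and "typosquat" classes will also catch unrelated short names, so treat those verdicts as triage input rather than a block decision.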
Blessman says that APT32, linked to Vietnam, is targeting China. It is: “targeting staff email accounts of China’s Ministry of Emergency Management, the center of the national effort to contain the virus, as well as the government of Wuhan. Spear-phishing emails contained a malicious link harboring a virus called Metaljack, which allowed access to the targeted machine upon a successful download.”
Enterprise Times: What does this mean?
APT activity is on the increase. There is a danger of cybersecurity teams becoming too focused on all things COVID-19. Yes, it is successfully used as a lure. Yes, there are heightened attacks against organisations researching the virus. However, that does not mean that attackers have dropped all their other campaigns.
Once inside, APT groups use their initial foothold to reach other parts of the network. They then use built-in operating system tools to live off the land and carry out reconnaissance from within, which draws far less attention than dropping custom malware and lets them pick their targets more precisely. Blessman warns: “APTs are adept at moving laterally through an organization’s network and may be able to move from a target in the legal department, to those scientists involved in COVID-19 research.”
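Living off the land means the individual commands are legitimate, so detection has to look at the pattern rather than the binary. The script below is an added example written for this article, not code from NTT, the GTIC or Enterprise Times. It runs over a constructed process-creation export (timestamp, host, user, image, command line, the fields a Sysmon Event ID 1 or EDR export typically carries) and flags a host/user that runs several distinct built-in reconnaissance tools inside a short window, noting any remote-execution command seen alongside them. The export format, host names, user names and every event line are constructed; the first host plays the legal-department workstation from the quote above, probing for a research file server.

```python
"""Flag living-off-the-land reconnaissance bursts in process-creation events.

Added example for this article; not code from NTT/GTIC or Enterprise Times.
The pipe-separated export, host names, user names and every event line are
constructed. Adapt parse_events() to your own Sysmon/EDR export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries commonly chained for internal reconnaissance.
# One on its own is routine; several distinct ones from the same host/user
# inside a short window is the signal.
RECON_TOOLS = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
    "systeminfo.exe", "nslookup.exe", "quser.exe", "tasklist.exe",
    "arp.exe", "dsquery.exe", "netstat.exe",
}
# Built-ins that can execute on or connect to another host (lateral movement).
LATERAL_TOOLS = {"wmic.exe", "psexec.exe", "winrs.exe", "sc.exe", "schtasks.exe"}

# Constructed sample export: timestamp|host|user|image|command line
SAMPLE_EVENTS = """\
2020-07-01T09:00:01|LGL-WS01|corp\\jdoe|C:\\Windows\\System32\\whoami.exe|whoami /all
2020-07-01T09:00:09|LGL-WS01|corp\\jdoe|C:\\Windows\\System32\\net.exe|net group "Domain Admins" /domain
2020-07-01T09:00:15|LGL-WS01|corp\\jdoe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp
2020-07-01T09:00:40|LGL-WS01|corp\\jdoe|C:\\Windows\\System32\\nslookup.exe|nslookup research-fs01
2020-07-01T09:01:05|LGL-WS01|corp\\jdoe|C:\\Windows\\System32\\wbem\\wmic.exe|wmic /node:research-fs01 process call create "cmd /c whoami"
2020-07-01T09:30:00|RES-WS07|corp\\asmith|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2020-07-01T14:12:00|RES-WS07|corp\\asmith|C:\\Windows\\System32\\whoami.exe|whoami
"""


def parse_events(text):
    """Parse the constructed export into dicts; image is reduced to its basename."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmd": cmd,
        })
    return events


def detect_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """One alert per host/user that ran >= min_distinct distinct recon tools
    within `window`; remote-execution commands in the same window are attached."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["image"] in RECON_TOOLS or ev["image"] in LATERAL_TOOLS:
            by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window anchored on each event
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            recon = {e["image"] for e in in_window if e["image"] in RECON_TOOLS}
            lateral = [e["cmd"] for e in in_window
                       if e["image"] in LATERAL_TOOLS
                       and ("/node:" in e["cmd"].lower() or "\\\\" in e["cmd"])]
            if len(recon) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "window_start": first["ts"],
                    "recon_tools": recon,
                    "lateral_cmds": lateral,
                })
                break                            # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} {a['user']} from {a['window_start']:%H:%M}: "
              f"{sorted(a['recon_tools'])}"
              + (f"; remote exec: {a['lateral_cmds']}" if a["lateral_cmds"] else ""))
```

On the sample data only LGL-WS01 fires: four distinct recon tools in about a minute, followed by wmic executing on the research file server. The second host runs the same binaries but hours apart, which is what an administrator's day looks like, so it stays quiet. Tune `window` and `min_distinct` against a week of your own baseline before alerting on it.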
It is not just organisations involved in COVID-19 research that should be concerned. The report says there is increasing evidence that manufacturers are under sustained attack, with attackers planting code in their systems and waiting for customers to reconnect as the global economy begins to recover.
There has also been an increase in Business Email Compromise (BEC) scams tied to the global recovery, looking to cash in on companies trying to acquire new businesses cheaply.
As people return to the office, it is likely there will be an increase in reported attacks of all kinds, because many of the emails sent during the pandemic have been sitting unread in the inboxes of furloughed workers.