sb-nz logo
Story image

Cyber-espionage attacks are more sophisticated than ever

New cyber-espionage attacks are becoming more sophisticated and are flying under the radar of increasingly effective detection systems, Kaspersky Lab experts have found.

This finding is the result of detailed analysis of the EquationDrug cyber-espionage platform - the main espionage platform developed by the Equation Group.

Kaspersky Lab experts note that the industry is experiencing growing success in exposing Advanced Persistent Threat (APT) groups, and in turn more sophisticated threat actors now focus on increasing the number of components in their malicious platform in order to reduce their visibility and enhance stealth.

The latest platforms now carry many plugin modules that allow them to select and perform a wide range of different functions, depending on their target victim and information they hold.

Kaspersky Lab estimates that EquationDrug alone includes 116 different plugins.

Costin Raiu, Kaspersky Lab director of the global research and analysis team, says, “Nation-state attackers are looking to create more stable, invisible, reliable and universal cyber-espionage tools.

“They are focused on creating frameworks for wrapping such code into something that can be customised on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users.”

“Sophistication of the framework makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities designed for direct financial gains,” Raiu says.

The experts have identified other ways in which nation-state attackers differentiate their tactics from traditional cybercriminals.

For one, traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, but nation-state actors prefer highly targeted, surgical strikes, infecting just a handful of selected users, according to Kaspersky Lab.

Furthermore, traditional cybercriminals typically reuse publicly available source code such as that of the infamous Zeus or Carberb Trojans, whereas nation-state actors build unique, customised malware, and even implement restrictions that prevent decryption and execution outside of the target computer.

Extracting valuable information is another key differentiating factor.

Cybercriminals in general attempt to infect as many users as possible. However they lack the time and storage space to manually check all the machines they infect and to analyse who owns them, what data is stored on them and what software they run.

As a result, they code all-in-one malware stealers that will extract only the most valuable data such as passwords and credit card numbers from victims’ machines – activity that could quickly bring them to the attention of any security software installed.

Nation-state attackers, on the other hand, have the resources to store as much data as they want.

To escape attention and remain invisible to security software they try to avoid infecting random users and instead rely on a generic remote system management tool that can copy any information they might need and in any volumes. 

However, Kaspersky Lab says this could work against them as moving a large volume of data could slow down the network connection and arouse suspicion.

“It may seem unusual that a cyber-espionage platform as powerful as EquationDrug doesn't provide all stealing capability as standard in its malware core.

“The answer is that they prefer to customise the attack for each one of their victims,” Raiu says.

“Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities.

“We believe modularity and customisation will become a unique trademark of nation-state attackers in the future,” says Raiu. 

Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More
Story image
Video: 10 Minute IT Jams - The benefits of converged cloud security
Today, Techday speaks to Forcepoint senior sales engineer and solutions architect Matthew Bant, who discusses the benefits of a converged cloud security model, and the pandemic's role in complicating the security stack in organisations around the world.More
Story image
OT networks warned of vulnerabilities in CodeMeter software
Manufacturers using the Wibu-Systems CodeMeter third-party licence management solution are being urged to remain vigilant and to urgently update the solution to CodeMeter version 7.10.More
Link image
Webinar: How to navigate an increasingly crowded field of security solutions
Tools need to be organised and managed, issues need to be explored and resolved and all of this takes money and time. Find out more in this immersive webinar.More
Download image
Network functions virtualisation: What is is, how to use it, and why it matters
Network functions virtualisation (NFV) is fast becoming the go-to method of simplifying corporate networks from planning, through deployment and management.More
Story image
Proofpoint and CyberArk extend partnership to further safeguard high-risk users
“Our CyberArk partnership extension provides security teams with increased detection and enhanced adaptive controls to help prevent today’s most severe threats."More