While companies focus on business email compromise (BEC), ransomware and regular malware, a major cyber threat is slipping right under their radar: Advanced Persistent Threat (APT) actors.
In a new report by its cybersecurity researchers, Proofpoint says many APT actors target small and medium businesses in particular, with goals ranging from cyberespionage to intellectual property (IP) theft, from disinformation campaigns to overt disruptive behavior.
In some cases, APTs are also looking for money, especially when they target blockchain companies and decentralized finance (DeFi).
It’s also not uncommon for these APTs to have “convergent interests” with countries like Russia, Iran or North Korea, the researchers added. According to the report, these groups are also quite formidable adversaries.
Researchers describe them as “skilled cybercriminals” who are well funded and have a clear purpose. Their modus operandi usually includes phishing. First, they spoof or hijack an SMB's domain or email address and then use it to send malicious emails to other targets.
If an APT actor has compromised the web server hosting the domain, it uses that server to host or deliver malware aimed at third parties.
One such group is TA473, also known as Winter Vivern. This APT was observed targeting US and European government institutions with phishing emails between November 2022 and February 2023. The group used emails originating from unpatched or insecure WordPress-hosted domains to attack its victims. It also used unpatched Zimbra webmail servers to hack into email accounts of government entities.
When all is said and done, the APT phishing landscape is becoming “increasingly complex”, the researchers say, adding that cybercriminals are “avidly looking” to attack vulnerable small and medium businesses and regional SMEs.