European Focused Threat Actors – APT Groups

Introduction

Cyber attacks experienced during the COVID-19 pandemic process have increased not only in vectors and numbers but also in terms of their impact. The pandemic process has expanded the surface of attacks and caused an increase in the number of cyber attacks targeting organizations through homes and offices. Also, cyber threat environments are changing with the fact that attackers are coming up with new technologies and processes constantly.

For example, in 2021, when we inspect the SolarWinds attack, which made an enormous impact, it seems that the malware has adopted a way of distributing embedded in a trusted product. After the SolarWinds attack, it has been determined that 1500 small and medium-sized companies were affected, especially the U.S. and Europe.

It has been observed that the main motivation of individual threat actors who carry out European-focused attacks is to earn financial gain. Cybercriminals have made the banking/financial sector the main target. With the crisis of the COVID-19 Pandemic, targeted ransomware attacks have increased swiftly. Many organizations that could not afford service interruptions had to pay the requested ransom. Although, some ransomware groups have demanded more ransomware, threatening organizations to publish stolen data using Double Extortion methods.

Threat actors that are supported by governments usually organize longer-term operations in the interests of the state they are affiliated with. Financial interests are in the background and trying to obtain strategic intelligence about the targeted country. It all comes to this that it is significant for security teams’ operations in today’s environment, where visibility and agility are crucial more than ever to be able to monitor cyber threat actors and their ongoing activities.

APT Groups

APT28 – Fancy Bear

Main Targeted Sectors: Energy, Government Agencies, Media

Associated Malware: CHOPSTICK, SOURFACE, WinIDS, X-Agent

APT28, also known as Fancy Bear, is a Russia-based threat that carries out offensive operations targeting especially NATO member states and Eastern European countries. APT28, with its campaigns, uses malware families tailored to victims. APT28 also tries to directly compromise the email accounts of target organizations by using password spraying techniques. With that, it has been observed that it tries to reduce the need to distribute malware to collect user data.

For more information about “APT28 – Fancy Bear” Threat Actors, click here.

APT15

Main Targeted Sectors: Economy and Finance, Energy, Commerce, Military

Associated Malware: Enfal, Baldeagle, Noisemaker, Mirage

APT15 group, thought to be China-Based, targets central organizations including a number of European countries, the USA, and South Africa. APT15 operators are also known to share various resources, including backdoors and technical infrastructure, with other Chinese APTs. APT15 typically uses spear phishing emails to gain initial compromise to global targets in various sectors of interest to the Chinese government.

APT35

Main Targeted Sectors: Energy, Defense Industry, Government, Communication

Associated Malware: Aspxshellsv, Brokeyolk, Pupyrat, Tunna, Mangopunch, Drubot, Houseblend

APT35 (aka Newscaster Team) is an Iranian government-backed cyber espionage group that conducts long-term operations to gather strategic intelligence. APT35 organizes spear-phishing campaigns to gain initial reach in the targeted organization. In addition, It was also observed that the group used compromised accounts with credentials collected from previous operations and password spraying attacks on exposed web applications as additional techniques to gain initial access.

 

APT27

Main Targeted Sectors: Government, Energy, Aviation, Transportation

Associated Malware: Pandora, Sogu, Zxshell, Ghost, Wideberth, Quickpulse, Flowerpot

China-backed APT27 threat group has targeted multiple organizations with headquarters worldwide, including North and South America, Europe, and the Middle East. APT27 generally launches spear phishing to gain initial access. APT27 threat actors are known for using a compromised account in the victim organization to send phishing emails to targeted organizations in similar industries rather than using zero-day vulnerabilities.

 

APT38 – Lazarus

Main Targeted Sectors: Economy and Finance

Associated Malware: APT38, one of the most productive groups, uses malware families to target financial organizations.

APT38 is a threat group supported by the North Korean regime. It was observed that this threat group carried out the largest known cyber heist. Although APT38 is known as “Lazarus” by the security community, APT38’s financial motivation, unique toolkit, tactics, techniques, and procedures (TTPs) suggest that they are a different threat group from Lazarus. in addition, APT38 is also known for aggressively destroying evidence or victim networks in its operations.

For more information about “Lazarus – APT38” threat actors, read our blog post.

APT29 – Cozy Bear

Main Targeted Sectors: Education, Energy, Finance, Government, Technology

Associated Malware: Aspxshellsv, Brokeyolk, Pupyrat, Tunna, Mangopunch, Drubot, Houseblend

APT29, nicknamed Cozy Bear, is a Russian-based threat group considered to act on behalf of the Russian Foreign Intelligence Service. APT29 has conducted spear phishing campaigns to deliver specific types of malware to organizations in various industries, particularly in Europe. The threat group is thought to be responsible for high-profile attacks such as the 2015 Pentagon attack, the FireEye hack, the SolarWinds attack, and the COVID-19 vaccine data theft. They also set a different example with their attempts to regain access to networks they previously lost operational control of.

 

To be continued…