RiskFinancial CrimeNation-state Sponsored Cyberespionage Growing in Sophistication

Nation-state Sponsored Cyberespionage Growing in Sophistication

Nation-state sponsored cyberespionage attacks are becoming more sophisticated, targeting carefully defined users with complex, modular tools, and keeping well under the radar of increasingly effective detection systems, according to Kaspersky Lab.

The Russia-based security software specialist said the new trend was confirmed during a detailed analysis of the EquationDrug cyberespionage platform.

Kaspersky Lab specialists found that, following the industry’s growing success in exposing advanced persistent threat (APT) groups, the most sophisticated threat actors now focus on increasing the number of components in their malicious platform in order to reduce their visibility and enhance stealth.

The latest platforms now carry many plugin modules that allow them to select and perform a wide range of different functions, depending on their target victim and information they hold. Kaspersky Lab estimates that EquationDrug includes 116 different plugins.

“Nation-state attackers are looking to create more stable, invisible, reliable and universal cyberespionage tools,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “They are focused on creating frameworks for wrapping such code into something that can be customised on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users.

“Sophistication of the framework makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities designed for direct financial gains.”

The company reports that other ways in which nation-state attackers’ tactics differ from traditional cybercriminals include:

  • Scale: Traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, while nation-state actors prefer highly targeted, surgical strikes, infecting just a handful of selected users.
  • Individual approach: While traditional cybercriminals typically reuse publicly available source code such as that of the infamous Zeus or Carberb Trojans, nation-state actors build unique, customised malware, and even implement restrictions that prevent decryption and execution outside of the target computer.
  • Extracting valuable information: Cybercriminals in general attempt to infect as many users as possible. However they lack the time and storage space to manually check all the machines they infect and to analyse who owns them, what data is stored on them and what software they run – and then to transfer and store all potentially interesting data.

As a result they code all-in-one malware stealers that will extract only the most valuable data such as passwords and credit card numbers from victims’ machines – activity that could quickly bring them to the attention of any security software installed.

Nation-state attackers on the other hand have the resources to store as much data as they want. To escape attention and remain invisible to security software they try to avoid infecting random users and instead rely on a generic remote system management tool that can copy any information they might need and in any volumes. This could, however, work against them as moving a large volume of data could slow down the network connection and arouse suspicion.

Related Articles

Why working in silos is a killer when battling financial crimes

Cyber Security & Fraud Why working in silos is a killer when battling financial crimes

2w Andrew Simpson
PSD2: dull name, but seismic effect

Clearing & Settlement PSD2: dull name, but seismic effect

3m Alex Kwiatkowski
Staying one step ahead: PSD2 and the future of fraud

Financial Crime Staying one step ahead: PSD2 and the future of fraud

3m Seth Ruden
8 predictions for treasury in 2018

Financial Crime 8 predictions for treasury in 2018

4m Bob Stark
FDIC sues 9 European banks over Libor

Banking FDIC sues 9 European banks over Libor

8m Victoria Beckett
Appreciating supply chain cyber risk

Cyber Security & Fraud Appreciating supply chain cyber risk

8m Peregrine Storrs-Fox
The death of the password: biometric banking

Automation The death of the password: biometric banking

8m Paul Sheldon Foote
The insecurity of fraud victims in the fight against cyber-assailants

Bank Relationships The insecurity of fraud victims in the fight against cyber-assailants

8m Keiron Dalton