Employee hacking a growing cyber concern in South Africa

6th December 2019 By: Schalk Burger - Creamer Media Senior Deputy Editor

South African enterprises are subjected to an array of cyberattacks, with sophisticated, specifically targeted attacks – advanced persistent threats (APTs) – being used to break into targeted companies’ networks, says cybersecurity multinational Kaspersky Global Research and Analysis Team security researcher Dmitry Galov.

The region is starting to experience more sophisticated APT attacks. Cyberattackers, having singled out certain organisations, target average employees and high-profile decision-makers in companies – either to use them as stepping stones to set up backdoors to attack the company or to steal sensitive commercial data directly from an infected device.

“Employees at all levels are often the means through which companies are attacked by APTs,” he says.

For example, an employee may be tricked or coerced into installing a piece of malware, or managers and directors can be targeted through spear phishing. The malware will analyse the organisation’s network and information technology environment and will create backdoors that the hackers can use for the next stages of the attack.

Such threat and cyberattack vectors are often difficult to limit, although companies should use available tools and solutions, such as network monitoring and behavioural analysis, to combat them.

“The digital transformation of businesses and industries is inevitable. While this aims to improve value, it also makes companies more vulnerable to targeted cyberattacks and, with this, a loss of customer trust in the event of a breach or hack.”

Further, cyberattackers are increasingly targeting supply chains, as was the case with Operation Shadow Hammer, where threat actors attacked supply chains in order to distribute their sophisticated malware along with program updates. This particular case was investigated at the beginning of this year and presented in April during the Kaspersky Security Analyst Summit, in Singapore.

“The Shadow Hammer case illustrates the sophistication of targeted attacks where the attack remained undetected in plain sight of hundreds of thousands of installations, while targeting only very specific computers. Threat actors selected victims with surgical precision to deploy next-stage malware and exfiltrate data from devices they were interested in, while staying quiet on all the others,” he illustrates.

APTs are used to infiltrate various companies to spy on them. In most incidents, such attacks are targeted and aimed at gaining access to sensitive and confidential information that may be leveraged, and the attacks are generally for financial gain. Some attacks are opportunistic and based on information leaks or perpetrated against companies going through periods of change or turmoil. In other cases, APT attacks can be sponsored by competitors or State actors.

“The resources and backing behind some of these APT attack campaigns are significant and, in such cases, we have seen very sophisticated and targeted attacks that use many new techniques and attack vectors. We monitor these and it is always interesting to see how they are evolving and changing their means towards infection success,” Galov says.

The aims of the attacks differ: in some cases, it is States involved in cyberwars and, in other cases, data is more valuable than money, but there are also splinters of these large hacking groups that attack financial organisations to steal money, as was the case with a subgroup of the large APT group, Lazarus.

“No organisation can be 100% safe from such attacks, but technical solutions, network monitoring and detection tools, security assessments of internal networks and tools to recover quickly from attacks provide a measure of protection.

“However, people still make mistakes and remain one of the major reasons that cyberattackers can get inside enterprises using such attack methods. Therefore, apart from normal cybersecurity awareness and education, threat knowledge provided for employees is a key part of cyberdefence,” says Galov.

This may seem obvious, he adds, but threat actors need only one stepping stone to get into internal networks. Therefore, enterprises should balance threat intelligence, cyberdefence tools and threat training as the price of being part of the digital world.