While widely known advanced persistent threat (APT) groups emanating from Russia and China grab most of the spotlight, an array of other nation-state and adjacent threat actors are increasingly launching cyber attacks around the globe.
At this year’s Cyberwarcon conference, nearly 20 of the world’s top cyber security researchers presented their thoughts on these less visible and complex groups, outlining their latest strategies and developments.
Iran’s APT33 gaining strength, global reach
Iran, which is rapidly emerging as one of the most destructive of the nation-state cyber warfare actors, has a threat group known as APT33, one of the country’s most malicious cyber actors.
APT33 has targeted aerospace, defence, and energy organisations. For the most part, the group is regionally focused, targeting Saudi-owned and -operated entities, according to Saher Naumaan, a threat intelligence analyst at BAE Systems Applied Intelligence.
APT33, also called Refined Kitten, Magnallium, Holmium and Alibaba, has been around since 2014 and is best known for its data wiping malware called Shamoon, which erased at least 30,000 computers belonging to Saudi Aramco in 2012. Since then, APT33 has been implicated in campaigns against industrial players in the Middle East and Europe.
However, in 2019, APT33 conducted a campaign that was “pretty narrow in scope and pretty targeted in a kind of a purpose-built set of domains and IP that they were using specifically for US political targets,” Naumaan said.
One of the most interesting aspects of APT33 is its timeline correlation with geopolitical events taking place in the Gulf of Oman, according to Naumann.
In May and June of 2019, in the aftermath of oil tankers targeted with explosive attacks in the Gulf, APT33 launched a series of spear-phishing campaigns to dovetail with those assaults.
Another aspect of APT33 is its rising level of power given a series of reforms in the Iranian intelligence and security apparatus following the implementation of a maximum pressure campaign by the US against Iran. The reorganisation saw the Iranian Revolutionary Guard Corps elevated in terms of rank and prestige, with more hawkish officials put into place.
With these changes, APT33 could get bolder, backed by new authority, power and resources, Naumann suggested. Another dynamic worth paying attention to in terms of APT33 over the coming months is a possible shift in Chinese investment and possible Russian cooperation.
Ned Moran, principal program manager at the Microsoft Threat Intelligence Center, shared some of the insights his company has gained into APT33 derived from telemetry.
One key take-away is the group’s fondness for password spray attacks, which use user account names combined with a few commonly used passwords to break into online accounts.
Another critical observation about APT33 is that “a lot of people take them as a sloppy group. They’re loud or noisy. Their spear phishes are relatively easy to attack,” Moran said.
In studying their telemetry “they are operationally very sophisticated, and they pay careful attention to opsec. They might not care that their phishes get detected,” he said. “What they care about is the ability to forensically link them back to Iran.”
Saudis hack to surveil and use bots for social media influence
Nathan Patin, an independent researcher and private investigator at Bellingcat, offered details on Saudi Arabia’s Saud al-Qahtani, once a high-level adviser to the crown prince of Saudi Arabia, Mohammed bin Salman (MBS).
He is also considered the mastermind behind the murder and dismemberment of Saudi Arabian journalist Jamal Khashoggi.
Al-Qahtani ran social media and surveillance operations for the Royal Court and was nicknamed “Lord of the Flies” for his extensive use of bots, which are also called “flies,” in trying to control the narrative on Twitter, particularly Arabic-speaking Twitter.
Patin tracked the activity of al-Qahtani online, starting with email addresses from a Motherboard report on how al-Qahtani tried to buy surveillance tools from controversial spyware vendor Hacking Team.
What he discovered was years’ worth of posts on popular hacking site Hack Forums that revealed al-Qahtani’s intrusion and spying methods. On Hack Forums, al-Qahtani sought help from hackers on a wide array of subjects and sought help in installing Trojans. He admitted to using at least 24 different remote access tools or RATs, of which his favorite was one called Hack Shades.
At one point, al-Qahtani partnered with a user on Hack Forums called “Lassie” in perfecting a surveillance solution to record all voices in a room.
At another point, he tried to hire a hacker to manage his botnet for $500 per month. He also had a massive social media influence operation, purchasing 525 accounts on YouTube and hiring hundreds of young men in and around Riyadh to staff his troll farms.
At another point, al-Qahtani sought to freeze or ban specific Twitter accounts only to be informed on Hack Forums that he could only do so if he gained access to internal Twitter operations.
It’s no surprise, then, that just last month the US Department of Justice brought criminal charges against a Saudi mole who worked inside Twitter but has now gone back to Saudi Arabia.
Despite his high-level role in the Royal Court, al-Qahtani had terrible operational security. On at least three separate occasions, he posted on Hack Forums--by his own admission--when he was drunk, a startling confession in a country where alcohol is officially banned and heavily frowned upon by Saudi rulers.
All but three domains that al-Qahtani personally registered since 2009 contained personally identifiable information, including his full name, email address and phone number.
A Saudi dissident tweeted in August 2019 that al-Qahtani was dead, having been poisoned by the Saudi regime. This assertion hasn’t been confirmed and seems suspect given other indications that al-Qahtani is alive and still working for the royal family.
Russia’s Wagner Group focuses on physical disruption
One of Russia’s most curious new threat groups is called the Wagner Group, a paramilitary organization focused mostly on physical, kinetic operations, according to Renee Diresta, technical research manager at the Stanford Internet Observatory.
The Wagner Group, possibly a contractor, is working with Russia’s main intelligence operation, the GRU, as well as the country’s well-known influence and propaganda operation, the Internet Research Agency, on topical matters to advance geopolitical and other interests attributed to the Russian state.
After running a major operation related to Libyan elections, the Wagner Group has moved beyond its previous role as a social media marketing agency to “being something that is actually quite a bit more nefarious because what they do once they have community infiltration is they encourage people to get out into the streets and protest.”
North Korean APT groups have military and commercial objectives
Another major powerhouse in the global APT arena is North Korea, which has a series of unique groups conducting cyber operations that blend the country’s previous models of attacks and targets, Crowdstrike’s Senior Analyst Katie Blankenship said. These groups are called Silent Chollima, Velvet Chollima, Ricochet Chollima, Stardust Chollima and Lab Chollima.
In 2015 all the Chollima groups started to advance their capabilities. Around 2017 they began to shift gears as North Korean leader Kim Jong Un changed his country’s intelligence policy focus from strictly military to a blend of military and economic objectives.
Although most of the targets were still in North Korea’s favourite target area, South Korea, the groups began to expand their focus and efforts around the globe, branching out from their previous sole focus of espionage to conducting criminal and destruction campaigns.
North Korea is a well-known player in the financial crimes business, being linked to a number of large-scale digital bank heists and cryptocurrency thefts.
Blankenship said that the Chollima groups have “really started to become a new avenue” for currency thefts. They have started to become what Kim Jon Un himself has called an “all-purpose sword” to support North Korea’s goals.
“What we found under the criminal mission has not only been those large-scale currency theft operations aimed at likely supporting the state, but we're also starting to see lower scale currency-backed operations within each of the groups themselves. It's possible that these are aimed at supporting the state but are also actually a mechanism for a self-funding” to keep the individual groups operational, she said.