Kaspersky’s Cyber Threat Intelligence Team has published a monumental study on Asian APTs’ Tactics, Techniques, and Procedures (TTPs), providing the most comprehensive information on the approaches identified during their investigation. This exclusive study is publicly available and is designed to enhance the understanding of the way contemporary APT groups operate, along with effective defense mechanisms.
The Kaspersky Cyber Threat Intelligence team analyzed around one hundred incidents that occurred across different regions worldwide, starting from 2022. The team used the Unified Kill Chain methodology to conduct a comprehensive study of the attackers’ actions, basing their findings on the TTPs employed by the analyzed groups. Within the report, experts provide insights into five specific incidents that occurred in Russia and Belarus, Indonesia, Malaysia, Argentina, and Pakistan – each of which illustrates the geo-distributed nature of these attacks.
In this extensive 370-page analytical report, the TTPs used by APT groups at each stage of the attack process are meticulously documented. Additionally, the report offers recommendations on combating such attacks, and includes Sigma rules that can be used to detect them.
To ensure it is globally accessible and can be understood by researchers and security specialists, this study leans heavily on internationally renowned threat analysis tools, practices, and methodologies, such as MITRE ATT&CK, F3EAD, David Bianco’s Pyramid of Pain, Intelligence Driven Incident Response, and the Unified Cyber Kill Chain.
The research reveals that, despite numerous attacks, the range of techniques encountered remains limited, allowing researchers to delve more deeply into their analysis. Here are some of the key findings:
- Asian APTs exhibit no regional bias in target selection. Their victims span the globe, posing a challenge to anyone attempting to identify which region is most frequently targeted. This implies attackers employ consistent tactics across the world, demonstrating their ability to employ a uniform arsenal against various victims.
- An important trait of these attackers is their adept use of a combination of techniques. They employ ‘Create or Modify System Process: Windows Service (T1543.003)’, which enables them to escalate privileges. They also use ‘Hijack Execution Flow: DLL Side-Loading (T1574.002)’, a technique commonly employed to evade detection. This strategic combination appears to be a distinctive hallmark of Asian cyber groups.
- The main focus of these Asian groups is cyber espionage, as evidenced by their efforts to gather sensitive information and funnel it to legitimate cloud services or external channels. Although it is uncommon, there are instances where these groups deviate from this pattern, as seen in one of the examined incidents which involved the use of ransomware in the attack.
- The most targeted industries include government, industrial, healthcare, IT, agriculture, and energy.
The systematization of the various TTPs used by attackers has led to the development of a specific set of meticulously crafted Sigma rules, aiding security specialists in detecting potential attacks within their infrastructure.
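The two techniques named above, a new Windows service used for privilege escalation (T1543.003) and DLL side-loading used for evasion (T1574.002), leave distinct traces in host telemetry that detection logic can join. The script below is an added illustration of that kind of correlation; it is not code from the report and it does not reproduce any of its Sigma rules. It assumes Windows System log Event ID 7045 (“A service was installed in the system”) and Sysmon Event ID 7 (image load) records exported as JSON-like dictionaries with their standard field names; the event records, paths and file names are constructed sample data.

```python
"""Correlate service-installation events (System 7045) with Sysmon image-load
events (Sysmon 7) to surface the T1543.003 + T1574.002 combination.

Added example, not from the report. Field names follow the Windows System log
and Sysmon schemas; how your log shipper names them is an assumption to check.
"""
import ntpath

# Directories from which a service binary is normally installed. A new service
# whose binary lives anywhere else is treated as a T1543.003 candidate.
TRUSTED_SERVICE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                        r"c:\program files", r"c:\program files (x86)")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal service install: binary under System32.
    {"EventID": 7045, "Channel": "System", "ServiceName": "UpdateSvc",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs", "StartType": "auto start"},
    # Suspicious service install: binary in a user-writable directory.
    {"EventID": 7045, "Channel": "System", "ServiceName": "WinHelpSvc",
     "ImagePath": r"C:\Users\Public\Libraries\hostapp.exe", "StartType": "auto start"},
    # Side-loading layout: that binary loads an unsigned DLL from its own directory.
    {"EventID": 7, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Users\Public\Libraries\hostapp.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign image load: signed system DLL into a system process.
    {"EventID": 7, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def service_binary(image_path: str) -> str:
    """Extract the executable from a 7045 ImagePath, which may carry arguments."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted path: take up to closing quote
        return p[1:p.find('"', 1)]
    idx = p.lower().find(".exe")               # unquoted: cut after the .exe token
    return p[:idx + 4] if idx != -1 else p.split(" ")[0]


def in_trusted_dir(path: str) -> bool:
    """True if the file sits under one of the trusted installation directories."""
    return ntpath.dirname(path).lower().startswith(TRUSTED_SERVICE_DIRS)


def suspicious_services(events):
    """T1543.003 candidates: newly installed services with an untrusted binary path."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 7045:
            exe = service_binary(ev["ImagePath"])
            if not in_trusted_dir(exe):
                hits.append({"technique": "T1543.003", "service": ev["ServiceName"], "exe": exe})
    return hits


def sideload_candidates(events):
    """T1574.002 candidates: an unsigned DLL loaded from the process's own directory,
    outside the trusted directories (the typical side-loading layout)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or str(ev.get("Signed", "")).lower() != "false":
            continue
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        if exe_dir == dll_dir and not in_trusted_dir(ev["Image"]):
            hits.append({"technique": "T1574.002", "exe": ev["Image"], "dll": ev["ImageLoaded"]})
    return hits


def correlate(events):
    """Join both detections on the executable path. A match on both is the
    escalation-plus-evasion combination the report singles out."""
    services = suspicious_services(events)
    sideloads = sideload_candidates(events)
    combined = [
        {"technique": "T1543.003+T1574.002", "service": s["service"], "exe": s["exe"], "dll": d["dll"]}
        for s in services for d in sideloads if s["exe"].lower() == d["exe"].lower()
    ]
    return {"services": services, "sideloads": sideloads, "combined": combined}


if __name__ == "__main__":
    for kind, hits in correlate(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

Each detector is useful on its own, but the joined result is the higher-confidence signal: a service registered from a user-writable path whose binary then pulls an unsigned DLL from the same directory. In a production pipeline the same join would be keyed on host and a time window rather than on the path alone.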
“In the world of cybersecurity, knowledge is the key to resilience. Through this report, we aim to empower security specialists with the insights they need to stay ahead of the game and safeguard against potential threats. We urge the entire cybersecurity community to join us in this knowledge-sharing mission for a stronger and more secure digital landscape,” comments Nikita Nazarov, Head of Threat Exploration at Kaspersky.
Kaspersky researchers continuously discover new tools, techniques, and campaigns launched by APT groups in cyberattacks around the world. The company’s experts monitor over 900 operations and groups, with 90% being related to espionage. They actively share their latest findings and exclusive insights through the Kaspersky Threat Intelligence Portal (TIP). Kaspersky TIP is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.