In the wake of the Russian invasion of Ukraine, there have been repeated spikes in cyberattacks on specific targets across Europe. These include satcom infrastructure in Ukraine, renewable energy projects in Germany and Norway, and increased reconnaissance activity against the Czech Republic, Belgium, and Spain. These attacks followed increased scanning activity and the exchange of malware and breach tools between Chinese and Russian APT groups in April this year. Through such collaboration, APT groups in both countries have built up latent capabilities that are only unleashed after specific event thresholds are crossed.
The attacks logged by Taiwan before the visit of US House Speaker Nancy Pelosi earlier this month targeted government websites, convenience stores, and cafes. These attacks appear to have been designed to signal a high level of irritation over the visit and to demonstrate the ability of Chinese APT group 27 to strike at will across the Taiwan Strait in a highly visible manner.
The APT groups operating out of Russia and China are now focusing more on effectiveness and outcomes than on the means used. The KPIs tracked by these groups include the visibility of attacks (media coverage), actual impact, the response from the targeted entity, and the impact on government decision-making.
Estonia, meanwhile, has faced the most intensive cyberattacks on its digital space since 2007. The most recent attacks, on August 18th, were designed to deliver a clear message to the Estonian government. According to an official communication carried by Estonian Public Broadcasting (ERR), the attacks were tied to the removal of a Soviet-era tank monument from the border city of Narva.
The large-scale and sudden DDoS attacks that targeted both public institutions and the private sector did not have the desired effect. E-Estonia is still running, and the site remained accessible for most of the day apart from brief periods of lag. What is worrying about these attacks is the number of websites targeted with custom malware in less than 24 hours. The threat actors seeded commonly visited sites to target users and telcos, with malware detected on 137 devices across internet service providers, according to ERR.
In addition to the DDoS attacks, the attackers also attempted to phish personal and banking details from several internet users, and tried to reach government agencies through private sector organizations. A pro-Russian group has claimed responsibility for the attack, while another has claimed credit for facilitating it through scanning. One of these groups was also behind the attack on Latvian government websites last week.
Latent strike capability from APT groups, a new concern for cyber defenders
In the attacks on Taiwan and Estonia, the actors used capabilities and tactics that are not widely known. The specific actors involved were also shielded from exposure until the actual attack by assembling teams from various permutations and combinations of actors drawn from different APT groups. Such teams are put together for specific projects and disbanded once the attacks are executed, so as not to attract retaliatory attacks.
Characteristics of latent capabilities
- These capabilities may be developed quickly or over years, but they are not used during routine attacks
- Such capabilities are backed by extensive collaboration among APT groups. We have seen such collaboration among Chinese, Russian, and North Korean groups in the recent past. At least one Iran-based APT group is also showing signs of developing latent capabilities in association with a yet-to-be-identified international threat actor
- At any given point in time, multiple groups are kept on standby for such attacks. The group finally allocated the project may be chosen at random to prevent information from leaking out or to avoid drawing attacks from rival adversarial or APT groups
- In the coming months, such attacks may target more entities and governments
Our Decoy and Deception solution can keep you a step ahead of hackers and other bad actors.
Sign up for a threat assessment now to see what your threat environment looks like.