APT Groups don’t go under the grid after a successful attack!

Pierluigi Paganini February 16, 2016

What happened to some of the APT groups behind clamorous cyber attacks? Why don't they go dark anymore after being outed? This is a behavior completely different from the past.

I’m sure everyone remembers the Sony attack that occurred in 2014, when the US Government blamed the North Korean Government for the attack, materially executed by a hacking group dubbed GOP. In the past, the APT groups behind major attacks went underground for some time until the dust settled, but now more and more hacking crews remain active after a big score, using information gathered from the successful attack to target more victims.

Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, expressed his opinion on the Sony hack.

“They didn’t disappear when the dust settled,” he said.

Last week, during the summit in Tenerife, Guerrero-Saade and Jaime Blasco provided some news about the Sony hackers:

“It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack.”

Why don’t threat groups remain under the radar after a big score?

Kurt Baumgartner, principal security researcher at Kaspersky Lab, argues that in the past APT groups “would immediately shut down their infrastructure when they were reported on”. “You just didn’t see the return of an actor sometimes for years at a time.”

Baumgartner used the example of Darkhotel, a Korean-speaking attack group mostly known for hacking WiFi networks at luxury hotels with the purpose of targeting high-level executives. Even though Darkhotel is not attacking hotels anymore, it has not gone into hiding either: in July it was discovered that Darkhotel was using a zero-day Adobe Flash exploit (disclosed in the Hacking Team data breach).

“Within 48 hours, they took the Flash exploit down … They left a loosely configured server”.

Darkhotel doesn’t look worried about exposure: “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active.”

Several groups are assumed to behave similarly. The Equation Group, for example, which many experts have linked to the NSA, is believed to have changed its communication methods to avoid detection.

“I would assume they are active but just changed their” communications, explained Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”

Equation Group Targets APT groups

This pattern is found over and over among hacking groups, and it looks like notoriety doesn’t stop these groups anymore.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – APT groups, hacking)
