APT groups are on the move. Here’s how to beat them back.

In an increasingly interconnected digital landscape, the persistent and sophisticated nature of cyber threats poses an unrelenting challenge to organizations worldwide. As technology advances, so do the tactics of those seeking to exploit its vulnerabilities. Among these threats, Advanced Persistent Threats (APTs) stand out for their adaptability and ingenuity. As enterprises navigate the complexities of the modern cybersecurity landscape, an in-depth understanding of APTs becomes paramount.

Advanced persistent threats continue to dominate the threat landscape. In an analysis of the first half of 2023, FortiGuard Labs researchers saw significant activity among APT groups, several of which were especially active, and one of which was particularly troublesome.

APT activity in the first six months of 2023

In the first half of 2023, our threat researchers found that nearly one-third of all categorized APT groups were active. By categorized APT groups we mean the 138 groups that MITRE tracks as part of its work supporting the ATT&CK framework. Mapping and assessing the threat landscape requires paying close attention to the aggregate activity of these groups. Between January and June 2023 we observed activity attributable to 30% of them, 41 groups in total. Based on analysis of shared code lineage in the malware involved (the malware’s “genetic” code), the most active of these were Turla, WildNeutron, StrongPity, OceanLotus, and Winnti.

A closer look at Turla

Turla may be one of the most adept and enduring threat groups in operation. It has used a variety of aliases, including Krypton, Uroburos, Snake, and Waterbug, and it has been operating for more than 20 years. More than 45 high-profile attacks on the energy sector, the media, government institutions, and embassies around the world have been linked to Turla.
For years, the group has successfully penetrated organizations while remaining undetected, even in heavily monitored environments. Given the progression of the Russian-Ukrainian war, seeing greater activity from this group wasn’t surprising.

The good, the bad, and your next steps

The good news is that, at least for now, APT activity is still highly targeted: only a small portion of all organizations were affected by such attacks in the previous six months. That makes sense, because APT groups don’t spend their cyber weapons on scattershot strikes. It in no way means you can take your hands off the wheel, though. Threat actors aren’t going to slow down anytime soon, especially when organized cybercrime gangs make it easier for them to generate quick cash. Yet there are many steps enterprises can take today to better defend their networks from these threats.

Sharing and using threat intelligence to counter the rising volume and sophistication of cyber threats matters more than ever. To prevail in this conflict, the public and commercial sectors must deepen their sharing of threat intelligence. Without common standards for sharing, processing, and reporting it, intelligence is hard to act on immediately through comprehensive playbooks, which is what effective response requires. Shared threat intelligence is nonetheless a crucial element of smooth, prompt, and effective response. Today’s defenders have access to a wealth of resources, information, and assistance required to start changing the economics of an attack, all of which serve as robust deterrents against adversaries.

Understanding attack flows, from the initial entry points where attackers gain access to a system through post-exploitation activities such as privilege escalation and data exfiltration, is also critical for developing effective cybersecurity strategies.
This knowledge empowers defenders to anticipate and thwart the various stages of an attack, bolstering overall resilience against cyber threats. Lastly, there has never been a better opportunity to update security teams’ processes and deploy new security technologies. Enterprise networks must be protected both now and in the future through a thorough defensive strategy, created and maintained to fit each organization’s specific needs.

Be the MVP of security

In a threat landscape where APTs will continue to loom large, the insights from the first half of 2023 emphasize the critical need for heightened cybersecurity measures. APT groups displayed significant activity, and the resilient Turla group was particularly noteworthy, having demonstrated remarkable adaptability and sophistication over its two-decade-long run. Although APT attacks remain targeted, the evolving cybercrime ecosystem demands unwavering vigilance, particularly as various cybercrime groups are now observed sharing infrastructure with APT actors. To counter these threats, sharing and leveraging threat intelligence is paramount, as is understanding attack flows to fortify defensive strategies. Collaboration, timely response, and the integration of advanced security technologies offer a promising way forward for organizations to secure their networks effectively. Above all, take a proactive, platform-centric approach to security: choose security technologies designed to integrate with one another, which will make your detection and response efforts more efficient.