Complexity of cyber-espionage campaigns will increase, more threat actors will join the cyber war scene

Dec 11, 2014 16:41 GMT  ·  By

Activity of advanced persistent threat (APT) groups reached a new height this year, but security researchers predict that in 2015 the attacks will increase in complexity and frequency, as a larger number of actors will get involved.

In a webinar today, Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, offered his view of how APT attacks will evolve next year and the challenges they may bring, based on the analysis and trends observed this year.

More threat actors to join the cyber war

He predicts that large APT groups will splinter into smaller ones as a result of the naming-and-shaming tactics adopted by victim countries, with a direct reference to the five Chinese nationals, members of the Comment Crew group, who were indicted in the US for breaching the networks of numerous US organizations.

Other groups were also mentioned, with Putter Panda, Energetic Bear, Turla and Regin on the list. Raiu warns that these smaller cells will continue to work for the same contractor and launch attacks that form part of a larger operation.

As the number of threat actors carrying out campaigns grows, so will the number of incidents. Next year, however, the increase could also come from more countries joining the cyber war race: language resources not usually encountered in APT-style attacks have started to emerge.

Malicious tools will be more persistent

One of the clear trends noticed in 2014 was the adjustment of malicious software for 64-bit systems. As adoption of this platform continues to grow, malware authors will keep adapting their code to work in the new environment.

The complexity of the malicious tools is also expected to increase, with more stubborn persistence techniques that are not restricted to a single platform but extend to network equipment that relies on an embedded OS to function.

On the same note, Raiu said that the use of virtual file systems is likely to rise in APT attacks next year, along with other techniques designed to prevent file analysis.

New data exfiltration methods

As seen in the case of Regin, threat actors are looking to maintain stealth for as long as possible, relying on a proxy that does not draw attention to exfiltrate information from the target and to deliver commands.

With the recently uncovered Inception / Cloud Atlas, the data collected from victims was stored in accounts on the CloudMe online storage service, along with updated modules for the malware. Since blocking such services in an enterprise is not an option, this is a significant problem.

Other methods of removing information from an infected computer are likely to be seen, such as the use of compromised trusted websites, the WebDAV protocol, DNS requests, or UDP and ICMP traffic.

Operators will seek ways to become more elusive

Planting false leads about the attacker's origin in the malware code is another trend that might be seen more often in next year's APT operations. This happened with Cloud Atlas, but Raiu says the attackers did not do a good job of it and left some hints behind.

Other methods of confusing researchers could include the use of multiple languages in the malware code (Cloud Atlas has plenty of false flags).

Botnets could play a major role next year too, as APT groups may start creating them to support their operations. Raiu mentioned Animal Farm and Darkhotel, which relied on networks of compromised systems this year.

He did not forget the legal malware created by companies such as Gamma International and Hacking Team, whose software has been associated with cyber-espionage campaigns and domestic surveillance. This type of business is a “high-reward, low-risk” one.

The bottom line is that APT groups will try to lower exposure and adopt more advanced techniques to stay under the radar.

APT predictions (5 images): Regin APT is among the most sophisticated attacks; Epic Turla cyber-espionage campaign; Machete APT targeted mostly victims in South America.