17 January 2022

Cybersecurity year in review: Most notable APT hacks of 2021

While 2021 has seen no shortage of notable cybersecurity events, it will mostly be remembered for a series of brazen ransomware attacks which made headlines over the past year, such as the attacks on the major US oil pipeline operator Colonial Pipeline, the meat-processing giant JBS, the US-based Kaseya, and others. With everything that happened, nation-state actors somewhat faded into the background, but let’s not forget - they are still out there and still pose a significant threat, as we’ll see.

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation-state hacker group, which compromises computer networks belonging to its targets of interest with the intent to conduct cyber-espionage, steal valuable data, or perform other malicious activities. Such a threat actor’s motivation can be either political or economic.

Usually, APT groups are highly skilled and well-resourced and use a variety of techniques to reach their goals, such as exploiting well-known and zero-day vulnerabilities on vulnerable systems. APT attacks are usually carefully planned and multi-staged, and require advanced knowledge of the organization’s infrastructure, security policies and procedures.

While most APTs use custom-built malware, some have been observed leveraging publicly available tools.

In 2021, we have seen some pretty significant cyberattacks that were linked to state-backed hacker groups, with targets ranging from government entities to enterprises in various industries, such as defense, financial services, legal services, industrial, telecoms, consumer goods, etc.

At the beginning of 2021, security researchers at Certfa detailed a mobile phishing campaign they attributed to the Iran-linked hacker group known as Charming Kitten, APT35 or Phosphorus. The campaign targeted organizations in the Persian Gulf, Europe, and the US, including think tanks, political research organizations, professors, journalists, and environmental activists, with fake text messages from “Google Account Recovery” and fake emails with Christmas content in order to compromise victims’ accounts and steal sensitive information.

Slovak internet security firm ESET shared details about a cyber-espionage campaign, which they dubbed “Operation Spalax”, aimed exclusively at Colombian government entities and private companies, especially in the energy and metallurgical industries. In the campaign, said to be active since 2020, the attackers used three Remote Access Trojans (RATs) - Remcos, njRAT and AsyncRAT. The researchers said at the time that the attack shared similarities with previous attacks by an APT group targeting the country since at least April 2018, but they did not identify the culprit.

It was also revealed that Lebanese Cedar APT (aka Volatile Cedar), believed to be a Hezbollah-linked group, breached 250 companies worldwide, including in Israel, Egypt, Jordan, Saudi Arabia, the UAE, and the United States. The cyber-espionage campaign, which began in early 2020, affected internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE. The attribution was made based on the discovery of Caterpillar WebShell and Explosive RAT in the majority of compromised networks. Both Caterpillar WebShell and Explosive RAT are custom tools used by Lebanese Cedar.

Another interesting cyber-espionage campaign was spotted by Google’s Threat Analysis Group (TAG). This one targeted security researchers involved in vulnerability research and development at different companies and organizations and was orchestrated by a “government-backed entity based in North Korea.” Posing as security researchers to lure their victims and gain their trust, the attackers created an elaborate scheme, which involved fake research blogs containing analysis of publicly disclosed vulnerabilities, as well as multiple Twitter profiles for posting links to their blog, publishing videos of their claimed exploits and for amplifying and retweeting posts from other accounts under their control.

Several months later, Google detected a similar campaign, in which the same actor set up a new website with associated social media profiles for a fake company called “SecuriElite,” which allegedly provided security services, such as pentests, software security assessments and exploits.

North Korea is among the countries that have been accused of launching cyberattacks seeking to steal coronavirus vaccine-related research and data. In February, South Korea's National Intelligence Service revealed that North Korean hackers attempted to breach the computer systems of the US pharmaceutical giant Pfizer in a search of information related to the development of a coronavirus vaccine and treatment technology.

Early 2021 also saw a widespread hacking campaign involving a set of four zero-day vulnerabilities affecting on-premises Microsoft Exchange Servers, which allowed attackers to gain access to user emails and passwords on affected servers, administrator privileges on the server, as well as access to connected devices on the same network. The hack impacted tens of thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide.

The first attacks were observed in January 2021 by cybersecurity company Volexity, when it detected suspicious activity on two of its customers’ Microsoft Exchange servers. In March, Microsoft released security updates to address the bugs. The company linked the hacking campaign to the China-linked state-sponsored hacker group Hafnium, known for targeting entities in the United States with the goal of stealing information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

ESET said at the time that it observed several other APT groups, such as the Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso, exploiting "at least" the CVE-2021-26855 Microsoft Exchange Server vulnerability as part of ongoing attacks.

In July, the US and several allies publicly accused hackers affiliated with the Chinese government of the Microsoft Exchange Server hack. In the past, China has consistently denied any form of state-sponsored hacking, instead saying the country itself is a major target of cyberattacks.

Throughout 2021, security researchers observed numerous hacking campaigns bearing marks of a Chinese cyber-espionage actor. One of the most notable attacks involved a breach of at least ten Indonesian government ministries and agencies, including Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN). The hack is believed to be the work of Mustang Panda, a Chinese threat actor known for its cyber-espionage campaigns targeting the Southeast Asian region. The intrusion was discovered by Insikt Group, the threat research division of Recorded Future, in April this year.

Mustang Panda was also linked to a cyber-espionage operation, dubbed “Operation Diànxùn”, targeting telecommunication companies based in Southeast Asia, Europe, and the US. The researchers believe that the goal of the operation was to obtain information pertaining to 5G technology, and that it was likely motivated by the ban on the use of Chinese technology in 5G rollouts in several countries.

Another China-linked APT group known as Naikon was seen staging cyberattacks against military organizations in Southeast Asia between June 2019 and March 2021. At the start of the operation, the hackers used the Aria-Body loader and a backdoor called ‘Nebulae’ as the initial stage of the attack. The threat actors added the RainyDay backdoor to their toolset starting in September 2020, and the goals of this operation were cyber-espionage and data theft.

In March, Facebook disrupted a cyber-espionage operation orchestrated by China-backed hackers that was targeting activists, journalists and dissidents predominantly among Uyghurs living abroad.

The threat actor behind this campaign is believed to be a hacker group known as Earth Empusa or Evil Eye. The malicious actor used Facebook to distribute links to malicious websites hosting malware.

More recently, the Hafnium APT, the threat actor behind the widespread Microsoft Exchange hack, has been observed exploiting the Log4Shell vulnerability (CVE-2021-44228) in Apache’s Log4j logging utility. The disclosure of the flaw caused widespread alarm because Log4j is used in many commonly deployed enterprise systems. According to Microsoft researchers, who discovered the malicious activity, Hafnium used the flaw to attack virtualization infrastructure.

As for Iranian hackers, they have certainly been busy in 2021. A relatively new player on the global cyber-stage compared to their North Korean, Chinese, or Russian ‘colleagues’, Iranian (or Iran-linked) APTs are often viewed as less sophisticated, but what they lack in technical skills they make up for in social engineering trickery. The main objectives of Iranian state-sponsored espionage are organizations in the Middle East, notably Israel, Saudi Arabia, and the UAE, as well as dissidents or those considered to be enemies of Iran.

State-backed Iranian hackers are known to invest considerable effort in creating fake personas on social media as part of social engineering tactics to trick potential victims into opening malicious links or attachments. In one such case, a cyberespionage group associated with the Iranian government tried to infiltrate Israeli companies by impersonating HR personnel to lure IT experts and hack into their computers to get access to their company’s data. To achieve their goal, the group, tracked as Siamesekitten, Lyceum, or Hexane, used supply chain tools and a large infrastructure.

In another campaign, TA456 (Tortoiseshell) hackers for years posed as a glamorous Liverpool-based aerobics instructor in order to install malware on the machine of an employee of the US aerospace defense contractor.

In May, researchers from SentinelOne published a report on activities of a relatively new player, tracked as Agrius, which was observed targeting Israeli entities with wiper attacks disguised as a ransomware operation. Active since early 2020, the threat actor was initially focused on entities in the Middle East region, but in December 2020 pivoted to Israel.

The Agrius APT relies on both public and private malware families to aid its attacks. For example, it has been planting the open-source ASPXSpy malware on compromised networks along with a previously unidentified ransomware/wiper called Apostle.

Another APT group known as TA453, Charming Kitten or Phosphorus, targeted medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel with phishing emails.

In October, Microsoft warned of an emerging Iran-linked threat actor that is using password-spraying techniques to break into defense technology companies in the United States, Israel and parts of the Middle East.

Tracked as DEV-0343, the group has been attempting to compromise Office 365 accounts since at least July 2021, according to Microsoft.

The company also said that Iranian state-sponsored hacker groups are increasingly hitting IT services companies in India and Israel in an attempt to obtain access to their customers’ networks. Microsoft said it has sent over 1,600 notifications to alert more than 40 IT companies of hacking attempts coordinated by Iranian APT groups. This represents a significant rise in attacks, compared to 48 notifications in 2020.

For many years threat actors believed to be working on behalf of the Russian government have been major players in the global cyber-espionage landscape, conducting sophisticated attacks against various targets across the world. Compared to other groups, Russia-linked state-sponsored threat actors typically have more sophisticated tactics, techniques, and procedures (TTPs), alongside custom malware development capabilities and tighter operational security.

One of these is the Nobelium APT, suspected to be behind a massive supply-chain attack against the US-based software developer SolarWinds in December 2020. The attack involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

Nobelium, also tracked as UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto), and StellarParticle (CrowdStrike), focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

Since the SolarWinds hack, the group has repeatedly made headlines for its various malicious activities. In May, Microsoft, which continues to track the group’s activity, revealed that Nobelium has targeted over 150 organizations across at least 24 countries since January 2021. The attackers used a compromised Constant Contact account to distribute legitimate-looking phishing emails that contained a link which, when clicked, delivered a malicious file that planted a backdoor dubbed NativeZone onto the victim’s system. This backdoor allows attackers to perform various activities, ranging from stealing data to infecting other machines on the network.

In September, Microsoft said it discovered a new malware used by Nobelium to steal data from compromised Active Directory Federation Services (AD FS) servers, as well as to download and execute additional payloads.

The group also targeted at least 140 organizations in a new round of supply chain attacks. This large-scale campaign has been active since May 2021 and affected Cloud Service Providers, Managed Service Providers, and other IT services organizations. In these attacks the threat actors did not leverage exploits for vulnerabilities, but rather used well-known techniques like password spraying and spear phishing.
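Password spraying, the technique attributed above to both DEV-0343 and Nobelium, has a distinctive footprint in sign-in telemetry: one source tries a handful of passwords against many accounts, so each account sees only one or two failures and account lockout thresholds are never tripped. The following detection, written for this article as an added example (it is not code from the article, Microsoft, or any of the vendors named), slides a time window over failed sign-ins grouped by source IP and flags sources that touch many distinct accounts with few attempts each, then counts any later successes from the same source. The log format, the IP addresses and account names, and the thresholds (5 accounts, at most 2 failures per account, 60-minute window) are all constructed for the example and would need to be tuned to a real tenant's sign-in logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry): timestamp, account, source IP, result.
# 203.0.113.7 tries one password against six accounts and eventually succeeds on one;
# 198.51.100.20 is a single user mistyping their own password; 192.0.2.9 is a normal sign-in.
SAMPLE_EVENTS = """\
2021-07-02T03:10:01Z alice@example.test 203.0.113.7 FAILURE
2021-07-02T03:10:04Z bob@example.test 203.0.113.7 FAILURE
2021-07-02T03:10:09Z carol@example.test 203.0.113.7 FAILURE
2021-07-02T03:10:15Z dave@example.test 203.0.113.7 FAILURE
2021-07-02T03:10:22Z erin@example.test 203.0.113.7 FAILURE
2021-07-02T03:10:30Z frank@example.test 203.0.113.7 FAILURE
2021-07-02T03:12:00Z frank@example.test 203.0.113.7 SUCCESS
2021-07-02T03:11:00Z alice@example.test 198.51.100.20 FAILURE
2021-07-02T03:11:20Z alice@example.test 198.51.100.20 FAILURE
2021-07-02T03:11:41Z alice@example.test 198.51.100.20 FAILURE
2021-07-02T03:12:05Z alice@example.test 198.51.100.20 SUCCESS
2021-07-02T03:13:00Z bob@example.test 192.0.2.9 SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated sign-in lines into dicts; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "result": result.upper(),
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for IPs whose failures within any `window` touch at least
    `min_users` distinct accounts with no more than `max_per_user` failures per account.
    Many accounts with few tries each is the spray signature; a single account with many
    failures (classic brute force, or a forgetful user) is deliberately not matched."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (failures if e["result"] == "FAILURE" else successes)[e["ip"]].append(e)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] all fall within `window` of each other.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            per_user = Counter(e["user"] for e in span)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Keep the widest window seen for this source.
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(per_user),
                        "attempts": len(span),
                        "first": span[0]["ts"],
                        "last": span[-1]["ts"],
                    }
        if best:
            # A success from the same source after the spray began is the event to escalate.
            best["successes_after"] = sum(
                1 for s in successes.get(ip, []) if s["ts"] >= best["first"])
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {f['distinct_users']} accounts, {f['attempts']} failures, "
              f"{f['successes_after']} later success(es) between {f['first']} and {f['last']}")
```

On the constructed input only 203.0.113.7 is flagged (six accounts, six failures, one later success); the three failures from 198.51.100.20 stay below the distinct-account threshold, which is the point of keying on account breadth rather than raw failure volume. In production the same logic would run over the sign-in log export of the identity provider, with the source key extended to cover the rotating addresses attackers use to stay under per-IP thresholds.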

Russia-linked threat actors are thought to be behind some of the most high-profile cyberattacks in recent years, but despite all the media coverage they show no sign of slowing down. For example, in February 2021 the Sandworm APT was named the culprit behind a series of attacks that targeted French entities running the Centreon IT monitoring software, and in July reports emerged that APT29 (Cozy Bear) had compromised the computer systems of the US Republican National Committee (RNC) via a third-party provider.
