{"id":19480,"date":"2020-03-05T08:14:41","date_gmt":"2020-03-05T13:14:41","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/apt-collateral-damage\/19480\/"},"modified":"2020-04-14T21:37:13","modified_gmt":"2020-04-14T16:07:13","slug":"apt-collateral-damage","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/apt-collateral-damage\/19480\/","title":{"rendered":"Collateral damage from APTs"},"content":{"rendered":"<p>Folks usually relate to APTs about the same way we relate to espionage in general: It\u2019s certainly a big deal, but it won\u2019t hit us mere mortals, right? Most of us don\u2019t carry any significant industrial or government secrets on our phones and don\u2019t work with classified information on our computers, so why would we be of interest to them?<\/p>\n<p>Well, folks are mostly right. It\u2019s very unusual for the average person to be targeted by a nation-state\u2013sponsored actor, but we can still be collateral damage. Daniel Creus of Kaspersky\u2019s Global Research and Analysis Team (GReAT) spoke on that topic recently in Barcelona. This post quickly recaps it and describes the three ways ordinary people can run afoul of an APT attack.<\/p>\n<h2>Collateral damage scenario #1: The wrong website at the wrong time<\/h2>\n<p>In comparison with smaller actors, APTs have enough money for a bunch of zero-day exploits, including the ones that make remote <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/watering-hole\/\" target=\"_blank\" rel=\"noopener noreferrer\">watering hole<\/a> attacks possible. 
<a href=\"https:\/\/googleprojectzero.blogspot.com\/2019\/08\/a-very-deep-dive-into-ios-exploit.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Research by Google Project Zero in 2019<\/a> revealed that one actor used 14 different vulnerabilities, combined into five separate exploit chains covering iOS 10 through iOS 12, to infect targets with spyware.<\/p>\n<p>Those exploit chains were served to iOS users who merely visited specific politics-related websites: loading the page was enough, and visitors ended up with a spyware implant on their phones. The thing is, the actor did not distinguish among website visitors, meaning that <em>all<\/em> iOS users who visited the site got infected, regardless of whether they were of any interest to the actor.<\/p>\n<p>And that was hardly the only APT attack that involved a watering hole. For example, one of the attack vectors of the infamous <a href=\"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">NotPetya (aka ExPetr)<\/a> started with the infection of a government website: when users visited it, malware was downloaded and executed on their computers. You may remember that NotPetya caused tremendous collateral damage.<\/p>\n<p>So, one of the problems with APTs is that threat actors may have no interest in targeting you in particular, but if you happen to visit the wrong website or download the wrong app, you will get infected nevertheless, and the private information on your device will be exposed to them \u2014 or destroyed, as with NotPetya, which posed as ransomware but in practice worked as a wiper, leaving victims no workable way to recover their data.<\/p>\n<h2>Collateral damage scenario #2: Serious toys in cybercriminals\u2019 hands<\/h2>\n<p>Among other things, APTs often seek the secrets of other APTs. They tend to hack each other and sometimes leak the tools that their foes use. Other, smaller and less advanced actors pick those tools up and use them to build malware, which sometimes gets out of control. 
Remember that the infamous <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">WannaCry ransomware<\/a> spread using EternalBlue, an exploit for the SMBv1 file-sharing service in Windows that was among the Equation Group\u2019s cyberweapons published by the Shadow Brokers in 2017. Microsoft had patched the underlying flaw (MS17-010) two months before the outbreak, but hundreds of thousands of machines were still unpatched and reachable.<\/p>\n<p>More threats, including NotPetya\/ExPetr, <a href=\"https:\/\/www.kaspersky.com\/blog\/bad-rabbit-ransomware\/19887\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Bad Rabbit<\/a>, EternalRocks, and others, relied on exploits from the same leak: NotPetya and EternalRocks used EternalBlue, and Bad Rabbit used its sibling EternalRomance, which targets the same SMB service. A single leaked toolkit thus resulted in a series of huge epidemics and many smaller events that together affected hundreds of thousands of computers and disrupted the work of numerous businesses and government agencies around the world.<\/p>\n<p>In summary, the second problem ordinary people face with APTs is that threat actors create really dangerous tools and sometimes fail to contain them. As a result, these dangerous things can end up in the hands of cybercriminals \u2014 of varying degrees of competence \u2014 who don\u2019t hesitate to use them, sometimes affecting lots of innocent people.<\/p>\n<h2>Collateral damage scenario #3: Leak of collected data<\/h2>\n<p>As we mentioned above, the actors behind APTs have a tendency to hack each other. Sometimes they publish not only the tools they loot, but also the information their foes harvested using those tools. For example, that\u2019s how the data harvested by the infamous cyberespionage tool <a href=\"https:\/\/securelist.com\/whos-who-in-the-zoo\/85394\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ZooPark<\/a> became publicly available.<\/p>\n<p>In the past two years, as many as 13 stalkerware vendors either were hacked or left the information they collected exposed online on unprotected, publicly reachable web servers. 
Leaks afflict more serious actors as well: Gamma Group, the creators of the notorious FinFisher surveillance suite, <a href=\"https:\/\/www.zdnet.com\/article\/top-govt-spyware-company-hacked-gammas-finfisher-leaked\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">were hacked<\/a> in 2014, and the even more notorious <a href=\"https:\/\/arstechnica.com\/information-technology\/2016\/04\/how-hacking-team-got-hacked-phineas-phisher\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Hacking Team<\/a>, which developed surveillance tools for government customers, was hacked in 2015, with its source code and internal e-mail dumped online.<\/p>\n<p>So, there\u2019s the third problem: even if an APT has nothing to do with average users, even if it just stockpiles their information without using it against them, once that data leaks, smaller fish will gladly feed on it to extort people or to mine it for private details \u2014 from credit card numbers and document scans all the way to contact info and compromising photos.<\/p>\n<h2>How to stay safe from APTs<\/h2>\n<p>Although APTs are significantly more sophisticated than the average malware, the same hygiene that protects against common threats also limits your exposure to the collateral damage described above.<\/p>\n<ul>\n<li>Disable installation of apps from third-party sources on Android phones. On Android 8 and later this is a per-app permission (Install unknown apps) granted to whichever app does the installing, such as a browser or file manager, rather than one global switch. If you really need to install some trusted app from outside Google Play, allow it once for that app only, and revoke the permission when you\u2019re done.<\/li>\n<li>Regularly check <a href=\"https:\/\/www.kaspersky.com\/blog\/android-8-permissions-guide\/23981\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">permissions of the apps<\/a> you have installed on your device and revoke any that an app does not plausibly need for what it does (a flashlight app has no business reading your contacts or location). It\u2019s also a good idea to check the list of permissions an app uses before installing it. 
You can find the list in Google Play.<\/li>\n<li>Avoid visiting shady websites and clicking links from sources you do not completely trust. Unknown people won\u2019t send you links and apps with good intentions. Some APTs can compromise legitimate websites, as in the watering-hole cases above, but many still rely on good old phishing.<\/li>\n<li>Install operating system and application updates promptly. Leaked exploits such as EternalBlue keep working only on machines that missed the fix; WannaCry hit two months after the patch for the flaw it used was available.<\/li>\n<li>Use a <a href=\"https:\/\/www.kaspersky.co.in\/advert\/security-cloud?icid=in_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> that scans everything about to be installed or downloaded on the device and checks every link and every package. Consider it a last line of defense: even if a bad actor tricks you or uses an exploit to get into your device, the security solution can still protect you.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How APTs compromise the privacy and security of average citizens that they do not target 
directly.<\/p>\n","protected":false},"author":675,"featured_media":19481,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2196],"tags":[483,36,2064,43,527,2045,2897],"class_list":{"0":"post-19480","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-apt","9":"tag-malware-2","10":"tag-notpetya","11":"tag-privacy","12":"tag-threats","13":"tag-wannacry","14":"tag-zoopark"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/apt-collateral-damage\/19480\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/apt-collateral-damage\/16085\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/apt-collateral-damage\/8046\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/apt-collateral-damage\/21115\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/apt-collateral-damage\/19374\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/apt-collateral-damage\/17859\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/apt-collateral-damage\/22031\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/apt-collateral-damage\/20802\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/apt-collateral-damage\/27588\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/apt-collateral-damage\/7882\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/apt-collateral-damage\/33929\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/apt-collateral-damage\/14438\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/apt-collateral-damage\/14506\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/apt-collateral-damage\/13137\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/apt-collateral-damage\/23236\/"},{"hreflang":"zh","url":"htt
ps:\/\/www.kaspersky.com.cn\/blog\/apt-collateral-damage\/11208\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/apt-collateral-damage\/25085\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/apt-collateral-damage\/21811\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/apt-collateral-damage\/26998\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/apt-collateral-damage\/26837\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/19480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=19480"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions"}],"predecessor-version":[{"id":20236,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions\/20236"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/19481"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=19480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=19480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=19480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}