Know thy cyber enemies; let their strengths and weaknesses teach us how to remain resilient and proactive…

In analyzing around one hundred incidents that occurred in different regions worldwide from 2022 onward, cyber researchers have used the Unified Kill Chain methodology to systematize the signature tactics, techniques and procedures (TTPs) of advanced persistent threat (APT) actors.

Five incidents, which occurred in Russia and Belarus; Indonesia; Malaysia; Argentina; and Pakistan, were chosen as representative of the geographically distributed nature of APT attacks.

In documenting the TTPs used by APT groups at each stage of the 100 attacks analyzed, the threat report leans heavily on internationally recognized threat analysis frameworks and practices such as MITRE ATT&CK, F3EAD, the Pyramid of Pain, Intelligence-Driven Incident Response and the Unified Kill Chain.

Notably, the range of malicious techniques encountered proved limited, which allowed the researchers to analyze each one in more depth.

Key findings

The analysis report offers the following four findings:

    • No regional bias: The Asian APTs in the data set showed no regional bias in target selection. Their victims spanned the globe, making it hard to single out any region as the most frequently targeted. The attackers used consistent tactics everywhere, applying a uniform arsenal against varied victims.
    • Adept combinations of techniques: The APT actors used Create or Modify System Process: Windows Service (T1543.003), which enabled them to escalate privileges, together with Hijack Execution Flow: DLL Side-Loading (T1574.002), a technique in which a legitimate (often signed) application is made to load a malicious DLL placed alongside it, commonly employed to evade detection. This combination appears to be a distinctive hallmark of Asian cyber groups.
    • Main focus of Asian APTs: Cyber espionage was these groups’ main objective, as evidenced by their efforts to gather sensitive information and exfiltrate it to legitimate cloud services or other external channels. Although uncommon, there were instances where the groups deviated from this pattern, as in one of the examined incidents, which involved the use of ransomware.
    • Most targeted industries: government, industrial, healthcare, IT, agriculture and energy.

The systematization of the TTPs used by attackers has led to the development of a set of Sigma rules that security specialists may find useful in their work.
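As an added illustration (not Kaspersky’s code and not one of the report’s Sigma rules), the Python below turns the two-technique hallmark from the findings into detection logic over constructed Windows event records: a System event ID 7045 service-installation record for T1543.003 and a Sysmon event ID 7 image-load record for T1574.002, correlated per host so that the pair, rather than either noisy technique alone, raises a finding. The sample events, the trusted-directory list, the DLL-name list and the 15-minute window are assumptions made for the example; a production Sigma rule would key on the same event fields.

```python
"""Toy detector for the T1543.003 + T1574.002 combination.

Added example: the events below are constructed, not real telemetry, and the
directory/DLL lists are illustrative assumptions, not vendor-supplied rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories from which services and system DLLs are normally loaded (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")
# System DLL names frequently planted next to a legitimate executable for
# side-loading. Illustrative subset; extend it from your own telemetry.
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                      "cryptsp.dll", "dwmapi.dll", "msimg32.dll"}

# Constructed sample events. Field names follow System EID 7045 (ServiceName,
# ImagePath, StartType, AccountName) and Sysmon EID 7 (Image, ImageLoaded, Signed).
EVENTS = [
    {"ts": "2023-05-01T10:00:00", "host": "WS01", "channel": "System", "eid": 7045,
     "ServiceName": "WinUpdSvc", "ImagePath": "C:\\ProgramData\\upd\\svchost.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ts": "2023-05-01T10:00:04", "host": "WS01", "channel": "Sysmon", "eid": 7,
     "Image": "C:\\ProgramData\\upd\\svchost.exe",
     "ImageLoaded": "C:\\ProgramData\\upd\\version.dll", "Signed": "false"},
    {"ts": "2023-05-01T11:30:00", "host": "WS02", "channel": "System", "eid": 7045,
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ts": "2023-05-01T11:30:01", "host": "WS02", "channel": "Sysmon", "eid": 7,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    # Suspicious service with no matching side-load: must NOT produce a finding.
    {"ts": "2023-05-01T12:00:00", "host": "WS03", "channel": "System", "eid": 7045,
     "ServiceName": "Helper", "ImagePath": "C:\\Users\\Public\\helper.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]


def exe_from_image_path(image_path):
    """Strip surrounding quotes and trailing arguments from a 7045 ImagePath.
    Unquoted paths containing spaces are not handled (a known limitation)."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ", 1)[0]


def norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return str(PureWindowsPath(path)).lower()


def suspicious_service(ev):
    """T1543.003 heuristic: a new service (System EID 7045) whose binary lives
    outside the usual installation directories and runs as LocalSystem."""
    if ev["channel"] != "System" or ev["eid"] != 7045:
        return False
    exe = norm(exe_from_image_path(ev["ImagePath"]))
    return (not exe.startswith(TRUSTED_DIRS)
            and ev.get("AccountName", "").lower() == "localsystem")


def suspicious_sideload(ev):
    """T1574.002 heuristic: Sysmon EID 7 where a process loads a DLL carrying a
    well-known system DLL name from its own (non-system) directory, unsigned."""
    if ev["channel"] != "Sysmon" or ev["eid"] != 7:
        return False
    dll, exe = PureWindowsPath(ev["ImageLoaded"]), PureWindowsPath(ev["Image"])
    if dll.name.lower() not in SIDELOAD_DLL_NAMES:
        return False
    dll_dir = norm(str(dll.parent))
    if dll_dir.startswith(TRUSTED_DIRS):
        return False
    return dll_dir == norm(str(exe.parent)) and ev.get("Signed", "").lower() == "false"


def correlate(events, window=timedelta(minutes=15)):
    """One finding per (host, service) where a suspicious service install is
    followed within `window` by a suspicious side-load from the same directory."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        loads = [e for e in evs if suspicious_sideload(e)]
        for svc in (e for e in evs if suspicious_service(e)):
            svc_dir = norm(str(PureWindowsPath(exe_from_image_path(svc["ImagePath"])).parent))
            t0 = datetime.fromisoformat(svc["ts"])
            for ld in loads:
                delta = (datetime.fromisoformat(ld["ts"]) - t0).total_seconds()
                if 0 <= delta <= window.total_seconds() \
                        and norm(str(PureWindowsPath(ld["ImageLoaded"]).parent)) == svc_dir:
                    findings.append({"host": host, "service": svc["ServiceName"],
                                     "dll": ld["ImageLoaded"],
                                     "techniques": ["T1543.003", "T1574.002"]})
                    break  # one finding per service is enough for triage
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The two heuristics are deliberately loose (unsigned DLL with a system name next to its host executable; a LocalSystem service installed from a user-writable path) because each fires on legitimate software as well; the correlation step is what makes the pair actionable, which is the point of treating the combination, rather than either technique, as the hallmark.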

According to Nikita Nazarov, Head of Threat Exploration at Kaspersky, the firm that released the research on APT TTPs: “In the world of cybersecurity, knowledge is the key to resilience. Through this report, we aim to empower security specialists with the insights they need to stay ahead of the game and safeguard against potential threats. We urge the entire cybersecurity community to join us in this knowledge-sharing mission for a stronger and more secure digital landscape.”