One year after the start of the pandemic, ESET reveals new research on the activities of APT group LuckyMouse and explores how governments can address major cybersecurity and digitization challenges
Earlier this year, the notorious APT group LuckyMouse (also known as Emissary Panda or APT27) began exploiting multiple zero-day vulnerabilities in Microsoft Exchange Server. Its goal was cyber espionage against several government networks in the Middle East and larger organizations in Central Asia. The group used this access to email servers, together with compromised Microsoft SharePoint servers, to deploy a freshly updated modular toolkit called SysUpdate. As ESET describes in a new report, the toolkit was designed to deliver malicious functionality on demand while resisting analysis as much as possible.
If you still doubted the extent of the current cyber threat landscape facing governments around the world, this example illustrates it vividly. Fortunately, governments are not alone in facing the danger. Cybersecurity companies are in a unique position to provide advisory services to the public sector. Not only does ESET have the technical capabilities to support cyber defense, but as a long-time target of sophisticated threat actors, it can also report first-hand insights into what works and what doesn’t.
A year like no other
The LuckyMouse campaign, which ESET refers to as “EmissarySoldier,” was active for much of 2020 and into 2021. It is just the tip of the iceberg. Both in terms of attacks on governments and in terms of the general cyber threat situation, the past year was unprecedented, not least because of the coronavirus pandemic. Cybersecurity incidents and attacks have unfortunately had a major impact on consumers, critical infrastructure, and society itself, all of which governments are obligated to protect. Governments should also be aware that in the coming years the impact and the threats may well become even greater.
The pandemic was inevitably accompanied by a new global wave of digitization. Investments in cloud infrastructure and applications, laptops, and remote work devices were essential to supporting public servants working from home and health departments doing their work. In Germany, the inherent need for digitization in healthcare became even more apparent in 2020, and projects such as the Corona warning app showed that there are implementation difficulties to contend with along the way.
With the expansion of digital infrastructure comes a larger attack surface for governments and agencies, as well as for businesses. Opportunistic threat actors targeted this expanded surface relentlessly. Distracted home workers were bombarded with phishing emails that exploited an insatiable appetite for the latest COVID-19 news. Remote work infrastructure was scoured for vulnerabilities and attacked with stolen, forged or cracked remote credentials. And the security teams responsible for that infrastructure had their own organizational challenges to contend with while working from home.
From cybercrime to cyber espionage
Cyber threats to government agencies are increasingly coming from cooperating criminal groups. Just consider the close collaboration between Trickbot (whose operations were disrupted in a global operation involving ESET), Emotet (whose botnet was recently disrupted), and sophisticated ransomware groups like Ryuk, which used access provided by those botnets to attack their victims. Unfortunately, governments and the security industry are not always willing to cooperate on cybersecurity in the same way.
The second main source of cyber threats is nation-state actors, although the line between them and traditional, financially motivated cybercriminals remains blurred. Hostile nations, at any rate, recognized the unique opportunity and did their best to take advantage of government IT teams that were occupied elsewhere, primarily in order to steal COVID-19 vaccine information from rival states.
The bad news for Western governments is that attacks by groups such as Gamaredon, Turla, Sandworm (and its subgroup TeleBots, monitored by ESET) and XDSpy continue to be successful. In addition to using common malware from the cybercriminal arsenal, these groups research and develop their own attack tools, such as Crutch, a previously undocumented Turla backdoor discovered by ESET.
Increasingly sophisticated: supply chain attacks
Perhaps among the most disturbing developments in recent months were the revelations about the SolarWinds campaign. However, this is just one of several supply chain attacks we’ve identified over the past year. Others emanated from the Lazarus Group, which deployed hacked security add-ons, targeted regional chat software (Operation Stealthy Trident), or compromised a government certification authority (Operation SignSight).
In fact, ESET detected as many supply chain campaigns in the fourth quarter of 2020 as the entire security industry used to detect in a whole year. The threat from such attack vectors has grown as governments increasingly use and provide digital services and streamline their processes. Governments need to seize this moment to fight back with an improved cybersecurity strategy fit for the post-pandemic world.
The future starts here
The question is where to start. Based on our own experience as a target of threat actors, we have learned how important basic security measures are to securing an organization. These days, the first step should be to understand where your most important assets are located. Whether it’s a laptop used at home or a cloud server, the point is to make sure each asset is protected and properly configured at all times. Rapid patching, regular backups, endpoint protection and “zero trust” access for all home workers should be part of the equation. After all, the workforce is your most exposed front in the war against cybercrime.
Also, follow international standards such as ISO 27001 to implement best practices for information security management. This is a good starting point for addressing key regulatory compliance needs. If you’re concerned about how to prioritize so many security activities in an ever-changing security landscape, use risk management and measurement as a guide. Another important step is to give security greater weight in your software development lifecycle (SDLC). This is how to accelerate digital transformation without increasing cyber risk.
The past year has been eye-opening in many ways. For IT teams in government agencies, however, there is no turning back. Remote working and greater use of the cloud and digital infrastructure are the new reality, and so are sophisticated attacks by criminals and state actors. It’s time to find a way through this darkness, using proven security techniques, products and current research to stay one step ahead of attackers.