Can “Regular” Threat Actors Become Quasi-APTs?

The proliferation of cyber-offensive capabilities has been thoroughly discussed in recent years by academics and think tankers alike. Parallels between this modern cyber arms race and the race to nuclear capabilities that plagued the previous century have been exhausted, in an attempt to encapsulate the rapid expansion and increasing volatility of the cyber threat landscape in recent years. In the past year alone, this escalation has been made blatantly manifest through the spike in ransomware attacks, the deployment of pernicious new malware and the unprecedented surge in cybercrime, cybercriminals and cyber incidents, coordinated and conducted within the illicit underground communities of the deep and dark web. Check out our “State of the Underground in 2021” report for more context.

If there was any need to further crystallize this idea of cyber proliferation and its consequences, the latest conflict in Ukraine made the final argument. To understand why the conflict in Ukraine is so significant to our discussion, we need to look back fourteen years, when Russia attacked Georgia during the summer of 2008. Before and after Russia’s invasion, international media outlets reported that Moscow had deviated from the standard norms of conventional warfare, and had been deploying major cyberattacks against Georgian websites and internet infrastructure. This was reported to be a Kremlin-backed, nation-state campaign, one that was considered by many as the “first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other warfighting domains”.

Fast-forward to 2022. The first shots fired in the current conflict between Russia and Ukraine were not by firearms, but by keystrokes. In this new-age war, the cybersphere is a primary battleground, and advanced threat actor groups are the foot soldiers. This Russian-Ukrainian cyber-battlefield is complex and multipolar, populated by many disparate threat groups, each determined to do their part, and to take their share of the winnings. Hence, it is not uncommon to see threat actor groups declaring their latest victories in the ongoing digital battle, be it pro-Ukrainian threat actor groups announcing their successful breach of Russian federal organizations or pro-Russian threat actors targeting Western infrastructure. A brief scroll through these groups' Twitter profiles and Telegram channels is sufficient to see how structured and organized they are.

What has changed between 2008 and 2022? How can we explain the mass mobilization of threat actors of all levels of sophistication, taking to the cyber-battlefield to play their part in a conventional war between nation-states? It would be simplistic, in my humble opinion, to attribute this massive paradigm shift only to advancements in technology. Instead, I find this external, global change to be deeply connected to the changing internal dynamics of the cybercriminal underground itself. The proliferation of cyber-offensive capabilities on the global scale has unfolded in tandem with the proliferation of knowledge within the cybercriminal underground, allowing threat actor groups to build off one another and ‘leapfrog’ their way forward at a dizzying pace.

‘Leapfrogging’ refers to the process of bypassing the standard, step-by-step path of development, whereby a nation, an enterprise or a person takes advantage of existing opportunities and innovations to skip ahead, accelerating development to jump straight to a leading position of advancement. In the cybercriminal underground, threat actors have access to a multitude of ‘leapfrog’ enablers, able to employ the tools and services developed by their more experienced counterparts to deploy complex attacks that had previously only been possible for those who had followed the step-by-step evolutionary practice of building cyber expertise. Now, there is a clear opportunity for cybercriminals of every level of sophistication to “buy” instead of “make” their arsenal for attack.

This leapfrog phenomenon has advanced rapidly in the cybercriminal underground over the past decade, starting with the introduction of “kits” and “as-a-service” offerings within the illicit underground economy of the dark and deep web. These new offerings allowed threat actors to wholly outsource their tools for attack, with pre-built packages of scripts and tools facilitating anything from DDoS attacks to common vulnerability exploitation. To capitalize on this booming new underground industry, many malware authors have moved to profit from their expertise, providing their skills “as-a-service” and allowing their customers to cherry-pick their targets while bypassing the tiresome and complicated process of developing sophisticated malware or deploying and maintaining C&C servers to control the malware’s operations during the attack.

“It’s the economy, stupid”, said the chief strategist of Bill Clinton’s 1992 election campaign. The dark and deep web, the world’s third largest economy, appears to be in vehement agreement. The demand for quick wins and easy profits has spurred more and more actors to offer new kinds of services under various pricing strategies. One of the more popular services today in the underground market is that offered by Initial Access Brokers, or as we like to call them, IABs. These IABs sell access to thousands of compromised endpoints on a daily basis, allowing cybercriminals to buy their first way into the networks of almost every enterprise and vendor out there. For as little as $10 apiece, threat actors can purchase access and gain a steady foothold in their targets’ systems, attaining a beachhead into highly secured organizations without having to bother with the complex and laborious process of gaining initial access on their own. By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of Advanced Persistent Threat groups (APTs).

Why is this leapfrog strategy important? Well, if you were a CISO working in a big corporation 5 or 10 years ago, you could have directed your threat intelligence team to focus on a dozen nation-state-linked groups, and rest assured that your team had you covered. Today, this is no longer the case. As cyber capabilities proliferate, trickling from APTs to less advanced threat groups, there are tens of thousands of actors who may be simply one click away from purchasing the advanced capabilities that would allow them to leapfrog into quasi-APT status.

This means that the CISO of 2022 must maintain constant vigilance, ensuring that their organization has the capacity to track, monitor and remediate threats coming in from multiple focal points. It’s not only the well-known SPIDERs, BEARs and PANDAs anymore, but your average-joe dark web actor or the local Anonymous chapter. The question is no longer only how relevant and actionable your threat intelligence is, but also how comprehensive and scalable it can be. Simply put: can your cyber threat intelligence continuously track millions of cybercriminal actors every day, and deliver the critical insights you need to block threats in real time?
