APTs and Defending the Enterprise in an Age of Cyber Uncertainty

In recent months, there has been a marked uptick in nation-state cyber activity. During the last week alone, we’ve learned that Chinese hackers stole information from Spanish centers working on COVID-19 vaccines, that the US Justice Department have indicted five Chinese nationals (and two Malaysian ones) who targeted over 100 companies, organizations, and individuals in 14 countries, that three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, and that APT39 has been spying on Iranian dissidents. Last week, two other Iranian hackers were also indicted for defacing multiple websites with pro-Iranian propaganda.

This surge in nation-state hacking activity is not a blip but a discernible trend. Attacks attributed to nation-state backed APTs have increased not only in terms of volume but also in scope and sophistication. The problem has been exacerbated because of COVID-19 and its impact on the global economy and international relations.

Concerns about APTs used to be a niche topic discussed primarily by Homeland security experts and the cybersecurity industry, but now it has reached mainstream awareness, as can be seen by statements from US, UK and other Western government officials. Most recently, the Australian Defence Minister Linda Reynolds made a public statement expressing concerns that malicious cyber attacks against Australian businesses and government agencies from a state-based actor, believed to be China, had increased over the past two months.

Making Sense of a Chaotic World

Reading all these headlines can be confusing. Who is attacking who, why and how? Let’s try to break down the different nation-state activities in cyberspace.

Sabotage – The virtual can break out into the physical when nations use cyber means to cause damage to computer systems or physical systems of other nations. Attacks on critical infrastructure have increased sharply in the last two years. Among them, a tit-for-tat between Israel and Iran: an Iranian attack on Israel’s water infrastructure led to Israeli retaliation against the port of Shahid Rajaee, a reminder—should anyone have forgotten stuxnet—that nations are not averse to launching cyber attacks with destructive force on those they perceive as enemies.

If you’re in any one of the 16 critical infrastructure sectors, you could find yourself directly or indirectly in the line of fire from sabotage attempts.

Learn more about the 16 critical infrastructure sectors here.

Classic Espionage – Good old-fashioned spying is a much-more common activity than sabotage. Nations have been spying on each other since forever, but today much of the old ‘spy-craft’ activities are conducted in cyberspace. Data theft is easier, cheaper and relatively risk-free when you’re behind a keyboard hacking into a server in a different country and protected by the laws and security services of your own government.

Organizations holding data that could be sensitive to national security issues or working with personnel or contractors who have high profiles need to harden their security to prevent unauthorized access or leakage.

Global Political Influence – Nations have long-used psyops to gain an advantage over other countries, but cyberspace has given them the means to do so on a scale that was never dreamt of before. Nations can interfere with political processes in other countries with little regard and great reward. For example, nation-state actors meddling in the Scottish independence referendum, UK Brexit referendum, US 2016 elections, and, inevitably, the upcoming 2020 US elections are well-documented.

Combating this kind of interference has to be undertaken at a national security level, but organizations can also step up their vigilance to ensure that they are fully aware of partners’, contractors’, and clients’ backgrounds and credentials.

Regional Politics – Nations also want to exert strength in cyberspace to resolve (or escalate) regional conflicts. Chinese cyber attacks on Indian entities followed a skirmish between the two nations resulting in dozens of casualties in the mountainous border region of Ladakh. Ukrainian security services reported in 2019 that Russian-backed Gamaredon APT had repeatedly targeted Ukrainian military and law enforcement agencies and individuals. Gamaredon reportedly launched at least 482 cyber attacks against Ukrainian critical infrastructure targets in a Russian-backed campaign to pursue a proxy-war in cyberspace without incurring the political fallout of an actual, boots-on-the-ground, military campaign.

Businesses and organizations with political links should follow similar guidelines for protecting data as federal contractors.

Learn more about guidelines for federal contractors here.

Industrial Espionage – Unlike ‘classic’ espionage, this activity is specifically aimed at closing the economic gap between nations, by stealing Intellectual Property and then using it to either copy and reproduce technology or gain other unfair commercial advantage. China has been widely accused of engaging in spying on Western businesses, government agencies and technology companies for just this purpose. For example, desiring to build its own stealth jet, the oriental superpower is believed to have stolen the proven design of the US F-35 to shorten development and “time to market”. It’s been estimated that theft of American trade secrets by China costs the US somewhere in the region of $300 billion to $600 billon every year.

While high-tech organizations are likely well-aware of the value of their IP, universities and other academic institutions with low-budgets for cyber security may not be aware of the threat of IP and research data theft.

Learn more about the threat to educational institutions and how to defend them here.

Crime – Some nations are under extreme financial burden, made worse by international sanctions, so they resort to cybercrime to fill their coffers. North Korea is notorious for utilizing cyber crime for such purposes, and recently launched yet another campaign aimed at stealing money from US banks and ATMs. Other APT Lazarus campaigns have focused on stealing cryptocurrencies and impersonating cryptocurrency exchanges. Unlike many other APTs, Lazarus writes malware that targets macOS users, too, as Apple’s platform is increasingly used by C-suite executives and others wary of the plethora of Windows malware.

Ebook: macOS Threat Hunting & Incident Response
This guide will arm you with the knowledge you need to defend your organization’s macOS fleet.
APTs have learned lessons from cyber criminals and vice versa. SentinelLabs recently uncovered how Lazarus APT leverages TrickBot crimeware to target organizations for financial gain.

Learn more about how APTs partner with cyber criminals to target organizations here.

APTs: Opportunities in 2020 and Beyond

The present COVID-19 pandemic has created powerful opportunities for nations to hack and spy on one another. Quite aside from the power of phishing lures related to Coronavirus themes, the race to be first to obtain a vaccine has led to a number of incidents of espionage related to stealing IP from research laboratories. Based on recent evidence, it is likely that we will see further APT campaigns trying to take advantage of the security vulnerabilities brought about by workplace disruption – from office to home and back again – that at present do not seem to have any end in sight, and will certainly extend into 2021 at least.

Aside from pandemic-related matters, 2020 is a year that has seen widespread political, social, economic and climate disruption in the US, and to a certain extent in the UK and Europe, also. All these are grist to the mill for cyber threat actors, who will seize on any opportunity to leverage current events to further their campaigns. And of course, the upcoming US elections will likely result in an increase in related cyber activities, such as hacking attempts against politicians, political parties, voter registries, voting sites and voting machines.

Defending the Enterprise in an Era of Cyber Uncertainty

It sounds like a grim picture, but enterprises are far from helpless or alone. Recent sanctions imposed on Iranian hackers by the US and proposed EU sanctions against Russian hacking, joint announcements by officials in countries like US and UK (such as a recent statement blaming China, Iran and Russia in attempts to steal COVID-19 vaccine research) signal greater international cooperation that will hopefully help in reducing such destructive activities.

There are a number of initiatives to protect healthcare institutes during COVID-19 from cyber threats, and partnerships between nations, law enforcement agencies, and public-private collaboration efforts that are also being developed to improve enterprise cyber security against advanced persistent threat actors.

At an organizational level, the time when it was possible to believe your organization may not be “interesting” to advanced attackers is well and truly behind us. Nation-state actors are hoovering up masses of data related to organizations and individuals simply because they can and because they never know when it might be useful.

7 Lessons Every CISO Can Learn From the ANU Cyber Attack

These nation-state actors rely heavily on social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images) and infect endpoints in order to obtain access to data and then exfiltrate it.

Given the diverse and increasing number of threats, companies need to ensure that they conduct full risk assessment, develop a security plan, including incident response and business continuity contingencies, and deploy trusted technological solutions to ease the burden on staff.

With phishing the number one vector in most compromises, phishing awareness training backed by endpoint security software that can recognize known and unknown threats is a priority.

For the increasing number of companies that are utilising the cloud, Kubernetes and containers, and struggling to keep on top of the ever-changing hardening configuration needed, workload protection is also vital.

Automated Application Control for Cloud Workloads
Protect cloud-native workloads with advanced lockdown capabilities that guarantee the immutable state of containerized workloads.


It wasn’t all that long ago that the very existence of APTs was something shrouded in myth and secrecy, but with public disclosures and leaks of APT toolkits now in the public domain, it seems nation-state actors are not nearly so shy or retiring as they once were. Discussion of APT activity is now part of mainstream cyber discourse, with all sides seemingly content to openly acknowledge that cyber warfare between nations is part of the ‘new normal’ that will be with us for some time to come.

Businesses need to understand that in our interconnected world, there is no such thing as being either ‘invisible’ or ‘uninteresting’ to advanced cyber attackers. Know it or not, like it or not, if you’re online, storing and processing data, and engaged in any kind of commercial relationships, there’s an APT cyber threat actor out there interested in you, your data, your product, your clients and/or your providers.

While that might sound scary, fortunately APTs and their tactics, techniques and procedures are also no longer shrouded in mystery. APTs are just another threat actor we all have to deal with. We are not alone in this fight, and we are not defenceless, so long as we first recognize the threat and then take appropriate measures.

If you would like to see first hand how SentinelOne’s Singularity platform can help defend your organization against advanced threat actors, contact us today or request a free demo.