APTs in 2021: expect new threat angles, attack strategies


The turmoil brought about by the COVID-19 pandemic will bring along many structural and strategic changes, not only in our daily lives but in the realm of targeted attacks too, due to a far broader attack surface.

Kaspersky’s Global Research and Analysis Team (GReAT) says we can expect new attack vectors to emerge, such as the targeting of network appliances and the search for 5G vulnerabilities. These will happen alongside multi-stage attacks as well as actions against activities that enable cyber attacks, such as zero-day sales.

This forecast was developed based on the changes that GReAT noted during 2020.

Changes in execution

One of the key, and potentially most dangerous, trends that researchers anticipate is the change in bad actors’ approach to the execution of attacks.

Last year, targeted ransomware attacks reached a new level through the use of generic malware.

Connections between these and well-established underground networks such as Genesis, which typically trade in stolen credentials, were observed, and Kaspersky researchers believe that advanced persistent threat (APT) actors will start using the same method to compromise their targets.

The company says organisations should pay more attention to generic malware and perform basic incident response activities on each compromised computer to ensure that generic malware has not been used as a means of deploying more sophisticated threats.

Name and shame

Another prediction is that more countries will start using legal indictments as part of their cyber-strategies. Kaspersky’s previous predictions of ‘naming and shaming’ of APT attacks carried out by hostile parties have come to fruition, and more businesses will follow suit.

“Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same, thereby hurting actors’ activities and developments by burning the existing toolsets of their opponents in an effort to retaliate,” the company says.

It also predicts that an increasing number of Silicon Valley companies will take action against zero-day brokers. In the aftermath of several cases where zero-day vulnerabilities in popular apps were exploited for espionage on a variety of different targets, more tech companies are likely to take a stance against zero-day brokers in an effort to protect their customers and reputation.

Network appliances such as VPN gateways will find themselves targeted more often, due to the remote working trend that isn’t going to end any time soon, Kaspersky says. Harvesting credentials to access corporate VPNs by ‘vishing’ remote workers may also emerge.

Changing tactics

Moreover, Kaspersky says demanding money ‘with menaces’ will be on the rise. Ransomware gangs are changing strategies, and more major ransomware players will start focusing their activities and obtaining APT-like capabilities. With the funds the gangs have extorted, they will be able to invest in new advanced toolsets with budgets comparable to those of some state-sponsored APT groups.

We can expect an increasing number of disruptive attacks, resulting either from directed, orchestrated attacks designed to affect critical infrastructure or from collateral damage, as our lives have become even more dependent on technology with a far wider attack surface than before, Kaspersky adds.

Finally, the company expects the emergence of 5G vulnerabilities. As adoption of this technology grows, and more devices become dependent on 5G connectivity, malefactors will have a greater incentive to look for vulnerabilities that they can exploit.

A mercurial world

David Emm, principal security researcher at Kaspersky, says: “We live in a world that is so mercurial that it is likely that events and processes will happen in the future that we have not been able to grasp just yet. The amount and complexity of changes we have witnessed that have affected the cyber threat environment could dictate many scenarios for what is to come ahead.”

Furthermore, Emm says there isn’t a threat research team in the world that has full visibility of the operations of APT threat actors.

“Yes, the world is a chaotic place, but our previous experience shows that we have been able to anticipate many APT developments before, and hence prepare for them better. We will continue to follow this path, understanding the tactics and methods behind APT campaigns and activities, sharing the insights we learn and evaluating the impact these targeted campaigns have. What matters here is to follow the situation closely and always be ready to react,” he concludes.