State-Sponsored Hacking Attacks: What Are Advanced Persistent Threats And Who Did They Target in 2022?
In 2022, there was a marked increase in government-sponsored cyber-attacks. Many of these attacks were carried out by what are referred to as Advanced Persistent Threats or APTs. These groups work with governments and may also carry out for-profit illicit activities as well.
2022 saw foreign entities attack other foreign entities in DDoS attacks, spying ops, ransomware attacks, and breaches against critical infrastructure. These attacks initiated major supply-chain disruptions, billions of dollars in damages, and collected volumes of information as part of espionage operations.
With an eye towards what the world may face in 2023, here were 5 devastating APT attacks that took place in 2022:
China’s APT 41/Double Dragon Steals $20 Million in COVID Relief Funds
In 2022, one of the most shocking APT attacks was carried out by a group known as APT 41 or Double Dragon. This group managed to steal approximately $20 million worth of COVID relief funds from multiple countries in Asia and Africa. The attack specifically targeted banks, government agencies, and other organizations that were distributing relief monies during the pandemic. It is believed that the stolen money was laundered through cryptocurrency wallets, making it difficult to trace and recover.
The Secret Service statement indicated that APT41, which has been active for over a decade, is considered a state-sponsored Chinese cyberthreat group, highly proficient in executing espionage missions and financial crimes for personal gain. Cyber experts and current and former officials from multiple agencies have identified APT41 as the "workhorse" of cyberespionage operations that benefit the Chinese government. As COVID relief funds emerged as a target of opportunity in 2020, this threat became more pertinent than ever.
Iran’s Rampant Kitten/APT DEV-0270 Compromises US Merit Systems Protection Board
In November, the US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on Iran's Advanced Persistent Threats (APTs). The threat actor, called Rampant Kitten, exploited a well-known Log4Shell vulnerability to infiltrate a VMware Horizon server in February.
This resulted in the compromise of a federal network belonging to the US Merit Systems Protection Board. In response, CISA warned all organizations that had failed to apply Log4Shell remediations to check their environments for indicators of compromise. The Washington Post identified the affected agency as the US Merit Systems Protection Board. Attacks of this kind highlight the need for continued vigilance and proactive efforts from businesses and governments alike to safeguard critical infrastructure.
North Korea’s Lazarus Group/APT38 Targets Cryptocurrency
In April, a joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) warned of a cyber threat associated with cryptocurrency thefts by the North Korean state-sponsored advanced persistent threat (APT) group known as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
Since at least 2020, this group has been targeting organizations in the blockchain technology and cryptocurrency industry such as cryptocurrency exchanges, DeFi protocols, play-to-earn cryptocurrency video games, venture capital funds investing in cryptocurrency, or individuals holding large amounts of digital currency or valuable NFTs.
The attackers have been using social engineering via various communication platforms to persuade victims to download trojanized cryptocurrency applications. This allows them to gain access to the victim's computer, propagate malware, and steal private keys or exploit other security gaps to initiate fraudulent blockchain transactions.
Iranian APT MuddyWater/APT 34 Targets Public/Private Sector in Asia, Africa, Europe and North America
In April of 2022, government-sponsored cyber attacks from the Iranian Advanced Persistent Threat group MuddyWater/APT 34, operating as part of Iran’s Ministry of Intelligence and Security (MOIS), targeted a range of government and private sector organizations across multiple sectors in Asia, Africa, Europe and North America.
Earlier, in September of 2020, the US federal government had sanctioned the Iranian government for its support of cybercrime activities, which it alleges are carried out via several Advanced Persistent Threat (APT) groups.
Specifically, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) designated Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies" since at least 2007.
Russian APT Actors Target Defense Contractors
From at least January of 2020 through February of 2022, the US Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) identified a regular pattern of cyber-attacks against U.S. cleared defense contractors (CDCs) originating from Russian state-sponsored actors.
These attacks employed common but effective tactics such as spear-phishing, credential harvesting, brute-force and password-spraying techniques, and exploitation of known vulnerabilities in weakly secured accounts and networks. The attackers also targeted Microsoft 365 (M365) environments, maintaining persistence with legitimate credentials and using malware for data exfiltration.
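Password spraying, one of the tactics named above, leaves a recognisable footprint in sign-in telemetry: a single source address producing failed logons for many distinct accounts within a short window, rather than many failures against one account. The following detection is an added example written for this article, not code from the advisory or from any vendor; it runs over constructed sample sign-in events (the line format, account names, and IP addresses are all assumptions) and reports, for each flagged source, which accounts were tried and which of them subsequently logged in successfully from that same source.

```python
"""Password-spray detection over constructed sign-in events (added example).

A spray tries a few passwords against many accounts, so a flagged source is
one that fails logons for at least `min_users` distinct accounts inside a
`window_minutes` sliding window. A success from that source after the spray
is the account a responder should look at first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field order is an assumption:
# <ISO-8601 UTC time> <account> <source IP> <FAILURE|SUCCESS>
SAMPLE_EVENTS = [
    # one source tries six accounts in under 30 seconds, then gets in as heidi
    "2022-02-01T09:00:01Z alice@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:05Z bob@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:09Z erin@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:13Z frank@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:17Z grace@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:21Z heidi@example.com 198.51.100.7 FAILURE",
    "2022-02-01T09:00:25Z heidi@example.com 198.51.100.7 SUCCESS",
    # a user mistyping their own password: many failures, but a single account
    "2022-02-01T09:02:00Z carol@example.com 203.0.113.5 FAILURE",
    "2022-02-01T09:02:10Z carol@example.com 203.0.113.5 FAILURE",
    "2022-02-01T09:02:20Z carol@example.com 203.0.113.5 FAILURE",
    "2022-02-01T09:02:30Z carol@example.com 203.0.113.5 SUCCESS",
    # a slow spray: six accounts, but 15 minutes apart, so a 10-minute window misses it
    "2022-02-01T10:00:00Z alice@example.com 198.51.100.9 FAILURE",
    "2022-02-01T10:15:00Z bob@example.com 198.51.100.9 FAILURE",
    "2022-02-01T10:30:00Z erin@example.com 198.51.100.9 FAILURE",
    "2022-02-01T10:45:00Z frank@example.com 198.51.100.9 FAILURE",
    "2022-02-01T11:00:00Z grace@example.com 198.51.100.9 FAILURE",
    "2022-02-01T11:15:00Z heidi@example.com 198.51.100.9 FAILURE",
]


def parse_event(line):
    """Split one sign-in line into a dict with a parsed timestamp."""
    ts, user, ip, result = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "result": result,
    }


def detect_password_spray(lines, window_minutes=10, min_users=5):
    """Return {source_ip: {"users_attempted": [...], "successes": [...]}}
    for every source whose failures span >= min_users distinct accounts
    within any window_minutes-long window."""
    failures_by_ip = defaultdict(list)
    successes_by_ip = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev["result"] == "FAILURE":
            failures_by_ip[ev["ip"]].append(ev)
        elif ev["result"] == "SUCCESS":
            successes_by_ip[ev["ip"]].add(ev["user"])

    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, evs in failures_by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best_users = set()
        start = 0
        # sliding window: advance `start` until the window fits, then count
        # the distinct accounts failed within it and keep the largest set seen
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) >= min_users:
            findings[ip] = {
                "users_attempted": sorted(best_users),
                # accounts that later authenticated from the spraying source
                "successes": sorted(successes_by_ip[ip] & best_users),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, detail)
```

The window and threshold are the tuning knobs: the slow source in the sample is only caught when `window_minutes` is widened, which is why production rules usually pair a short-window rule like this one with a longer-horizon baseline of distinct-account failures per source. Sources that sit behind NAT or a shared egress will inflate the distinct-account count, so the carol-style single-account case is deliberately not flagged, and any hit should be reviewed against the organisation's known egress addresses before it is acted on.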
The above attacks caused major disruptions and billions of dollars in damages worldwide. They were carried out for both geopolitical reasons and for monetary gain. It is clear that APTs will remain a threat for years to come and must be addressed proactively so that further damage can be minimized by entities both in the public and private sectors.