State-Aligned Actors Targeting SMBs GloballyVulnerable Small to Midsized Organizations Are Now Favored Victims of APT Actors
State-aligned hackers from Russia, Iran and North Korea are increasingly targeting small and medium businesses globally.
Proofpoint researchers found that advanced persistent threat actors are targeting SMBs, governments, militaries and major corporate entities by using compromised SMB infrastructure in phishing campaigns. Attackers also are launching state-aligned financially motivated attacks against SMB financial services firms and supply chain attacks affecting SMBs.
"Through the compromise of small and medium business infrastructure for use against secondary targets, state-aligned financial theft and regional MSP supply chain attacks, APT actors pose a tangible risk to SMBs operating today," Proofpoint said.
Proofpoint threat researcher Michael Raggi said phishing data indicates SMBs are increasingly the target of state-aligned cyberattacks.
Raggi said that APT actors realize the value of targeting non-enterprise-scale organizations for intelligence they may offer and the softer links in the supply chain that they may represent.
"Proofpoint anticipates seeing a continued rise of SMB targeting throughout 2023 originating from the entire geographic gamut of APT actors that we track," Raggi said.
Proofpoint researchers also observed more instances of impersonation or compromise of an SMB domain or email address over the past year, which includes threat actors compromising an SMB web server or email account.
"These compromises may have been achieved through credential harvesting, or, in the case of a web server, through unpatched vulnerability exploitation," researchers said.
Upon successful compromise, the email address is used to send malicious email to targets and if a web server hosting a domain is compromised, "the threat actor then abused that legitimate infrastructure to host or deliver malicious malware to a third-party target."
Proofpoint previously identified TA473, also known as Winter Vivern, using compromised SMB infrastructure in phishing campaigns from November 2022 through February 2023.
The group was first publicly exposed in April 2021 by DomainTools, which identified a campaign using malicious documents to target "Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican." It named the group "Winter Vivern," based on a malicious macro that called out to a now-defunct directory named "wintervivern" on the
secure-daddy.com file-hosting service to receive command-and-control instructions.
In one of the attacks, threat actors were found scanning for public-facing, hosted unpatched Zimbra web mail servers that were exploited to compromise email accounts of military, government and diplomatic organizations across Europe working with Ukraine to repel Russia's invasion.
TA473 use compromised SMB infrastructure to send emails and use SMBs domains to deliver malware payloads, Proofpoint said. "This actor has compromised the domains of a Nepal-based artisanal clothing manufacturer and an orthopedist based in the U.S." to deliver malware through phishing campaigns," the researchers said.
From January through March 2023, researchers also observed regular impersonation of a medium-sized business based in Saudi Arabia within the auto-manufacturing sector as part of a phishing campaign.
The credential-harvesting phishing campaign targeted private email addresses in the United States and Ukraine and was attributed to TA422, also known as APT28.
"This campaign represents ongoing targeting of Ukrainian entities by Russian GRU-related organizations but interestingly spoofs an entity within the Middle East to target entities based in the U.S. and Europe," the researchers said.
State-Aligned Financial Theft
The researchers observed that financially motivated attacks by the APT actors remain a persistent threat for the financial services sector. North Korean threat actors are known for targeting financial services institutions to steal funds and cryptocurrency.
The United Nations in 2019 estimated that cryptocurrency and online bank heists have enabled Pyongyang to invest $2 billion in its development of nuclear weapons and intercontinental ballistic missiles (see: North Korean Hacking Funds WMD Programs, UN Report Warns).
"These funds are largely utilized to finance different aspects of North Korea's governmental operations. In December 2022, Proofpoint observed a medium-sized digital banking institution in the United States receive a phishing campaign from the North Korea-aligned TA444," the researchers said (see: North Korean Crypto Hackers Keep Nose to the Grindstone).
The threat actor also uses social networking platforms such as LinkedIn to engage with victims before delivering malicious links in a bid to improve its hit ratio. TA444 has demonstrated an understanding of English, Spanish, Polish and Japanese, according to a previous report.
Supply Chain Attacks
Another key trend observed between 2022 and 2023 is the increased level of APT targeting of vulnerable regional managed services providers to initiate supply chain attacks.
Proofpoint researchers said regional MSPs protect hundreds of SMBs but have limited and often non-enterprise-grade cybersecurity defenses, which are more easily exploited by the APT actors. The researchers said "regional MSPs are targeted in phishing campaigns within geographies that align with the strategic collection requirements of APT actors."
The group TA450, also known as MuddyWater and attributed to Iran's Ministry of Intelligence and Security, targeted two Israeli regional MSPs and IT support businesses via a phishing email campaign in mid-January 2023 (see: Iranian APT: New Methods to Target Turkey, Arabian Peninsula).
The emails from a compromised email address at an Israeli medium-sized financial services business included a link to the cloud hosting provider OneHub. Once clicked, this link directed the victim to a Zip archive that contained a legitimate installer executable file for the remote administration tool Syncro.
"While Syncro is a legitimate remote administration tool used in businesses, in this context, once installed on the target host, threat actors would be able to utilize the remote administration tool like a remote access Trojan and conduct additional intrusion activities, likely through both native tools and proprietary malware," the researchers said.
They also said TA450 has an interest in targeting regional technology providers to gain access to downstream SMB users via supply chain attacks originating against vulnerable regional MSPs.