CSO Senior Writer

SMBs and regional MSPs are increasingly targeted by state-sponsored APT groups

News Analysis
May 24, 2023 | 5 min read
Advanced Persistent Threats, Cyberattacks

Research shows a shift toward advanced persistent threat actors compromising smaller organizations, in part to enable other attacks.

Advanced persistent threat (APT) attacks were once mainly a concern for large corporations in industries that presented cyberespionage interest. That’s no longer the case and over the past year in particular, the number of such state-sponsored attacks against small- and medium-sized businesses (SMBs) has increased significantly.

Cybersecurity firm Proofpoint analyzed its telemetry data from more than 200,000 SMB customers over the past year and saw a rise in phishing campaigns originating from APT groups, particularly those serving Russian, Iranian, and North Korean interests. The end goal of the attacks varied from espionage and intellectual property theft to destructive actions, financial theft, and disinformation campaigns. SMBs are also compromised so that attackers can impersonate them in other attacks and abuse their infrastructure.

“Many organizations attempting to secure their network often focus on business email compromise (BEC), cybercriminal actors, ransomware, and commodity malware families that are commonly encountered in the emails received daily by millions of users worldwide,” the Proofpoint researchers said in their report. “Less common, however, is a widespread understanding of advanced persistent threat actors and the targeted phishing campaigns they conduct. These skilled threat actors are well-funded entities associated with a particular strategic mission.”

Infrastructure hijacking by APT groups

APT groups are known for their highly targeted and well-crafted phishing emails that are the result of deep research into their intended targets. These groups have the time and resources to scour LinkedIn for employee profiles, understand roles and departments inside organizations, identify external contractors and business partners, understand the topics, websites, and events that would be of interest to their targets and more.

This type of information is vital to crafting credible email lures, but what’s even more effective is the targets receiving such emails from companies they know or links to websites they have no reason to be suspicious of. Proofpoint has seen a growing number of cases where APT groups compromise email accounts associated with SMBs or their web servers. The techniques used include credential harvesting or exploits for unpatched vulnerabilities.

“Once [a] compromise was achieved, the email address was then used to send a malicious email to subsequent targets,” the researchers said. “If an actor compromised a web server hosting a domain, the threat actor then abused that legitimate infrastructure to host or deliver malicious malware to a third-party target.”

One prominent group that uses such tactics is known in the security industry as Winter Vivern, TA473 or UAC-0114, and is believed to serve Russia’s interests based on its target selection: government agencies in Europe and the US, with a strong focus on countries that have offered assistance to Ukraine in the ongoing conflict. According to Proofpoint’s data, this group sent phishing emails to its targets from compromised WordPress websites and used compromised domains belonging to SMBs to host malware payloads.

“Notably, this actor has compromised the domains of a Nepal-based artisanal clothing manufacturer and an orthopedist based in the US tri-state area to deliver malware via phishing campaigns,” the researchers said.

Another Russian APT group that impersonated SMBs in its phishing campaigns is APT28, which is believed to be the hacking arm of the Russian military intelligence service, the GRU. In one campaign targeting Ukrainian entities as well as other targets in Europe and the US, the group impersonated a medium-sized business from the auto manufacturing sector based in Saudi Arabia.

A group tracked as TA499, Vovan, and Lexus, which is believed to be sponsored by the Russian government, targeted a medium-sized business that represents major celebrity talent in the United States. The campaign’s goal was to convince an American celebrity to join a politically themed conference call about the Ukrainian conflict with a person purporting to be Ukrainian President Volodymyr Zelensky.

APTs need money, too

APT groups have historically engaged in attacks whose goals have been either the theft of sensitive information or sabotage. Stealing money has never been high on their agenda, with few exceptions: groups from countries that are under severe economic sanctions, such as North Korea. “APT actors aligned with North Korea have in past years targeted financial services institutions, decentralized finance, and blockchain technology with the goal of stealing funds and cryptocurrency,” the Proofpoint researchers said. “These funds are largely utilized to finance different aspects of North Korea’s governmental operations.”

In December, a North Korean APT group launched an email-based attack against a medium-sized digital banking institution from the United States with the goal of distributing a malware payload called CageyChameleon. The rogue emails impersonated ABF Capital and included a malicious URL that initiated the infection chain.

Reaching SMBs via the service supply chain

SMBs are also targeted by APT groups indirectly, through the managed services providers (MSPs) that maintain their infrastructure. Proofpoint has seen an increase in attacks against regional MSPs because their cybersecurity defenses can be weaker than those of larger MSPs, yet they still serve hundreds of SMBs in their local geographies.

In January, MuddyWater, an APT group attributed to Iran’s Ministry of Intelligence and Security, targeted two Israeli MSPs and IT support businesses via emails containing URLs to a ZIP archive that held an installer for a remote administration tool. The emails were sent from a compromised email account of a medium-sized financial services business based in Israel. In other words, this is a case of an SMB compromise being leveraged to target MSPs, with the likely goal of gaining access to even more SMB networks.

“Proofpoint data over the past year indicates that several nations and well-known APT threat actors are focusing on small and medium businesses alongside governments, militaries, and major corporate entities,” the researchers concluded. “Through the compromise of small and medium business infrastructure for use against secondary targets, state-aligned financial theft, and regional MSP supply chain attacks, APT actors pose a tangible risk to SMBs operating today.”