For the past several years, an increasing number of cybercrime groups have adopted techniques and procedures traditionally used by state-sponsored actors. This trend has caught many organizations unprepared, especially small and medium-sized businesses whose defenses are generally focused on regular malware.
The term advanced persistent threat (APT) is typically used to describe targeted attacks where hackers compromise systems with custom or hard-to-detect tools and then perform lateral movement using stealthy techniques that often involve manual hacking. This type of approach has historically been used by groups interested in espionage with the goal of remaining undetected for extended periods of time so they can observe and steal as many secrets as possible.
Meanwhile, cybercrime groups were known to use malware bought from underground markets, to exploit known vulnerabilities, to launch widespread attacks, and to generally focus on getting a quick return on their investment rather than being stealthy. First and foremost, cybercrime groups differentiated themselves from espionage ones by having a financial motive like stealing money directly from victims’ accounts, stealing data that could be monetized in some way, forcing victims to pay ransoms and fake fines and so on.
However, the majority of significant cybercrime attacks observed recently used APT techniques, so the technical borders between them are disappearing and these groups are learning from each other, Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, tells CSO.
Now, some cyberespionage actors regularly use commercial and publicly available malware to complicate attribution efforts and there are cybercrime groups for whom stealthiness and manual hacking have become important components in their operations. The North Korean Lazarus group, for example, is an unusual APT group that used to engage in espionage and sabotage, but which has transitioned to financially motivated attacks. Over the past few years, the group has hit central banks and cryptocurrency exchanges around the world, possibly in an attempt to steal funds for the North Korean government, which has been under global economic sanctions for a long time.