Cyberespionage groups in Asia Pacific (APAC) are no longer after confidential data alone; they are now also going after vulnerable banks in the region to steal money to fund their operations.
"This year, we have monitored the tectonic shift in APT [Advanced Persistent Threat] actors' behaviour. These groups, who were initially data-hungry, are now going beyond traditional cyberespionage. They added money-stealing to their attack menu as they hunt for vulnerable banks in the APAC region which they can infect mostly through the rising epidemic," said Yury Namestnikov, head of the Research Centre of the Global Research and Analysis Team (GReAT) of Kaspersky Lab in Russia.
The global cybersecurity company revealed that active APT groups such as Lazarus, Cobalt Goblin, and other groups that use Carbanak-style attacks have successfully breached some financial institutions in Bangladesh, Hong Kong, Indonesia, Malaysia, the Philippines, South Korea, and Vietnam.
The Lazarus Group was allegedly behind the hacking of Sony Pictures in 2014 and the Bangladesh Bank heist in 2016. Carbanak likewise victimises financial institutions, but with the sole intention of stealing money. The group made headlines in 2015 after it stole US$1 billion from banks in Russia, Ukraine, Germany, the United States of America, and China.
Kaspersky Lab said the exact monetary losses of financial institutions in the region have yet to be identified, but that it was able to prevent breaches at its bank clients before they lost money.
Meanwhile, other systems linked to financial institutions, such as cryptocurrencies, automated teller machines (ATMs), and the financial messaging service provider SWIFT, could also be points of attack for the cyberespionage groups.
"Actors are switching towards using legitimate software instead of deploying unique malicious programmes, which allows them to perform attacks stealthily. Also, they penetrated the networks by supply chain attacks: in the last three months, there were four huge incidents of this similar pattern. In terms of monetisation, it could be attacks against ATM infrastructure, SWIFT servers or databases with transactions and debit/credit card information," said Namestnikov.
Protection against APTs
Vitaly Kamluk, director of GReAT in APAC, imparted the following tips on how businesses can protect themselves against APT groups, at the recent Kaspersky Lab Cybersecurity Weekend.
- Raise cyber awareness in the organisation.
Since people are the weakest link in the security chain, it is imperative to educate them on how cyberattacks work and how they can mitigate them.
"Use threat intelligence proprietary reports created by us to learn about the latest attackers. Simulate attacks in your networks, simulate the presence of an APT attacker, make it real, and educate people not to open every file they see, which is critical," added Kamluk.
- Use decent security software and control updates
With the plethora of cybersecurity software on the market claiming to be effective, Kamluk advised organisations to be extra careful in choosing which products and vendors to trust.
"Make sure you update your systems and verify if the update works. We've seen banks being compromised by Lazarus because they forgot to verify that all the updates work; even though they self-update, the updates did not reach the internet. They did not verify it, and the [system] remained unpatched for one year until they got breached by this major gang," he furthered.
Kamluk added that software whitelisting could also help prevent cyberattacks. "Software has to be very carefully handled from source and until you stop using it, you have to control the integrity of the software and the list of applications that are running on all your systems; that's why strict whitelisting of software is essential."
- Monitor and investigate
Businesses must give equal monitoring and focus to both major and minor security events to mitigate the wider impact on the organisation.
Kamluk explained that "even minor events like the discovery of adware in the network may actually be a sign that something suspicious is going on that may not even be adware... Go to the root cause and investigate. [Find out] how did it get there, how it started and who was responsible for it."