The lines between state-sponsored Advanced Persistent Threat (APT) attacks, cybercrime, and hacktivism are increasingly becoming blurred. This convergence has created a complex landscape that makes it difficult to determine the motives and origins of cyberattacks. In this article, we will examine the interplay between these different forms of cyber activity and their implications for organizations, governments, and individuals.
1. State-Sponsored APT and Cybercrime
Advanced Persistent Threat (APT) attacks are a form of cyber attack that is typically executed by state-sponsored actors. They are long-term, targeted attacks that aim to steal sensitive information or install malicious software. APT attacks are often more sophisticated than other forms of cybercrime, making them particularly dangerous.
However, the distinction between APT attacks and cybercrime is becoming increasingly blurred. For example, APT actors may engage in cybercrime to fund their activities, or cybercriminals may use APT-style tactics to carry out their attacks. This convergence makes it more difficult to determine the motives of an attacker, and it also creates new challenges for organizations that need to defend against these types of attacks.
1.1 FIN7 : boosting cybercrime operation with APT-like modus operandi
FIN7’s combination of APT tactics and cybercrime tools and modus operandi illustrates the increasing convergence between state-sponsored APT attacks, cybercrime, and hacktivism, as the lines between these categories continue to blur.
They are considered to be at the intersection of APT (Advanced Persistent Threat) and cybercrime because they use a combination of APT-style tactics, such as persistent and targeted attacks, and the tools and modus operandi of traditional cybercriminals, such as data theft and ransomware.
In their attacks, FIN7 often begins with a spear-phishing email campaign to gain initial access to the target’s network, using social engineering tactics to trick the target into downloading malware. Once they have gained access, they use a combination of APT-style tools and techniques, such as custom-built backdoors, to maintain persistence and steal sensitive data, such as customer information and financial records.
In addition to data theft, FIN7 is known to use ransomware as a secondary means of monetizing their attacks, threatening to destroy or publish the stolen data unless a ransom is paid. This use of both APT tactics and cybercrime tools and modus operandi makes FIN7 a unique and dangerous threat, as they are able to evade detection and maximize their profits through a multi-faceted approach.
1.2 Lazarus : the cyber-corsair that spy and steal financial assets
Lazarus serves as a prime example of how state-sponsored threat actors are increasingly leveraging the tactics, techniques, and procedures (TTPs) of APT attacks to carry out financially motivated cybercrime.
ne of the most notable examples of Lazarus’ intersection between APT and cybercrime is their role in the SWIFT cyber attacks. In 2016 and 2017, Lazarus was believed to be behind a series of attacks against banks in multiple countries, where they used a combination of spear-phishing and malware to compromise the banks’ systems and steal millions of dollars through fraudulent transfers via the SWIFT financial messaging system.
In addition to their role in the SWIFT cyber attacks, Lazarus has also been implicated in several cyberattacks targeting cryptocurrencies, including the theft of billions of dollars worth of cryptocurrencies from multiple exchanges. This combination of financially motivated cybercrime with advanced APT-style tools and techniques highlights the blurred lines between APT and cybercrime, and demonstrates why Lazarus is considered to be at the intersection of the two.
2. Cybercrime and Hacktivism
Cybercrime and hacktivism are two forms of cyber activity that are often confused with each other. Cybercrime refers to illegal activities that are carried out using the internet, such as identity theft, fraud, and extortion. Hacktivism, on the other hand, refers to politically motivated cyberattacks that aim to disrupt or deface websites or steal sensitive information.
Despite their differences, cybercrime and hacktivism have converged in several ways. For example, hacktivists may use the tactics and tools of cybercriminals to carry out their attacks. Conversely, cybercriminals may use the cover of hacktivism to carry out their attacks without drawing attention to themselves.
2.1 Conti and the attack on Costa Rica
The Costa Rican ransomware attack carried out by the Conti gang could be motivated by factors other than just money. The President of Costa Rica, Carlos Alvarado, stated that the attack is not just a monetary issue but rather appears to be an attempt to threaten the country’s stability at a transitional moment. The attack could be politically motivated and related to Costa Rica’s public rejection of Russia’s invasion of Ukraine.
2.2 From Killnet to The Legion
Killnet was initially created as a tool that could be used to launch Distributed Denial-of-Service (DDoS) attacks, and was made available on a subscription basis. However, as the Russo-Ukrainian war continued, Killnet transformed into a hacktivist group, with the intention of launching DDoS attacks against countries opposing Russia or supporting Ukraine. This transformation was likely due to the overwhelming support received from users in Russia, which encouraged Killnet to continue launching attacks.
With this support, Killnet grew rapidly, attracting more members and creating sub-groups, including a “Legion” called Cyber Special Forces RF (Russian Federation), made up of volunteers who perform DDoS attacks on behalf of the group. The Legion was made up of many squads and constantly recruited new members, including programmers, DDoSers, and penetration testers.
The transformation of Killnet from a cybercrime gang to a hacktivist group was a response to the Russo-Ukrainian war, and was driven by the desire to support Russia and oppose foreign aggression against it.
3. State-Sponsored APT and Hacktivism
The convergence between state-sponsored APT and hacktivism is a particularly concerning development. APT actors have the resources and expertise to carry out sophisticated attacks, while hacktivists have the motivation and political agenda. When these two elements come together, it can result in devastating attacks that are difficult to defend against.
For example, state-sponsored APT actors may use the cover of hacktivism to carry out their attacks, making it more difficult to determine their motives and origin. Hacktivists, on the other hand, may use the tactics and tools of APT actors to carry out their attacks, making them more effective and potentially more dangerous.
3.1 The DNCLeaks case
DNCleaks is a high-profile incident that exemplifies the intersection of APT (Advanced Persistent Threat) and hacktivism. APT28 and APT29, believed to be state-sponsored groups from Russia, hacked into the Democratic National Committee’s (DNC) computer systems and stole sensitive and confidential data. The stolen materials were then transmitted to Wikileaks.
This incident showed the blending of traditional APT tactics and objectives with the motivations of hacktivism, which involves using hacking for political activism. The use of APT techniques for the purpose of political influence and election interference further blurs the line between APT and hacktivism, as both involve using technology for power and impact.
DNCleaks highlights the challenge of accurately attributing cyber-attacks, as well as the growing threat of politically motivated cyber-attacks, which have the potential to cause significant disruption and harm to organizations and nations. It also highlights the need for organizations to improve their cyber-security measures, as well as the importance of international cooperation in addressing these types of threats.
3.2 The World Anti-Doping Agency (WADA) Papers
In 2016, APT28 (under the moniker Fancy Bear) was also implicated in a hacktivist attack against the World Anti-Doping Agency (WADA), which revealed the extent of state-sponsored doping in Russia.
The WADA hack was a clear example of Fancy Bear straddling the line between APT and hacktivism. On the one hand, the group’s methods, targets, and affiliations suggest a state-sponsored APT group. On the other hand, the group used the stolen information to publicly shame WADA and the athletes involved in the doping scandal, which is a hallmark of hacktivist attacks.
Furthermore, the WADA hack was particularly notable for its timing and public release of the stolen data. The attack was carried out shortly before the 2016 Summer Olympics in Rio, and the stolen data was released just before the games began. This was seen as an attempt by Fancy Bear to discredit the Olympic Games and draw attention to the issue of state-sponsored doping in Russia, which is a clear example of the convergence of APT and hacktivism.
Fancy Bear operation on the WADA, in the context of the Olympic Game doping scandal, illustrate the blurred lines between APT and hacktivism, as the group’s methods and motivations suggest a coordinated effort by a government, but also a desire to shame and discredit the target in a manner that is typical of hacktivist attacks.
The convergence between state-sponsored APT, cybercrime, and hacktivism has created a complex and ever-changing landscape for organizations, governments, and individuals. The blurring of the lines between these different forms of cyber activity makes it more difficult to determine the motives and origins of attacks and increases the risk of devastating consequences.