Few security researchers possess the skills to detect elusive threat actors and gather the evidence of Advanced Persistent Threat (APT) groups lurking beneath the surface of legitimate-appearing network traffic.
The indicators or clues the threat actors leave behind are similar to a sea creature’s tentacles appearing from the depths; they only reveal fragmentary details of the overall threat. Dell SecureWorks Counter Threat Unit™ (CTU) researchers gain insights about threats such as Threat Group-3390 (TG-3390) from monitoring clients’ environments, including traffic and endpoints, and conducting intrusion analysis during incident response engagements. Applying strategic and tactical threat intelligence methodologies allows CTU researchers to provide a complete profile of threat actors and their capabilities. Leveraging this comprehensive view of threat intelligence provides executives with the information needed to reduce the risk to their organization’s mission and critical assets.
Just Beyond the Surface
TG-3390 commonly uses strategic web compromises (SWCs) to infiltrate organizations. Victims typically get ensnared when browsing a compromised website that is relevant to their business. Not all visitors fall victim; the threat actors target those who have access to desirable data. Code on the compromised website exploits vulnerabilities on the victim’s computer to deliver malware that gives the threat actors access to the system, and TG-3390 uses infrastructure in the victim’s home country to avoid geoblocking and geoflagging. These few clues provide some insight into TG-3390, but not enough information to develop protective countermeasures. Diving deeper is critical for a comprehensive look at this threat.
Plunging into the Depths
In “Threat Group-3390 Targets Organizations for Cyberespionage,” CTU researchers provide a deeper look at TG-3390. First-hand incident response findings and intelligence from external sources provide a complete picture of the camouflaged components of this threat group. CTU researchers discovered many victims in numerous verticals located in the U.S. and the UK, and there may be many more in other countries. TG-3390’s intrusions are not random but highly calculated. These threat actors know what they are after when they infiltrate companies.
Once the target data has been identified, the threat actors create compressed, password-protected archives so that only they can see what data lies within. TG-3390 either leverages backdoors to transfer the data out of the network or stages the archives on externally accessible systems so that the threat actors can download the target data.
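A defender-side check for the staging behavior described above, added here as an example and not CTU code: it walks a directory such as a web root and flags ZIP archives whose local file header carries the encryption bit, which is what password-protecting tools set on every entry. The helper names are hypothetical and the sample archives are constructed inline; only the ZIP format is covered.

```python
"""Flag password-protected ZIP archives staged under an externally reachable directory."""
import os
import struct
import tempfile
import zlib

ZIP_LOCAL_HEADER_SIG = 0x04034B50  # "PK\x03\x04"
ENCRYPTED_FLAG = 0x0001            # general-purpose bit 0: entry is encrypted


def header_is_encrypted(blob):
    """True/False for a ZIP local file header; None if the bytes are not a ZIP.

    Only the first entry is inspected: password-protecting tools encrypt every
    entry, so it is representative, and no central directory is needed.
    """
    if len(blob) < 30:
        return None
    sig, _version, flags = struct.unpack_from("<IHH", blob, 0)
    if sig != ZIP_LOCAL_HEADER_SIG:
        return None
    return bool(flags & ENCRYPTED_FLAG)


def find_staged_archives(root):
    """Return sorted paths under root whose first ZIP entry is encrypted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if header_is_encrypted(fh.read(30)):
                    hits.append(full)
    return sorted(hits)


def build_sample_zip(encrypted):
    """Constructed sample: one stored entry, optionally flagged as encrypted."""
    data = b"customer_list,confidential\n" * 4
    name = b"export.csv"
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack("<IHHHHHIIIHH", ZIP_LOCAL_HEADER_SIG, 20,
                         ENCRYPTED_FLAG if encrypted else 0, 0, 0, 0,
                         crc, len(data), len(data), len(name), 0)
    return header + name + data


def run_demo():
    """Stage one plain and one password-protected archive plus a text file; return flagged names."""
    with tempfile.TemporaryDirectory() as webroot:
        samples = {"plain.zip": build_sample_zip(False),
                   "staged-export.zip": build_sample_zip(True),
                   "index.html": b"<html>not an archive, padded to exceed 30 bytes</html>"}
        for fname, blob in samples.items():
            with open(os.path.join(webroot, fname), "wb") as fh:
                fh.write(blob)
        return [os.path.basename(p) for p in find_staged_archives(webroot)]
```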
The threat actors work fast, moving laterally to other networked systems in as little as two hours after initial entry, and they have compromised entire organizations in as little as six hours. When they are evicted from environments, they waste no time attempting to reenter and re-disguise themselves as they continue to pursue their objectives. Observing active hours for the threat group allows for predictability of threat actor activity and provides network defenders with intelligence to form a containment and eradication plan.
Many network defenders underestimate the pervasiveness and relentless fervor of this threat group. Once TG-3390 targets an organization, the threat actors diligently work to achieve their actions on objectives. Developing a complete picture of TG-3390’s intent, capability, tools, and infrastructure, as well as the threat actors’ tactics, techniques, and procedures (TTPs), is paramount to determining how to effectively evict and protect against this threat group.