For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these organizations, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant of the webinar, you will be the first to hear our detailed analysis of the trends. The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11. “If we can call 2014‘sophisticated’, then the word for 2015 will be ‘elusive’. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we’ve already discovered APT players using several zero-days, and we’ve observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users,” comments Costin Raiu. Listen to the presentation https://kas.pr/aptwebinar Read the full report https://kas.pr/ksb

1. Kaspersky Lab webinar
“APT Predictions for 2015”
Date
Thursday, December 11, 11 AM CET
Highlights
Ź APT trends in 2014
Ź The merger of cybercrime and APT
Ź Fragmentation of bigger APT groups
Ź Evolving malware techniques
Ź New methods of data exfiltration
Ź APT arms race
Ź Advanced Persistent Threats mitigation
Presenter: Costin Raiu
Director of Global Research
and Analysis Team at Kaspersky Lab

2. 2015
APT Predictions
A look into the APT crystal ball

3. GREAT: Elite Threats Research
Ź Global Research and Analysis Team, since 2008
Ź Threat intelligence, research and innovation
leadership
Ź Focus: APTs, critical infrastructure threats, banking
threats, sophisticated targeted attacks

4. Sophisticated threat discovery
Classification
Detection
Active
Facts
Duqu
Cyber-espionage
malware
September 2011
Since 2010
• Sophisticated Trojan
• Acts as a backdoor
into a system
• Facilitates the theft
of private
information
Flame
Cyber-espionage
malware
May 2012
Since 2007
• More than 600
specific targets
• Can spread over
a local network or
via a USB stick
• Records
screenshots, audio,
keyboard activity and
network traffic
Gauss
Cyber-espionage
malware
July 2012
Since 2011
• Sophisticated toolkit
with modules with
modules that
perform a variety of
functions
• The vast majority of
victims were located
in Lebanon
miniFlame
Cyber-espionage
malware
October 2012
Since 2012
• Miniature yet fully-fledged
spyware
module
• Used for highly
targeted attacks
• Works as stand-alone
malware or as
a plug-in for Flame
Red October
Cyber-espionage
campaign
January 2013
Since 2007
• One of the first
massive espionage
campaigns
conducted on
a global scale
• Targeted diplomatic
and governmental
agencies
• Russian language
text in the code
notes
NetTraveler
Series of cyber-espionage
campaigns
May 2013
Since 2004
• 350 high
profile victims
in 40 countries
• Exploits known
vulnerabilities
• Directed at private
companies, industry
and research facilities,
governmental
agencies
Careto / The Mask
Extremely sophisticated
cyber-espionage campaign
February 2014
Since 2007
• 1000+ victims in
31 countries
• Complex toolset with
malware, rootkit, bootkit
• Versions for Windows,
Mac OS X, Linux
• Considered one of the
most advanced APTs ever
Threat

5. apt.securelist.com
‘Targeted Cyber-attack
Logbook’ chronicles all the
complex cyber-campaigns,
or APTs (advanced persistent
threats) that have been
investigated by the company’s
Global Research and Analysis
Team.

6. APT Trends in 2014 were:
Ź Cost of entry decreasing
Ź More APT groups
Ź Emergence of cyber-mercenaries
Ź Supply chain attacks
Ź Larger operations & surgical
strikes
Ź Critical infrastructure attacks
Ź “Wipers”, cyber-sabotage
What’s next?

7. APT Predictions 2015

8. Prediction: Targeted attacks directly
against banks, not their users.
n The merger of cybercrime and APT
Ź In a number of incidents, several
banks were breached using methods
straight out of the APT playbook.

9. Prediction: More widespread attack
base (more companies will be hit).
Bigger companies will see attacks
from a wider range of sources.
o Fragmentation of bigger APT groups
Recent exposure of APT groups:
MSUpdater/PutterPanda, APT1/Comment Crew,
Energetic Bear, Turla, Regin and NetTraveler leads
to fragmentation and creation of new groups.

10. Ź More malware is being updated for 64 bits
Ź Including rookits
60%
50%
40%
30%
20%
10%
0%
2010 2011 2012 2013 2014
x64 users growth
Prediction: more sophisticated
malware implants, enhanced evasion
techniques and more use of virtual
file systems
p Evolving malware techniques
Ź More advanced persistence techniques
Ź Cross platform persistence
Ź Network equipment, embedded, ICS

11. q New methods of data exfiltration

12. Prediction: more groups to adopt
use of cloud services in order to
make exfiltration stealthier and
harder to notice.
New methods of data exfiltration
Ź Use of compromised trusted
websites
Ź WebDAV
Ź DNS requests
Ź UDP
Ź ICMP
Ź …
Ź Cloud

13. r More countries join the cyberarms race
Ź Unusual languages seen in APTs:
German, Old Italian, Spanish,
Korean, French, Arabic
Prediction: Although we haven't yet
seen APT attacks in Swedish, we do
predict that more nations will join
the “cyberarms” race and develop
cyber-espionage capabilities.

14. Prediction: With governments
increasingly keen to “name and shame”
attackers, we believe that APT groups
will also carefully adjust their operations
and throw false flags into the game.
s Use of false flags
Ź In 2014 we observed several “false flag”
operations where attackers delivered
“inactive” malware commonly used by
other APT groups.

15. Prediction: in 2015, we anticipate
more mobile-specific malware in APT
attacks, with a focus on Android and
jailbroken iOS.
t Addition of mobile attacks
iPhone1,1 iPhone1,2 iPhone2,1
iPhone3,1 iPhone3,2 iPhone3,3
iPhone4,1 iPhone5,1 iPhone5,2
iPad1,1 iPad2,1 iPad2,2
iPad2,3 iPad2,4 iPad3,1
iPad3,2 iPad3,3 iPad3,4
iPad3,5 iPad3,6 iPhone
iPhone 3G iPhone 3GS iPhone 4
iPhone 4 iPhone 4 (cdma) iPhone 4s
iPhone 5 (gsm) iPhone 5 iPad
iPad2 (Wi-Fi) iPad2 (gsm) iPad2 (cdma)
iPad2 (Wi-Fi) iPad3 (Wi-Fi) iPad3 (gsm)
iPad3 iPad4 (Wi-Fi) iPad4 (gsm)
iPad4

16. Prediction: in 2015, a few other groups
might also embrace these techniques,
but it will remain beyond the reach of
the vast majority of APT players.
u Targeting of hotel networks
Hotels provide an excellent way of targeting particular
categories of people, such as company executives.

17. Ź In general, APT groups are careful to avoid
making too much noise with their operations
Ź In 2014 we observed two APT groups (Animal
Farm and Darkhotel) using botnets in
addition to their regular targeted operations
Ź In addition to DDoS operations, botnets
can also offer another advantage - mass
surveillance apparatus for a “poor country”
Ź Flame and Gauss, which we discovered
in 2012, were designed to work as a mass
surveillance tool
Prediction: in 2015 more APT groups
will embrace this trend of using precise
attacks along with noisy operations,
and deploy their own botnets.
v APT+Botnet: targeted mass surveillance

18. Massive vs targeted: Darkhotel example
e-mail

19. Ź Spyware sales cannot be controlled
Ź Eventually, these dangerous software
products end up in the hands of less
trustworthy individuals or nations
Prediction: A high-reward, low-risk
business that will lead to the creation
of more software companies focused
on “legal surveillance tools” market.
In turn, these tools will be used for
nation-on-nation cyber-espionage
operations, domestic surveillance
and maybe even sabotage.
w Commercialization of APT attacks

20. What about
solutions?
How to defend
your company
against APTs
in 2015

21. Advanced Persistent
Knowledge
; Kaspersky Lab GReAT intelligence
reports on active campaigns:
intelreports@kaspersky.com
; Cybersecurity Training Services
; Malware Analysis Service
; Threat Data Feeds/Botnet Tracking
APT Mitigation Strategy:
Intelligence + Technology
Advanced Technologies
; Kaspersky Security Network – instant reaction to the
most recent threats;
; Automatic Exploit Prevention technology in Kaspersky
Lab protection solutions: proactively blocks exploits
used in targeted attacks.
Example 1: AEP proactively detected components
of Red October espionage campaign
Example 2: AEP proactively blocked CVE-2013-3906
used in targeted attacks
; Whitelisting / Default deny mode

22. Conclusions
Ź 2014 was a rather sophisticated and diverse year for APT
incidents
Ź Kaspersky Lab discovered three zero-days vulnerabilities in 2014
Ź Exposed several APTs: Mask/Careto, Darkhotel, Machete, Epic
Turla, Regin, Cloud Atlas
Ź The word for 2015 will be “elusive”
Ź APT groups will become concerned with exposure and they will
take more advanced measures to hide from discovery
Ź False flag operations

23. QUESTIONS ?