ESET industry report on government: Targeted but not aloneDownload Paper
A year into the pandemic, ESET reveals new research into activities of the LuckyMouse APT group and considers how governments can rise to the cybersecurity challenges of the accelerated shift to digital
Earlier this year, a well-known APT group dubbed LuckyMouse (aka Emissary Panda, APT27) began exploiting several zero-day Microsoft Exchange Server vulnerabilities. Its end goal? Cyberespionage across multiple government networks in the Middle East and wider organizations in Central Asia. The group used this email server access, and the compromise of Microsoft SharePoint, to deploy a newly updated modular toolkit known as SysUpdate. As ESET explains in a new report, it has been designed to provide on-demand malicious capabilities, while taking great care to resist analysis.
If you were in any doubt about the scale of the cyberthreat facing global governments, then look no further. Fortunately, cybersecurity companies are in a unique position to advise the public sector. Not only does ESET have the requisite technical skills to support cyber-defense, but as no less a target for sophisticated threat actors it can share first-hand its learnings about what works and what doesn’t.
A year of firsts
This LuckyMouse campaign, dubbed EmissarySoldier by ESET and conducted across much of 2020 and into early 2021, is just the tip of the iceberg. It’s been a year like no other for governments, and the threat landscape in general. Unfortunately for the former, events in the latter have had a major impact on the consumers, societies and critical infrastructure sectors that governments are meant to steward and shield. In this respect, the pandemic may have set 2020 apart from any other year before it. But governments should take note: it could also herald much more of the same in the years to come.
The pandemic forced a fresh wave of digital transformation the world over. Investments in cloud infrastructure and applications, remote working laptops and devices, and much more were absolutely essential to support home working civil servants and new emergency services. In the United Kingdom, departments delivered 69 new digital services by the end of May 2020. Its flagship Coronavirus Job Retention Scheme (CJRS) was designed, built and launched in under five weeks.
Yet like many organizations, by expanding their digital infrastructure, governments also broadened their cyberattack surface. This was targeted relentlessly by opportunistic threat actors. Distracted home workers were bombarded by phishing lures, many of which relied on the insatiable appetite for the latest news on COVID-19. Remote working infrastructure was probed for vulnerabilities and hijacked with stolen, phished or cracked remote login credentials. Security teams struggled with their own operational challenges of working from home.
From cybercrime to cyberespionage
Many of the threats facing government came from organized criminal groups, which have been increasingly willing to work together towards a common goal. Just witness the close cooperation between Trickbot (eventually disrupted in a global operation involving ESET), Emotet (itself disrupted recently) and sophisticated ransomware groups like Ryuk that used botnet access to target victim organizations. Unfortunately, governments and industry are not always so willing to work together defensively.
The other major source of cyberthreats, of course, is nation-state actors — even though the line between these and traditional, financially-motivated cybercriminals continues to blur. Sensing a moment of unique opportunity, hostile nations have been doing their best to capitalize on otherwise-engaged government IT teams to further their geopolitical goals. Most notably, this came with the push to steal COVID-19 vaccine data from rival states.
The bad news for western governments is that such attacks from groups including Gamaredon, Turla, Sandworm (and its subgroup tracked by ESET as TeleBots) and XDSpy, continue to land their punches. Alongside the use of commodity malware bought from the cybercrime underground, they continue to innovate in-house, to produce the likes of Crutch, a previously undocumented Turla backdoor discovered by ESET.
Supply-chain attacks: From strength to strength
Among perhaps the most troubling developments of recent months has been the revelations over the SolarWinds campaign. However, it is only one of a series of supply-chain attacks ESET has detected over the past year. Others include Lazarus Group deploying hacked security add-ons, Operation Stealthy Trident taking aim at region-specific chat software, and Operation SignSight, which compromised a government certificate authority.
In fact, ESET discovered as many supply-chain campaigns in Q4 2020 as the entire security industry uncovered annually a few years ago. The supply chain threat has grown as governments expand their use of digital services to streamline processes and improve the delivery of public services. They must seize this moment to hit back, with an improved cybersecurity strategy fit for the post-pandemic world.
The future starts here
The question is, where to start? Drawing also on its own experience as a target for threat actors, ESET has learned that getting the basics right really is the best foundation for securing your organization. These days, it should begin with understanding where your key assets are – whether a home working laptop or a cloud server – and ensuring they’re protected and correctly configured at all times. Prompt patching, regular backups, endpoint protection and “zero trust” access for all home workers should also be table stakes. After all, the distributed workforce is your most exposed front in the war on cybercrime.
Next, follow international standards, such as ISO 27001, to institute best practices for information security management. It’s a good starting point that you can build on to align with key regulatory compliance requirements. Concerned at how to prioritize so many security activities amidst such a fast-moving landscape? Use risk management and measurement as your guide. Other critical steps include “shifting security left” in your software development lifecycle (SDLC) – to accelerate digital transformation without increasing cyber-risk.
The past year has been an eye-opener in many respects. But there’s no going back for government IT teams. Remote working and greater use of cloud and digital infrastructure is the new reality, as are sophisticated criminal and state-backed attacks. It’s time to chart a way through the gloom, using best-practice security techniques, products and cutting-edge research to stay ahead of the game.