Advanced Persistent Threat Groups Eyeing Sub-Saharan Countries

New research from Kaspersky underscores that MSSPs in Africa may serve as organizations’ only cybersecurity defense.

Kelly Teal, Contributing Editor

October 28, 2020


Even though certain cyber threats targeting organizations in Africa have decreased, managed security service providers in the region must stay vigilant. Over the coming months, new research shows, advanced persistent threat (APT) groups and hackers for hire will focus more on the continent.

That all comes from antivirus vendor Kaspersky. The company’s analysts recently found that the rate of certain malware families and types taking aim at various parts of the continent dropped in the first half of 2020. For example, South Africa saw a 36% decrease; Kenya, 26%; and Nigeria, 2.7%. To be sure, the numbers show that much of the commodity malware danger in this less-developed part of the world has declined.

However, MSSPs can’t let down their guards. Kaspersky says that, globally, advanced persistent threat actors are ramping up their techniques and capabilities to steal sensitive information. Hacking-for-hire entities will do the same, Kaspersky discovered. In fact, the worldwide activity tied to these cyber mercenaries rose in the first two quarters of 2020, Kaspersky said. Much of the momentum stems from opportunities created by the COVID-19 pandemic. As more organizations have sent employees to work from home, they have opened unintentional gaps in security.


“Data breaches will certainly become more commonplace, especially as people will continue to work remotely for the foreseeable future while exposing their systems to the internet without adequate protection,” said Maher Yamout, senior security researcher, global research and analysis team at Kaspersky.

And while the shift is happening outside of Africa, Kaspersky says that won’t remain the case. All of this cyber change will put MSSPs’ Africa customers squarely in hackers’ scopes — sooner, not later.

It’s Already Happening

In South Africa, Kenya and Nigeria, advanced persistent threat groups are milking COVID-19 uncertainties. That means they are employing “continuous, clandestine and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences,” Kaspersky says.

For the most part, these hackers have found new, more sophisticated ways to deliver malware. As a result, the so-called STOP ransomware has found more popularity among cybercriminals targeting Africa, as has financial malware. The groups then monetize the data they are able to exploit, and because that monetization depends on the kind of data they obtain, they are attacking specific industries. To that point, the government, education, health care and military sectors in Sub-Saharan Africa suffered the most hits over the first half of this year.

“While government and military present compelling – and obvious – targets, education and health care are often used as pivot points to gain access to other institutions,” Kaspersky wrote. “Sometimes, an entity is a victim while other times it is the target.”

Top 3 Threat Actors Eyeing Africa

Transparent Tribe, OilRig and MuddyWater comprise the top three threat actors with Africa in their sights. And each one poses its own unique danger to organizations.

Since its inception (or discovery) in 2013, Transparent Tribe has focused on India’s military and government personnel. The group also goes by the monikers PROJECTM and MYTHIC LEOPARD.

“Their favorite infection vector is malicious documents with an embedded macro, which seem to be generated with a custom builder,” according to SecureList. “Their main malware is a custom .NET RAT publicly known as Crimson RAT, but over the years, we also have observed the use of other custom .NET malware and a Python-based RAT known as Peppy. Over the past year, we have seen this group undergo an evolution, stepping up its activities, starting massive infection campaigns, developing new tools and strengthening their focus on Afghanistan.”
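Macro-bearing Office documents, the infection vector SecureList describes above, can be triaged before they reach a user. The following is an added example written for this article, not code from Kaspersky, SecureList or any MSSP, and it assumes the defender is checking e-mail attachments after the mail gateway has extracted them. It uses only Python’s standard library: modern Office files (.docx, .docm, .xlsm and so on) are zip archives, and a VBA project is stored inside them as a part named vbaProject.bin; legacy binary formats (.doc, .xls) start with the OLE2 magic bytes and need a dedicated parser, so here they are only flagged for manual review. The sample attachments are constructed inline.

```python
"""Triage e-mail attachments for embedded Office macros.

Added example for this article (not from Kaspersky, SecureList or any
MSSP). Assumption: attachments have already been extracted from the
message and are available as (filename, bytes) pairs.
"""
import io
import zipfile

# OLE2 compound-file header used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of:
    'macro'       - OOXML archive that carries a VBA project part
    'legacy-ole'  - binary Office format; needs a dedicated parser
    'unparseable' - claims to be a zip/OOXML file but will not open
    'clean'       - no macro indicator found
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if data[:2] == b"PK":  # zip local-file header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            # Truncated or deliberately malformed archives deserve a
            # closer look rather than a silent pass.
            return "unparseable"
        # The VBA project part lives under word/, xl/ or ppt/ depending
        # on the application, so match on the file name alone. A
        # vbaProject.bin inside a file named .docx is still flagged:
        # the extension is attacker-controlled, the archive is not.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
    return "clean"


def triage(attachments: dict) -> dict:
    """Classify every attachment; returns {filename: verdict}."""
    return {name: classify_attachment(name, data)
            for name, data in attachments.items()}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word-style OOXML archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real samples from any campaign).
SAMPLE_ATTACHMENTS = {
    "invoice.docx": build_ooxml(with_macro=False),
    "invoice.docm": build_ooxml(with_macro=True),
    "report.doc": OLE2_MAGIC + b"\x00" * 32,
    "notes.txt": b"plain text, nothing to see",
    "broken.docx": b"PK\x03\x04" + b"garbage",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} -> {verdict}")
```

In practice the 'macro' and 'unparseable' verdicts would route the message to quarantine or a sandbox, and 'legacy-ole' files would be handed to a tool that can walk OLE2 streams; the check is an indicator, not proof of malice, since legitimate macro-enabled documents exist in many organizations.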

OilRig, meanwhile, goes after telecom companies.

“[I]t uses steganography to hide commands and data within bitmap images attached to emails,” Threatpost writes.

As for MuddyWater, that group first surfaced about three years ago. It focuses on governments and telecom providers, namely in the Middle East. Per SecureList, “MuddyWater attackers deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to implement their attacks and complete their victim infiltration and data exfiltration. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.”

What These Hackers Want

In general, advanced persistent threat actors want what other hackers want: to “try to steal data, disrupt operations or destroy infrastructure,” as FireEye puts it.

And yet, they are willing to stay the course, no matter what.

“Unlike most cyber criminals, APT attackers pursue their objectives over months or years,” FireEye says. “They adapt to cyber defenses and frequently retarget the same victim.”

Hackers for hire, on the other hand, want private data so they can monetize it in unique ways. Kaspersky says that typically amounts to “providing advice or insights, based on the data, to share value of a competitive advantage.” For example, one bank can buy a rival bank’s internal information on market exposure, clients and back-end systems.

MSSPs: Best Line of Defense

The major takeaway is that MSSPs in Africa must increase and retain their expertise and monitoring. Cybercriminals are not about to let up. And they will face few, if any, deterrents from most African states. As of earlier this year, only eight of the 55 countries in Africa had cybersecurity or data protection regulations or laws. MSSPs may represent organizations’ greatest – or even only – line of defense.

“The remainder of the year will likely see APT groups and hacking-for-hire threat actors increase in prominence across the globe,” Yamout said. “Africa will continue to see more sophisticated APTs emerge. We also suspect that the hacking-for-hire actor type could target companies in Africa in the future. We also anticipate that cybercriminals will increase targeted ransomware deployment using different ways. These can range from trojanized cracked software to exploitation across the supply chain of the targeted industry.”


About the Author

Kelly Teal

Contributing Editor, Channel Futures

Kelly Teal has more than 20 years’ experience as a journalist, editor and analyst, with longtime expertise in the indirect channel. She worked on the Channel Partners magazine staff for 11 years. Kelly now is principal of Kreativ Energy LLC.
