Microsoft: US government is 'advanced persistent threat'
Historically, the Microsoft Defender Security Center has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and respond to alerts of potential advanced persistent threat activity or data breaches. To reduce the number of portals, Microsoft 365 Defender will become the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.
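As an added example of such a hunting query (written for this page, not taken from Microsoft's documentation or the original article), the query below looks for Office applications spawning script interpreters or living-off-the-land binaries, a common phishing-to-execution chain in targeted intrusions. It assumes the standard Microsoft 365 Defender advanced hunting schema for the DeviceProcessEvents table; the process lists and command-line markers are the author's own choices, not a Microsoft-supplied detection.

```kql
// Added example, not from the original page: hunt for Office applications
// spawning script interpreters or LOLBins over the last 7 days.
// Assumes the standard DeviceProcessEvents schema (Timestamp, DeviceName,
// AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ...).
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let suspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                                  "cscript.exe", "mshta.exe", "rundll32.exe",
                                  "regsvr32.exe", "certutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (officeApps)
| where FileName in~ (suspiciousChildren)
// Encoded commands and download cradles raise the priority of a hit.
| extend Encoded = ProcessCommandLine has_any ("-enc", "-EncodedCommand",
                                               "FromBase64String", "DownloadString",
                                               "IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, Encoded, SHA256
| order by Encoded desc, Timestamp desc
```

Tune the process lists to your environment before using this as a custom detection rule: some line-of-business add-ins legitimately launch cmd.exe or PowerShell from Office, and those should be excluded by command line or signer rather than by dropping the check entirely.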
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Such threat actors' motivations are typically political or economic. Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software).
Warnings against targeted, socially engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method had been used since the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006, with Colonel Greg Rattray cited as the individual who coined it.
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states.
Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:
While the writing is cautiously couched in terms of "some governments" it's crystal clear that Microsoft's "advanced persistent threat" is referring to the ongoing revelations of US government surveillance activities (in leaks by Edward Snowden), and the concerns of Microsoft's American customers.
Cybersecurity firm Mandiant has tracked security breaches by advanced persistent threats since 2004; in February 2013 Mandiant reported that the most prolific APT in the world was "One of China's Cyber Espionage Units."
Leaving us all to wonder just what kind of mess we're in when one of the largest, richest and most visible American companies in the world openly categorizes the US government as an "advanced persistent threat" to both itself, and its customers.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).
CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered. CISA will continue to update this Alert and the corresponding IOCs as new information becomes available.
Target sectors: This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.
Be future ready with the broadest range of commercial innovation for government. Azure delivers advanced compute and analytics capabilities from cloud to edge to help you gain insights, move faster, and do more for the mission.
"All of this will be in place by the end of 2014, and much of it is effective immediately," Smith said, adding that Microsoft now viewed government intrusion into its infrastructure as an "advanced persistent threat" of a similar nature to "sophisticated malware and cyber attacks".
In what's believed to be the first known use of the tactic, an advanced persistent threat actor is leveraging Microsoft OneDrive services for command-and-control (C2) purposes in a sophisticated cyberespionage campaign aimed at high-ranking government and defense industry officials of a West Asian nation.
Researchers from Trellix who have been tracking the campaign have attributed it with a low to moderate degree of confidence to APT28, aka Fancy Bear, a threat actor that the US government previously has linked to Russia's military intelligence service. Trellix's analysis of data related to the campaign shows that the threat actors also have their sights on defense and government entities in Poland and other Eastern European nations.
If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an "advanced persistent threat," alongside sophisticated malware and cyber attacks.
GALLIUM remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. Over the past year, we have identified targeted attacks impacting nine nations. This group has deployed a new capability called PingPull in support of its espionage activities, and we encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.
Microsoft attributed the attacks to a group it dubbed Holmium, which security researchers have previously referenced as APT33. APT stands for advanced persistent threat, a common reference to organized, usually state-sponsored hacking groups.
The compromised SolarWinds Orion Platform DLL that led to this sophisticated attack shows how a few benign-looking lines of code inserted into a single DLL file can spell a serious threat to organizations using the affected product, a widely used IT administration tool deployed across verticals, including government and the security industry. The discreet malicious code inserted into the DLL called a backdoor of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.
Microsoft's general counsel, Brad Smith, warned in a blog post last week that the U.S. government's online surveillance efforts "threaten to seriously undermine confidence in the security and privacy of online communications."
Latest news on advanced persistent threats (APTs), stealthy cyber-attacks typically conducted by nation-states or state-sponsored groups that gain unauthorised access to a computer network and remain undetected for an extended period.
Since the onset of the COVID-19 pandemic, there has been a surge in cyberattacks against individuals and organizations of all sizes. This is further complicated by the surge in telecommuting, which increases the threat to such individuals and organizations. The alert describes confirmed exploitation by cybercriminals and advanced persistent threat groups of the ongoing COVID-19 pandemic. It also includes a non-exhaustive list of indicators of compromise for detection and guidance regarding mitigating threats.
Once in a while we get to spend time analyzing malicious code that is not as widespread as other threats we've encountered. Here we analyze a targeted attack used in Taiwan and Vietnam - but is this 'APT' really that advanced?