Nowadays, all types of businesses across all sectors are affected by cybercrime. This year the attack surface has grown as telecommuting increased in response to COVID-19, and other cyberthreats arising from generalized global uncertainty have increased as well. Cybercriminals have not hesitated to take advantage of the situation in order to roll out phishing campaigns, propagate malware, exploit new vulnerabilities, and increase the number of DDoS attacks, to name just a few strategies that are jeopardizing the cybersecurity of numerous companies.

Any organization could at some point be a target for cyberattacks. We have witnessed how the APT group dubbed ‘Vicious Panda’ has orchestrated a spear phishing campaign that uses the pandemic to spread the group’s malware. And it is not just the healthcare sector that is being targeted by organized cybercrime. Even the most advanced military institutions in the world, such as DISA (Defense Information Systems Agency), charged with overseeing US Defense Department and White House communications, reported a cyberattack in February that compromised the data of up to 200,000 staff and military personnel.

All these incidents can have grave consequences for victims, from damage to an organization’s reputation to productivity outages or even the complete shutdown of business activity, causing major financial losses. There can be no doubt that the most vulnerable sectors include critical infrastructure and those responsible for safeguarding a nation’s security. When military and diplomatic agencies are targeted, lives could be at risk.

Now CactusPete, an APT group based in China, has entered the fray with attacks targeting military and financial organizations in Eastern Europe.

CactusPete: a highly sophisticated APT

The China-based APT group known as CactusPete has re-appeared with a new campaign aimed at military and financial targets in Eastern Europe. This is a new area of operations for the group: previously it appeared to focus on organizations within a limited range of countries, namely South Korea, Japan, the United States, and Taiwan. Present campaigns seem to show that the gang has its sights on other organizations in Asia and Eastern Europe.

This time, it has upgraded a backdoor to attack military and financial organizations in Eastern Europe and access confidential information. According to researchers at Kaspersky, the group used a new variant of the Bisonal backdoor, which allows attackers to steal information, run code on target computers, and move laterally within a network. Moreover, the speed at which new malware samples are being produced suggests that the group is expanding rapidly, so organizations in the targeted area should keep their guard up. In the 2020 campaign we have also seen the group improve its techniques, with access to more sophisticated code such as the ShadowPad modular attack platform.

How to protect systems against an APT

  • Constant vigilance. The best way to prevent any threats from attacking your systems is to know exactly what is happening on them at all times. Panda Adaptive Defense monitors all processes running on systems at all times. It detects any unusual activity and stops unknown processes from executing, thereby dealing with the threat before it can act.
  • Proactive threat hunting. Instead of just reactively responding to malware threats, our security analysts perform active threat hunting. Leveraging all the information harvested from our 30 years of experience in the security industry, these experts search for new threats and compare hypotheses with the data collected through our EDR solution to verify the legitimacy of processes.
  • Raising user awareness about good security practices. To prevent your company’s people from becoming the weak link in your security chain, it is important that you provide the training required to keep everyone up to speed on best security practices.
  • Corporate cyber resilience. This is particularly important for critical targets such as those of the CactusPete APT group. Security resilience, with a plan to return to normality after a security incident and remedy its effects, is critical. The common theme in all strategies analyzed by Panda is prevention, detection, containment, and response.
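The first two points above, holding any process whose binary has not yet been classified and testing an analyst's hypothesis against EDR process telemetry, can be illustrated in code. The following is an added example written for this article; it is not Panda's code and does not reflect how Panda Adaptive Defense is implemented. The process events, file contents, hashes, and the "document application launches a command interpreter" hypothesis are all constructed for the example, and the hypothesis is an assumption chosen because the article mentions spear-phishing campaigns, not a rule taken from the article.

```python
"""Default-deny process classification plus one hunting hypothesis over
constructed EDR-style process-start telemetry (example code, not a product)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record in the shape an EDR sensor might report (constructed)."""
    pid: int
    image: str          # executable path reported by the sensor
    parent_image: str   # path of the process that launched it
    sha256: str         # hash of the executable file on disk
    cmdline: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents; a real sensor hashes the file on disk.
_SAMPLE_BINARIES: Dict[str, bytes] = {
    r"C:\Windows\System32\svchost.exe": b"constructed-svchost",
    r"C:\Program Files\Office\WINWORD.EXE": b"constructed-winword",
    r"C:\Windows\System32\cmd.exe": b"constructed-cmd",
}

# Allow-list of hashes the organization has already classified as trusted.
# Everything not in it is unknown and is held rather than merely logged (default deny).
KNOWN_GOOD: Set[str] = {sha256_hex(content) for content in _SAMPLE_BINARIES.values()}

# Assumed categories for the hunting hypothesis below.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_process(event: ProcessEvent, known_good: Set[str] = KNOWN_GOOD) -> str:
    """'allow' only for binaries already classified as known-good; otherwise 'block'."""
    return "allow" if event.sha256 in known_good else "block"


def hunt_document_spawning_interpreter(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Hypothesis (assumed for the example): a document or mail application launching a
    command interpreter is consistent with a malicious attachment and deserves analyst review,
    even when every binary involved is individually known-good."""
    return [e for e in events
            if basename(e.parent_image) in DOCUMENT_APPS and basename(e.image) in INTERPRETERS]


def triage(events: List[ProcessEvent]) -> Dict[str, List[int]]:
    """Return the PIDs held by default deny and the PIDs flagged by the hunting hypothesis."""
    blocked = [e.pid for e in events if classify_process(e) == "block"]
    review = [e.pid for e in hunt_document_spawning_interpreter(events)]
    return {"blocked": blocked, "review": review}


# Constructed telemetry: three classified binaries plus one never-seen executable.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 sha256_hex(b"constructed-svchost"), "svchost.exe -k netsvcs"),
    ProcessEvent(2, r"C:\Program Files\Office\WINWORD.EXE", r"C:\Windows\explorer.exe",
                 sha256_hex(b"constructed-winword"), "WINWORD.EXE invoice.docx"),
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Office\WINWORD.EXE",
                 sha256_hex(b"constructed-cmd"), "cmd.exe /c echo constructed"),
    ProcessEvent(4, r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\cmd.exe",
                 sha256_hex(b"constructed-unknown"), "update.exe"),
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

The two checks are deliberately independent: the hash allow-list stops the unclassified binary (PID 4) without needing any prior knowledge of it, while the hunting rule surfaces PID 3 even though cmd.exe itself is trusted, which is exactly the kind of hypothesis an analyst compares against collected telemetry.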