Positive Technologies investigation findings: 40% of incidents linked to known APT groups

Attackers’ longest active presence in an infrastructure lasted five years

Positive Technologies Expert Security Center (PT ESC) has reported the findings of its investigations of cyberincidents in 2021–2023.¹ The number of investigations has more than doubled in the past two years, and 40% of all investigated incidents were committed by known APT groups. The most frequent targets were government agencies (34%) and industrial enterprises (30%).

The report states that the annual number of incident investigation projects carried out by the PT ESC threat response team has increased significantly in the past two years. In the whole of 2022, the number of investigations rose by 50%; in comparison with this figure, the first nine months of 2023 have seen 76% growth. Our experts posit that such a surge could have been triggered by an increase in the number of cybersecurity incidents due to recent geopolitical and economic events worldwide.

Upon analyzing the incident investigation projects and retrospective studies of company infrastructures, PT ESC found that 40% of the incidents were linked to known APT groups.

"Threat actor attribution is a complex process that doesn’t always give reliable results," comments Denis Goydenko, Head of Threat Response, PT ESC. "Over the last three years, our experts have detected incidents involving 15 known APT groups that were identified by the tools, network infrastructure, and TTP used. APT groups typically employ unique malware that provides access to the company’s infrastructure after the initial compromise. Nevertheless, both APT groups and less skilled attackers use auxiliary software, which in the vast majority of cases is publicly available on the Internet."

APT group attacks most commonly targeted government agencies (34%) and industrial enterprises (30%). Third place went to IT companies (7%).

In 25% of completed projects dedicated to retrospective analysis of company infrastructures, traces of APT group activity were identified. By the time of analysis, these groups had often been operating undetected in the victim companies' infrastructures for six months to a year. According to the study, the average time from infrastructure compromise to the attackers being stopped (or contained) was 45 days; their longest active presence in the network lasted five years.

Based on all identified incidents, affected companies most often encountered internal business process disruptions (32%), cyberespionage (32%; a prolonged presence in the target infrastructure, typically aimed at the continuous extraction of confidential information), and direct exfiltration of confidential information (26%). Since 2020, our experts have been observing the trend of exfiltrating company data before launching ransomware. This move allows attackers to demand a ransom both for restoring infrastructure access and for not disclosing the stolen information.

As the initial penetration vector, attackers most commonly (63%) exploited vulnerabilities in publicly accessible web applications used by the victim. Specifically, the most frequently attacked web applications were Microsoft Exchange mail servers (50% of all attacks where vulnerable web applications were the initial vector), Bitrix web servers (13%), and Atlassian products (7%), such as Confluence and Jira. The second most frequently successful penetration method was email phishing.

Our analysis spotlighted an interesting trend: while attackers rarely invent new attack methods, the number of incidents exploiting known vulnerabilities continues to grow. This suggests that, at the very least, companies are not updating software to the latest versions and are not auditing their infrastructure perimeter.

As protective measures, Positive Technologies experts recommend that companies do the following: use the latest software and OS versions; build vulnerability management processes to help keep the infrastructure up to date; create backup copies of all domain hosts and store them on a host isolated from the main network; and conduct ongoing perimeter audits for vulnerabilities and public-facing services.

To combat cyberthreats, the researchers recommend using modern security tools, such as solutions for monitoring information security events and detecting incidents (MaxPatrol SIEM), endpoint security systems that protect against complex and targeted attacks (MaxPatrol EDR), effective vulnerability detection and management tools (MaxPatrol VM), as well as risk-based sandboxes that adapt to the individual company and detect sophisticated malware in files and traffic (PT Sandbox). And for all-inclusive protection with minimal human resources, an autopilot solution for results-oriented cybersecurity (MaxPatrol O2) can be employed.

  1. For this study, the experts analyzed information obtained from more than 100 projects of two types: incident investigation and retrospective analysis of infrastructure. These projects were conducted from Q1 2021 to Q3 2023 in various companies across Russia and the CIS. The average time of investigation from the start to the completion of the final report was 21 days.