{"id":1345,"date":"2024-12-25T06:00:00","date_gmt":"2024-12-25T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1345"},"modified":"2024-12-25T06:00:00","modified_gmt":"2024-12-25T06:00:00","slug":"the-2024-cyberwar-playbook-tricks-used-by-nation-state-actors","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1345","title":{"rendered":"The 2024 cyberwar playbook: Tricks used by nation-state actors"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In 2024, nation-state cyber activity was off the charts, with Chinese, Russian, and Iranian actors leading the charge. Their campaigns weren\u2019t just relentless \u2014 they were innovative, using a crafty mix of Tactics, Techniques, and Procedures (TTPs) to gain footholds, stay hidden, and spy like pros.<\/p>\n<p>\u201cThere was definitely a continued and noted uptick in nation-state activity in 2024,\u201d said Chris Hughes, a cyber innovation fellow at the US government\u2019s Cybersecurity and Infrastructure Security Agency (CISA). \u201cSome of the largest activities in 2024 included from Chinese APTs, such as Volt Typhoon and Salt Typhoon.\u201d<\/p>\n<p>No single TTP was the main player on its own. Instead, they worked together (often overlapping) like puzzle pieces, each playing a role in the bigger picture. 
One actor, for example, might deploy spear-phishing to gain entry, exploit zero days for privilege escalation, and use wiper malware to cover their tracks \u2014 all in the same campaign.<\/p>\n<p>While these actors operated full-blown strategies with many moving parts, here are a few key TTPs that defined nation-state cyber warfare in 2024.<\/p>\n<h2 class=\"wp-block-heading\">Backdooring critical systems for sneaky attacks<\/h2>\n<p>In a trademark move, nation-state attackers got extremely savvy, often slipping backdoors into critical systems to hang around and strike again later. Speaking specifically about the actors targeting the US, Hughes said, \u201cRather than being financially motivated, they were more focused on espionage and embedding themselves in US critical infrastructure for future attacks.\u201d<\/p>\n<p>While most nation-state actors use some form of persistence in compromised systems, these campaigns stood out as the top examples of such efforts in 2024.<\/p>\n<p><strong>Salty two-year streak<\/strong>: In the \u201cpursuit of sensitive information,\u201d Chinese APT group Salt Typhoon (aka Earth Estries, Ghost Emperor, Famous Sparrow, or UNC2286) was\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3541071\/chinese-hackers-allegedly-hacked-us-isps-for-cyber-espionage.html\" target=\"_blank\" rel=\"noopener\">revealed in September<\/a>\u00a0to have infiltrated multiple US telecommunications providers, including Verizon, Lumen Technologies, T-Mobile and AT&amp;T, and to have maintained persistence for at least two years by employing the modular GhostSpider backdoor, which provides a \u201cheartbeat\u201d command for periodic communication with its operators.\u00a0<\/p>\n<p><strong>A tickly Peach<\/strong>: Iranian hacker group Peach Sandstorm (also tracked as APT33) was found in August to have been active for over a decade, focusing on critical infrastructure sectors including the space industry. 
The group introduced a new multistage backdoor malware named \u201cTickler,\u201d allowing remote access and persistence within victim networks after initial compromise through password spraying or social engineering.\u00a0<\/p>\n<p>As mentioned earlier, it\u2019s important to note that the backdoors used for persistence were often part of larger setups that also included features for exfiltrating sensitive data.<\/p>\n<h2 class=\"wp-block-heading\">Lucky breaks through critical zero-days<\/h2>\n<p>Before they could plant any backdoor for persistence and future attacks, the cross-border offenders first needed to break into these systems. To do so, they relied on a range of methods, with zero-day exploits proving to be the most effective in 2024.<\/p>\n<p>\u201cCISA published their most exploited vulnerability list recently and of those, more than half were zero days at the time, showing an uptick in zero-day vulnerabilities, and impacting organizations before they even know they\u2019re vulnerable or are able to apply patches from vendors,\u201d Hughes added.<\/p>\n<p>A few leading zero-day abuses by nation-state actors in 2024 included:<\/p>\n<p><strong>Hole in the tankers<\/strong>: In recent months, the Iran-linked group APT34 (also known as OilRig and Earth Simnavaz)\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3562599\/iranian-hackers-use-windows-holes-to-attack-critical-gulf-and-emirates-systems.html\" target=\"_blank\" rel=\"noopener\">targeted the UAE and Gulf region<\/a>\u00a0by exploiting the CVE-2024-30088 Windows privilege escalation flaw (CVSS 7\/10). 
This allowed them to escalate privileges, deploy a backdoor, and exfiltrate sensitive data from compromised Microsoft Exchange servers, using the ngrok tool for lateral movement within networks.<\/p>\n<p><strong>Fortinet fiasco<\/strong>: Nation-state threat actors, likely including Volt Typhoon,\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3586092\/critical-fortinet-vulnerability-finds-zero-day-rce-exploits.html\" target=\"_blank\" rel=\"noopener\">actively exploited a critical vulnerability<\/a>\u00a0in FortiManager (CVE-2024-47575), which had a CVSS score of 9.8\/10. The \u201cmissing authentication for critical function\u201d flaw allowed attackers to execute arbitrary code via crafted requests. No malware or backdoors were found in the compromised systems. Fortinet had previously\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/1306816\/fortinet-urges-patching-n-day-bug-amid-ongoing-nation-state-exploitation.html\" target=\"_blank\" rel=\"noopener\">warned<\/a>\u00a0users to patch N-day flaws that were under known nation-state exploitation.<\/p>\n<p><strong>Chained Ivanti duo<\/strong>: In early 2024,\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/1290205\/chinese-hackers-exploit-ivanti-vpn-zero-days-for-rce-attacks.html\" target=\"_blank\" rel=\"noopener\">two zero-day vulnerabilities<\/a>\u00a0in Ivanti\u2019s VPN products, CVE-2023-46805 and CVE-2024-21887, were found to have been chained together by Chinese state-backed actors. Combined, the flaws allowed remote code execution, which let the attackers steal configurations, alter files, and establish reverse tunnels. The attackers targeted critical industries like healthcare and manufacturing, employing advanced techniques to move laterally within networks and access sensitive data.<\/p>\n<h2 class=\"wp-block-heading\">Phishing hooks still yielded<\/h2>\n<p>While nation-state actors loved zero days for swift break-ins, phishing remained a sly plan B. 
It let them craft sneaky schemes to worm into systems, proving that 2024 was the year of both bold strikes and artful cons.<\/p>\n<p>Russian nation-state actors leaned heavily on phishing in 2024, with other APTs, like Iranian and Pakistani groups, dabbling in the tactic as well. The following are some of the standout campaigns from 2024 where phishing was the go-to for initial access.<\/p>\n<p><strong>Blizzard of attacks<\/strong>: Russian hacking group\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3595076\/russian-hackers-target-us-officials-in-a-new-spear-phishing-campaign.html\" target=\"_blank\" rel=\"noopener\">Midnight Blizzard (APT29)<\/a>, linked to Russia\u2019s SVR, launched a spear-phishing campaign targeting U.S. officials, academics, and the defense and NGO sectors, Microsoft revealed. Since October 22, 2024, they\u2019ve sent RDP configuration files signed with Let\u2019s Encrypt certificates, attached to emails disguised as coming from Microsoft staff and referencing AWS and Zero Trust. Opening the file connected the victim\u2019s device to a hacker-controlled server, granting access to local resources and persistent control. CERT-UA and Amazon also flagged this global threat.<\/p>\n<p><strong>Rival Espionage<\/strong>: Pakistani threat actors, identified as UTA0137,\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/2149587\/india-faces-evolved-cyber-espionage-with-novel-discord-hack.html\" target=\"_blank\" rel=\"noopener\">launched a targeted phishing campaign<\/a>\u00a0against Indian government systems, using fake Defense Service Officer Provident Fund (DSOP) forms to deliver malware. The campaign targeted the custom Linux-based BOSS operating system, with the malware DISGOMOJI employing Discord emojis for stealthy communication. 
Once inside, the malware exfiltrated sensitive system data, scanned USB devices, and leveraged old, unpatched vulnerabilities like Dirty Pipe (CVE-2022-0847) for privilege escalation.<\/p>\n<p><strong>Iranian social engineering<\/strong>: Iranian state-sponsored group APT42, tied to the IRGC-IO, launched enhanced phishing campaigns in May, impersonating journalists and event organizers to target NGOs, academia, activists, and media. By luring victims to malicious links or decoy materials, the group harvested credentials from fake Microsoft, Google, or Yahoo login pages, bypassing MFA through cloned websites and push notifications. Alongside credential theft, they deployed custom backdoors like TAMECAT and NICECURL via phishing, enabling flexible access for further espionage within cloud environments.<\/p>\n<p>While credential harvesting through malware delivered via phishing was fairly common, nation-state actors rarely resorted to scavenging credentials from hack forums or drop sites as a primary tactic. When asked, Hughes noted, \u201cI\u2019m not familiar with this being the primary MO by the APTs, who instead are targeting devices, products and vendors with vulnerabilities and misconfigurations, but once inside, they do compromise credentials and use those to pivot, move laterally, persist in environments and more.\u201d<\/p>\n<p>They likely avoid doing this because credentials on forums and sites are often stale, already partially exposed, or already under scrutiny by security teams. Relying on them could undermine the sophistication and stealth of their operations.<\/p>\n<h2 class=\"wp-block-heading\">Malware\u2019s always a hit<\/h2>\n<p>While backdoors ensured long-term persistence for these actors, advanced malware delivered quick wins \u2014 enabling lateral movement and swift data extractions that left networks reeling. 
A few standout nation-state malware operations this year included the following.<\/p>\n<p><strong>Russian Payloads<\/strong>: APT29\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/2074864\/new-russian-cyberespionage-group-apt29-campaign-targets-politicians.html\" target=\"_blank\" rel=\"noopener\">used a range of advanced malware<\/a>\u00a0in its campaigns, including the ROOTSAW (or EnvyScout) malware dropper and a new variant named WINELOADER. ROOTSAW delivered obfuscated JavaScript to download encrypted payloads, while WINELOADER employed DLL sideloading for stealth and modular functionality. These tools demonstrated customization, departing from older loaders like\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/2518349\/apt-exploits-windows-zero-day-to-launch-zombie-ie-attack.html\" target=\"_blank\" rel=\"noopener\">DONUT<\/a>\u00a0and DAVESHELL, and introduced unique command-and-control mechanisms. Another Russian nation-state actor, Forest Blizzard (APT28), was seen deploying the new\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/2094456\/russian-state-sponsored-hacker-used-gooseegg-malware-to-steal-windows-credentials.html\" target=\"_blank\" rel=\"noopener\">GooseEgg<\/a>\u00a0malware for credential theft.<\/p>\n<p><strong>Chinese malware<\/strong>: Chinese actors like Volt Typhoon and Salt Typhoon used a mix of malware for cyberattacks. Volt Typhoon relied on the\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/1306501\/china-backed-volt-typhoon-preparing-wave-of-attacks.html\" target=\"_blank\" rel=\"noopener\">KV botnet<\/a>, which hijacks routers in small offices to launch DDoS attacks and steal data. On the other hand, Salt Typhoon used\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3621674\/salt-typhoon-poses-a-serious-supply-chain-risk-to-most-organizations.html\" target=\"_blank\" rel=\"noopener\">GhostSpider<\/a>, a stealthy malware that targets telecom networks to exfiltrate sensitive info like call records. 
Both groups focused on critical infrastructure, showing just how advanced their tactics have become.<\/p>\n<p>With malware evolving at lightning speed in 2024, CISA decided to let the public in on its Malware Next-Gen tool, letting anyone with a <a href=\"http:\/\/login.gov\/\" target=\"_blank\" rel=\"noopener\">login.gov<\/a> account submit and analyze suspicious files. Since November 2023, nearly 400 users have sent in over 1,600 files, helping spot around 200 malicious ones.<\/p>\n<p>CISA\u2019s Malware Next-Gen tool boosts AI-driven threat hunting and helps businesses defend against known and unknown attacks, she added.<\/p>\n<h2 class=\"wp-block-heading\">Living off the land<\/h2>\n<p>These actors weren\u2019t always about flashy, custom malware. Quite often, they used legitimate tools like PowerShell and RDP, rootkits, and other built-in system features to sneak in, stay undetected, and set up long-term access. This made their attacks stealthy, persistent, and ready for future moves.<\/p>\n<p><strong>Volt Typhoon<\/strong>: In a targeted espionage campaign,\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/1306816\/fortinet-urges-patching-n-day-bug-amid-ongoing-nation-state-exploitation.html\" target=\"_blank\" rel=\"noopener\">the China-backed threat actor used Living off the Land (LOTL) techniques<\/a>\u00a0to gain unauthorized access. By leveraging trusted system tools like SSL VPN, the actor was able to carry out remote code execution (RCE) attacks on critical infrastructure, evading detection and maintaining persistence.<\/p>\n<p><strong>Iranian use<\/strong>: Iranian cyber-espionage group APT34 (OilRig) has\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3562599\/iranian-hackers-use-windows-holes-to-attack-critical-gulf-and-emirates-systems.html\" target=\"_blank\" rel=\"noopener\">been using PowerShell<\/a>\u00a0to execute malicious code during recent attacks in the UAE and Gulf region. 
By exploiting a Windows privilege escalation flaw, they gained access, exfiltrated credentials, and used tools like ngrok for lateral movement within compromised networks. PowerShell enabled them to run commands and transfer files undetected.<\/p>\n<p>A <a href=\"https:\/\/www.csoonline.com\/article\/3627361\/a-new-ransomware-regime-is-now-targeting-critical-systems-with-weaker-networks.html\" target=\"_blank\" rel=\"noopener\">Dragos study<\/a> for Q3 2024 highlighted a surge in cyber activity, with threat actors exploiting VPN vulnerabilities and stolen credentials to infiltrate critical systems, primarily relying on living-off-the-land (LOTL) techniques for persistence and evasion.<\/p>\n<p>In addition to these techniques, 2024 saw the <a href=\"https:\/\/www.csoonline.com\/article\/1307613\/nation-state-threat-actors-using-llms-to-boost-cyber-operations.html\" target=\"_blank\" rel=\"noopener\">use of AI<\/a> to develop advanced penetration tools and <a href=\"https:\/\/www.csoonline.com\/article\/3621674\/salt-typhoon-poses-a-serious-supply-chain-risk-to-most-organizations.html\" target=\"_blank\" rel=\"noopener\">target supply chains<\/a> for lateral movement into critical systems. Adding to this, Hughes said, \u201cWe\u2019ve seen APTs and nation-states continue to target the supply chain, with a massive surge in malicious packages across the open source software (OSS) supply chain, and looking to compromise widely used projects and packages.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In 2024, nation-state cyber activity was off the charts, with Chinese, Russian, and Iranian actors leading the charge. Their campaigns weren\u2019t just relentless \u2014 they were innovative, using a crafty mix of Tactics, Techniques, and Procedures (TTPs) to gain footholds, stay hidden, and spy like pros. 
\u201cThere was definitely a continued and noted uptick in nation-state [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1346,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1345"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1345"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1346"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}