PUNTA CANA–The term APT often is used as a generic descriptor for any group–typically presumed to be government-backed and heavily financed–that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups are going after is widening, as are the levels of talent and financing these groups possess.
One reason for this evolution is that the amount of money that’s required to get into the APT game is no longer prohibitive. Whereas once an aspiring APT crew might need hundreds of thousands or millions of dollars in backing, depending upon their target list and timeline, now smaller, more agile groups can get in on the action for a fraction of that cost.
“The cost of entry for APT is decreasing,” said Costin Raiu, head of the Global Research and Analysis Team at Kaspersky Lab, in a talk on the threat landscape at the company’s Industry Analyst Summit here Thursday. “We’re going to see more surgical strikes and critical infrastructure attacks.”
One example of this phenomenon is the Icefog group. Discovered last fall, the Icefog attackers targeted a variety of organizations and government agencies in Japan and South Korea and researchers believe the group comprised a small number of highly skilled operators who went after select targets very quickly. Raiu estimated that the Icefog campaign probably required an investment of no more than $10,000. By comparison, he said that the NetTraveler campaign likely cost about $500,000, while Stuxnet was in the range of $100 million.
“Icefog is special because it indicates a new trend of cyber mercenaries, maybe five to ten people that are highly skilled,” Raiu said. “They knew what documents they wanted to steal from each machine and they spent only a few minutes on each machine.”
The massive investment required to create, test and deploy the infamous Stuxnet malware, Raiu said, should not be seen as the ceiling for such APT tools.
“If you’re thinking that’s a lot of money, it’s not,” Raiu said. “It’s the cost of several missiles.”
Missiles, of course, can only be used once; APT tools can be deployed any number of times, and by a wide variety of attackers. It’s often the case that tools written by a high-level group will eventually trickle down through the ranks and be used by less-skilled attackers as time passes. That’s part of the democratization process in the attacker community and it’s only going to accelerate.