The threat actor APT31 (AKA Judgment Panda and Zirconium) has been linked to recent industrial attacks in eastern Europe, according to the latest findings from Kaspersky Threat Intelligence.
The cybersecurity company published the third installment of their investigation earlier today. Building upon their previous findings, Kaspersky’s latest research spotlights previously undiscovered aspects of APT31’s strategies.
The report highlights the threat actor’s meticulous approach to crafting dedicated implants designed for data collection and exfiltration from targeted networks and, in particular, from air-gapped systems.
Notably, the threat actor misused popular cloud-based services like Dropbox and Yandex Disk to exfiltrate stolen data. These platforms were leveraged as part of a calculated strategy to evade detection and amplify the impact of data breaches.
What also sets APT31’s activities apart is the calculated use of encrypted payloads, memory injections and DLL hijacking to mask their actions.
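The abuse of Dropbox and Yandex Disk described above is a detection opportunity: industrial hosts rarely have a legitimate reason to push large volumes to consumer file-sharing services. The following is an added example of that detection logic, not code from Kaspersky's report. The proxy log format, the sample lines and the domain watchlist are all constructed for illustration; a real deployment would take the domain list from the proxy's own category feed and the threshold from a per-segment baseline.

```python
"""Detection sketch: unusual upload volume to consumer cloud-storage services.

Added example, not Kaspersky's code. The log lines and domain list are
constructed for illustration; the format mimics a generic forward-proxy log.
"""
import re
from collections import defaultdict

# Assumed watchlist of file-sharing domains that OT/industrial hosts have no
# business contacting; build the real list from your proxy's category feed.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com",
    "dropboxapi.com",
    "disk.yandex.ru",
    "disk.yandex.com",
    "cloud-api.yandex.net",
}

# Only requests that carry a body count as uploads.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed log format: <timestamp> <src_ip> <method> <host> <bytes_sent> <bytes_received>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[\w.-]+)\s+(?P<sent>\d+)\s+(?P<recv>\d+)$"
)

# Constructed sample traffic: 10.20.5.17 pushes 25 MiB to Dropbox in three minutes.
SAMPLE_LOGS = """\
2023-08-01T09:00:01Z 10.20.5.17 GET www.example.com 512 20480
2023-08-01T09:01:15Z 10.20.5.17 POST content.dropboxapi.com 9437184 1024
2023-08-01T09:01:40Z 10.20.5.17 POST content.dropboxapi.com 9437184 1024
2023-08-01T09:02:02Z 10.20.5.17 POST content.dropboxapi.com 7340032 1024
2023-08-01T09:03:10Z 10.20.5.42 GET disk.yandex.ru 300 65536
2023-08-01T09:04:30Z 10.20.5.42 PUT cloud-api.yandex.net 2097152 512
2023-08-01T09:05:00Z 10.20.7.9 GET www.example.com 400 8192
"""


def is_cloud_storage_host(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def summarize_uploads(log_text: str) -> dict:
    """Per source IP: bytes uploaded to cloud-storage hosts, request count, hosts seen."""
    summary = defaultdict(lambda: {"bytes": 0, "requests": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in UPLOAD_METHODS:
            continue  # skip unparseable lines and non-upload requests
        if not is_cloud_storage_host(m["host"]):
            continue
        entry = summary[m["src"]]
        entry["bytes"] += int(m["sent"])
        entry["requests"] += 1
        entry["hosts"].add(m["host"].lower())
    return dict(summary)


def flag_exfil_candidates(log_text: str, threshold_bytes: int = 5 * 1024 * 1024) -> list:
    """Sources whose cloud-storage uploads meet the threshold, largest first."""
    summary = summarize_uploads(log_text)
    hits = [
        (src, s["bytes"], sorted(s["hosts"]))
        for src, s in summary.items()
        if s["bytes"] >= threshold_bytes
    ]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, total, hosts in flag_exfil_candidates(SAMPLE_LOGS):
        print(f"{src}: {total / 1024 / 1024:.1f} MiB uploaded to {', '.join(hosts)}")
```

The byte threshold is deliberately per source rather than per request: the implants described in the report chunk data across many small requests, so a per-request size rule would miss them while a rolling per-host total does not.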
Kaspersky’s investigation revealed more than 15 unique implant variants, classified into three distinct categories based on their functions.
While these categories are not new, Kaspersky’s research uncovered a deeper level of intricacy in APT31's methodology. The dedicated implant for local file gathering, for instance, exhibited a clever use of DLL hijacking to maintain persistence by injecting payloads into legitimate processes.
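DLL hijacking for persistence, as described for the file-gathering implant, leaves a characteristic trace in endpoint telemetry: a library with a system DLL's name being loaded from a directory where that DLL does not belong, or an unsigned library loaded from a user-writable path. The following is an added example of two such heuristics, not code from Kaspersky's report. The event records are constructed to resemble the fields of Sysmon Event ID 7 (ImageLoad), and the set of system DLL names is a small stand-in for an inventory you would generate from a clean reference host.

```python
"""Detection sketch: DLL search-order hijacking via image-load telemetry.

Added example, not Kaspersky's code. Events are constructed to resemble
Sysmon Event ID 7 (ImageLoad) fields; the system-DLL name set is a tiny
stand-in for an inventory enumerated from a gold image.
"""
import ntpath
from dataclasses import dataclass

# Normalised, lower-case directories (no trailing separator) where Windows'
# own libraries live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Locations a standard user can write to; a library loaded from here has no
# integrity guarantee from the OS install.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Assumed baseline: DLL names that legitimately exist only in the system
# directories. In production, enumerate System32/SysWOW64 on a clean host.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dbghelp.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process: str            # Sysmon "Image": the executable doing the loading
    dll: str                # Sysmon "ImageLoaded": the module that was loaded
    signed: bool            # Sysmon "Signed" reduced to a boolean
    signature_valid: bool = True  # Sysmon "SignatureStatus" == Valid


@dataclass(frozen=True)
class Finding:
    dll: str
    process: str
    reason: str


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path (works on any host OS via ntpath)."""
    return ntpath.normpath(path).lower()


def _in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_image_load(ev: ImageLoad) -> list:
    """Apply both hijacking heuristics to one image-load event."""
    findings = []
    dll = _norm(ev.dll)
    name = ntpath.basename(dll)
    # Rule A: a library carrying a system DLL's name, loaded from outside the
    # system directories (the classic search-order hijack footprint).
    if name in SYSTEM_DLL_NAMES and not _in_system_dir(dll):
        findings.append(Finding(ev.dll, ev.process, "system_dll_name_outside_system_dir"))
    # Rule B: an unsigned or badly signed library loaded from a user-writable path.
    if (not ev.signed or not ev.signature_valid) and dll.startswith(USER_WRITABLE_PREFIXES):
        findings.append(Finding(ev.dll, ev.process, "unsigned_dll_from_user_writable_dir"))
    return findings


def scan(events) -> list:
    """Run the checks over a sequence of events and collect every finding."""
    return [f for ev in events for f in check_image_load(ev)]


# Constructed sample events: one benign system load, one planted version.dll
# beside a vendor application, one unsigned helper in a temp directory, and
# one legitimately signed vendor library.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\version.dll", False),
    ImageLoad(r"C:\Users\op\AppData\Local\Temp\update.exe",
              r"C:\Users\op\AppData\Local\Temp\helper.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorlib.dll", True),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.process} loaded {f.dll}")
```

Rule A on its own produces false positives for applications that legitimately ship private copies of a system library, so in practice it is paired with a signature check or an allowlist keyed on the loading process; Rule B is the more general of the two and is what catches the "drop a payload next to a legitimate executable" pattern the report describes.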
“Our comprehensive analysis underscores the adaptability of threat actors in their pursuit of sensitive data,” commented Kirill Kruglov, senior security researcher at Kaspersky ICS CERT.
“By unraveling the mechanics of these advanced implants, we provide the cybersecurity community with crucial knowledge to fortify defenses against increasingly sophisticated attacks.”
To defend against these threats, Kaspersky recommends regular security assessments of OT systems, continuous vulnerability assessment, and prompt updates for OT network components.
The company also recommended using integrated attack detection solutions and enhancing incident response skills through dedicated training for IT security teams and OT personnel.