Small and medium-sized businesses (SMBs) are increasingly being targeted by advanced persistent threat (APT) actors globally, Proofpoint has found.
In a new report published on May 24, 2023, the Proofpoint research team saw that state-aligned threat actors from Russia, Iran and North Korea were specifically targeting SMBs across the world in phishing attacks conducted in 2022 and 2023.
The researchers have identified three main trends explaining the phenomenon:
- State-aligned actors compromise SMB infrastructure via phishing campaigns
- State-aligned actors target medium-sized financial organizations to steal money
- State-aligned actors attack regional managed service providers (MSPs) to initiate supply-chain attacks
Proofpoint researchers observed more instances of impersonation or compromise of an SMB domain or email address over the course of 2022 than previously. These occurrences often involved a threat actor successfully compromising an SMB web server or email account through credential harvesting or unpatched vulnerability exploitation.
Some major APT groups identified by Proofpoint using this technique include three Russian-aligned groups: Vovan, also known as Lexus (TA499), which targeted a medium-sized business that represents major celebrity talent in the US in March 2022; Winter Vivern (TA473), which conducted phishing campaigns targeting US and European government entities from November 2022 through February 2023; and Fancy Bear, or APT28 (TA422), in an ongoing campaign targeting Ukrainian entities.
According to Proofpoint’s findings, APT groups targeting SMBs for financial theft typically come from North Korea. For example, Proofpoint researchers observed that, in December 2022, the North Korea-aligned TA444 group infected the IT systems of a medium-sized digital banking institution in the US with the CageyChameleon malware following a phishing attack.
Finally, Proofpoint researchers found that APT threat actors were increasingly using MSPs as an attack vector to reach SMBs and other companies, in what are commonly called supply-chain attacks.
“Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses. APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end-user environments,” Proofpoint’s report noted.
One instance of this trend comes from MuddyWater (TA450), allegedly linked to Iran’s Ministry of Intelligence and Security, which attacked two Israeli regional MSPs and IT support businesses via a phishing email campaign in mid-January 2023.
Findings from Proofpoint’s report came from a retroactive analysis of over 200,000 SMBs from Q1 2022 through Q1 2023.