Proofpoint has discovered that small and medium-sized businesses (SMBs) around the world are increasingly being targeted by advanced persistent threat (APT) attackers.
In a new report released May 24, 2023, Proofpoint’s research team found that attackers aligned with Russia, Iran, and North Korea specifically targeted small businesses around the world in phishing attacks conducted in 2022 and 2023.
Researchers have identified three main trends that explain this phenomenon.
- State-aligned attackers compromise SMB infrastructure through phishing campaigns
- State-linked attackers target medium-sized financial institutions to steal funds
- State-aligned attackers launch supply chain attacks by attacking regional managed service providers (MSPs)
Proofpoint researchers observed more instances of SMB domain or email address spoofing and compromise throughout 2022 than in previous years. These incidents often involved attackers compromising SMB web servers and email accounts through credential harvesting and exploitation of unpatched vulnerabilities.
The major APT groups identified by Proofpoint using this technique include three groups of Russian origin. One, Vovan, also known as Lexus (TA499), in March 2022 targeted mid-market companies representing major US celebrity talent. Winter Vivern (TA473) conducted phishing campaigns targeting US and European government agencies from November 2022 to February 2023. Fancy Bear, aka APT28 (TA422), has joined an ongoing campaign targeting Ukrainian organizations.
According to Proofpoint’s findings, APT groups targeting SMBs for financial theft typically come from North Korea. For example, Proofpoint researchers observed that in December 2022, the North Korean-linked group TA444 infected IT systems at a medium-sized U.S. digital banking institution with CageyChameleon malware following a phishing attack.
Finally, Proofpoint researchers found that APT attackers are increasingly using MSPs as an attack vector to reach SMBs and other enterprises, an approach commonly referred to as a supply chain attack.
“Regional MSPs often protect hundreds of small businesses within their region, many of which maintain limited and often non-enterprise-grade cybersecurity defenses. Persons appear to have noticed a discrepancy between the level of protection provided and the potential opportunity to access the desired end-user environment,” says Proofpoint’s report.
One example of this trend comes from Muddywater (TA450), a group believed to have ties to the Iranian Ministry of Information and Security, which targeted two Israeli regional MSPs and two IT support firms through a phishing email campaign in mid-January 2023.
Proofpoint’s report results are derived from a retrospective analysis of more than 200,000 small businesses from Q1 2022 to Q1 2023.