Advanced persistent threat (APT) groups can sometimes spend a substantial amount of money mounting attacks on large, well-protected organizations. But for every dollar they spend, the payoff can be four times as much or more, a new study from Positive Technologies has found.
The security vendor analyzed the tools and tactics that 29 active APT groups are currently using in campaigns worldwide against organizations in multiple sectors, including finance, manufacturing, and government.
For the analysis, Positive Technologies looked at how much these groups have been spending, on average, to gain initial access to a target network and how much they are spending on developing the attack after they gain a foothold. The security vendor considered data both for financially motivated APT groups and separately for groups focused on cyberespionage and spying. The data was obtained from Positive Technologies’ monitoring of active threat groups and from Dark Web and publicly available sources.
The exercise shows that the starting price for a full set of tools for attacks on large financial enterprises could be as high as $55,000, while some cyber espionage campaigns can start at over $500,000. But when the attacks are successful. the payoffs can be enormous as well.
For instance “Silence,” a well-known, financially motivated cybercrime group, last year stole the equivalent of $930,000 from Russia’s PIR Bank. To pull off the caper, the group likely spent about $66,000 upfront on tools for creating malicious email attachments, stealing from the bank’s ATMs, spying on the bank’s employees, and on other legitimate penetration testing tools and homegrown malware, Positive Technologies estimates.
In addition, Silence likely forked out between 15% and 50% of the loot on money mules and other services that actually withdrew cash from PIR Bank’s ATMs — still leaving the threat actor with substantially more than it spent.
“The potential benefit from an attack far exceeds the cost of a starter kit, says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. For groups like Silence, the profit from one attack is typically more than quadruple the cost of the attack toolset, she says.
The ROI for some APT groups can be many magnitudes higher. Positive Technologies, for instance, estimated that APT38, a profit-driven threat group with suspected backing from the North Korean government, spends more than $500,000 for carrying out attacks on financial institutions but gets over $41 million in return on average. A lot of the money that APT38 spends is on tools similar to those used by groups engaged in cyber espionage campaigns.
Building an effective system of protection against APTs can be expensive, Galloway says. For most organizations that have experienced an APT attack, the cost of restoring infrastructure in many cases is the main item of expenditure. “It can be much more than direct financial damage from an attack,” she says.
Positive Technologies’ breakdown of attack costs shows that financially motivated APT groups typically spend a relatively low amount on gaining initial access. In nine out of 10 attacks, the threat actors use spear-phishing as a way to penetrate the company’s internal network.
From $100 to Over $1 Million
Tools for creating the malicious attachments — or exploit builders — used in these email campaigns can range from as little as $300 to $2,500 for a monthly subscription to services for creating documents with malicious content. In some cases, exploit builders can cost substantially more. Positive Technologies estimates that the Cobalt Group, a group associated with attacks on numerous financial institutes, in 2017 paid $10,000 for malware it used in phishing emails to exploit a remote code execution vulnerability in Microsoft Office.
Meanwhile, APT groups that are focused on spying and cyber espionage rarely buy their initial access tools from Dark Web marketplaces and instead tend to use custom exploit builders. Prices for these are impossible to estimate, but evidence shows such groups are willing to pay even $20,000 for these tools, Positive Technologies said. For zero-day vulnerabilities, some APT groups don’t flinch at paying as much as $1 million.
Once inside a network, APT groups — both the financially motivated ones and the cyberspies — tend to rely heavily on legitimate, publicly available tools and custom products rather than Dark Web tools. The most commonly used legitimate tools are penetration-testing platforms such as Cobalt Strike and Metasploit, Galloway says. Legal utilities for administration, such as Sysinternals Suite, and remote access tools, like TeamViewer, Radmin, and AmmyAdmin, are all popular as well.
While these tools can be obtained legally via public access, APT actors are often forced to shop for them in underground forums because of how some vendors vet their buyers before selling to them. Prices for these tools can range from as little as $100 for a modified version of TeamViewer to $15,000 for a modified version of Metasploit Pro with one year of technical support.
The cost for some specialized tools that APT groups use can be relatively steep. Tools for escalating OS privileges can easily cost $10,000, while those that take advantage of zero-day vulnerabilities in Adobe products, for instance, can fetch over $130,000. Positive Technologies estimates that cyber espionage group FinSpy has spent some $1.6 million on FinFisher, a framework that allows it to spy on users through webcam and microphone, capture email and chat messages, steal sensitve data, and employ a variety of anti-analysis techniques.
These tools can be hard to defend against, which is why many APT groups are willing to spend on them. “It is almost impossible to stop APT attacks at the stage of infrastructure penetration, and it is extremely difficult to do it at the stages of consolidation and distribution in the infrastructure,” Galloway says.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio