Trends in targeted attacks

What you need to know to prevent financial and reputational losses.

In just the first quarter of 2017 we released 33 private reports for subscribers of Kaspersky Intelligence Services. Surprised? Don’t be: For every big, splashy cyberattack that makes the news, you can be sure our experts have been tracking hundreds of threats and other factors behind the scenes. Much of the detective work Kaspersky Lab’s GReAT (Global Research and Analysis Team) experts do consists of scrupulous study of numerous factors, systematization of findings, and identification of anomalies.

In fact, at present, GReAT is tracking more than a hundred threat actors and sophisticated malicious operations in more than 80 countries. GReAT’s reports contain not only theoretical information about threats, but also detailed indicators of infection, as well as YARA rules, which help to investigate incidents and target malware.

Based on their research , we’ve identified certain trends in the world of targeted attacks in the first quarter of this year. Learning about them can help businesses avert financial and reputational losses.


  • Wiper malware, capable of destroying the data on victims’ computers, is a favored new tool. This kind of malware can grind business processes to a halt throughout a company. It also can sweep away traces of a threat actor’s presence on the network, further complicating expert analysis of the attack. Shamoon and StoneDrill, which we reported about in early March, are examples of wipers.
  • APT attacks, once used mainly for sabotage or cyberespionage, are now increasingly means to enrich attackers directly. In the case of Shamoon, for example, our researchers found a module that can work as cryptomalware. Other groups are already actively using encryptors in targeted attacks.
  • Financial focus. Experts identified the BlueNoroff group associated with Lazarus in attacks on Polish banks. (The well-known 2014 cyberattack on Sony was attributed to Lazarus as well.) However, the newly discovered attackers’ goals seem to be purely financial. They infested banks and placed exploits on the website of a Polish financial regulator. Our experts consider this group one of the most dangerous threats to banks at the moment.
  • Fileless malware. Increasingly used in APT attacks, fileless malware is difficult to detect as well as to investigate after an incident.

You can find Securelist’s complete report on APT attacks here.

What can you do?

Now that you’ve been forewarned about current trends, how can you forearmed as well? Common cybersecurity wisdom still applies. First, identify and eliminate vulnerabilities, which continue to be very popular means of infiltration. Install patches right away and use a security solution, such as Kaspersky Endpoint Security for Business, that finds vulnerabilities and manages patch installation.

Second, expand your defensive arsenal beyond endpoint security solutions. Ideally, use tools that can detect anomalies in all processes running on the corporate network — in particular, our Next Gen Kaspersky Anti Targeted Attack Platform. The solution is built on what we call HuMachine Intelligence, a fusion of threat intelligence, machine learning technologies, and human expertise.

Be proactive about looking for gaps in your defense system rather than waiting for threat actors to expose them. It is best to entrust this matter to experts who, through detailed infrastructure research and penetration tests, can not only detect vulnerabilities, but also make recommendations to fix them.

And, of course, stay informed. To effectively protect yourself against APT attacks, you need to understand current trends. The same experts who analyze the larger threat landscape can also help you with this task, providing you with reports that are not available to the general public. For more information on Kaspersky Lab’s subscriber-only threat intelligence reports, please contact: