The Crystal Ball of Facts: 2015 APT predictions

Kaspersky Lab experts shared their predictions on the evolution of APT. While these predictions may not come true, they are based on facts and trends already observed.

2014 is wrapping up with a bang – the Sony Pictures megahack, to be exact. However, this post isn’t about looking back, but rather about looking forward and making some educated predictions based on the events of 2014. Kaspersky Lab has revealed its new study, “A Look into the APT Crystal Ball”. It doesn’t involve witchcraft, tarot cards, or summoned spirits: all predictions are based purely on the facts and trends observed this year.

What does the future (possibly) hold regarding APTs?

Our Global Research and Analysis Team (GReAT) experts expect a merger between cyber-crime and APT to take place. This means cybercriminals will target end users less and larger entities more. This is a troubling development for businesses, especially those (like banks) handling a lot of money transfers.

“In a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks’ networks, they collected enough information to enable them to steal money directly from the bank in several ways: 

  • Remotely commanding ATMs to dispense cash.
  • Performing SWIFT transfers from various customer accounts.
  • Manipulating online banking systems to perform transfers in the background.”

Of course, criminals prefer to keep it as simple as possible, and while it isn’t easy to penetrate banks’ cyber defenses, it’s definitely much more profitable than picking “crumbs” from the end-users.

GReAT also expects fragmentation of the larger APT groups into smaller, more elusive ones. This, in turn, may lead to diversification of the attacks, as well as a “more widespread attack base.” Simply put, this means more companies will be hit, including those compromised before.

More emphasis will be placed on evasion techniques

APT criminals are well aware that they are being sought after and some even get discovered from time to time, which is bad for their business. APT stands for “advanced persistent threat”, and “persistent” doesn’t mean “one-off.” Criminals want to stay stealthy and keep a foothold within their target’s infrastructure for as long as possible while inflicting more harm.

New sources of attacks are also expected.

The Darkhotel APT we wrote about earlier was targeting high-profile individuals, such as corporate CEOs and government officials, via free WiFi networks in a number of hotels. While unexpected, it’s hard to imagine a better position from which to launch targeted attacks. However, criminals are quite resourceful these days, so there’s no telling where their strikes may originate in the future. And even if there were, we’re not going to suggest ideas to criminals.

Data exfiltration is also a point of special interest for criminals who want to stay hidden over a prolonged period of time.

APT groups are expected to adopt cloud services in order to make exfiltration stealthier and harder to notice.

Gone are the days when attackers would use a plain backdoor to siphon terabytes of information to FTP servers worldwide: actions like this are certain to be intercepted and halted. Today, more sophisticated groups regularly use SSL and custom communications protocols.

According to Securelist, “Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers). These have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS denylists.”
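The Securelist observation above is that exfiltration to legitimate cloud hosts slips past DNS denylists, so a defender has to key on what the traffic does rather than where it goes. As an added example (not code from Kaspersky Lab or Securelist), the check below runs over a few constructed proxy-log lines and flags WebDAV write activity to servers outside a sanctioned list, aggregating upload volume per source and host; the log format, the sanctioned host list and the 50 MiB threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (assumed format: timestamp src_ip method url status bytes_sent).
# Illustrative only, not real telemetry.
SAMPLE_LOG = """\
2014-12-10T09:00:01 10.0.0.5 GET https://intranet.example.local/index.html 200 512
2014-12-10T09:01:10 10.0.0.5 PROPFIND https://dav.cloudstore.example/remote.php/dav/ 207 180
2014-12-10T09:01:12 10.0.0.5 MKCOL https://dav.cloudstore.example/remote.php/dav/q3/ 201 0
2014-12-10T09:01:15 10.0.0.5 PUT https://dav.cloudstore.example/remote.php/dav/q3/part1.bin 201 52428800
2014-12-10T09:02:40 10.0.0.5 PUT https://dav.cloudstore.example/remote.php/dav/q3/part2.bin 201 52428800
2014-12-10T09:03:00 10.0.0.9 PUT https://dav.corp-files.example.local/docs/report.docx 201 20480
2014-12-10T09:04:00 10.0.0.7 GET https://www.example.com/news 200 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# WebDAV methods that create, modify or enumerate remote collections.
WEBDAV_METHODS = {"PUT", "PROPFIND", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Assumed: the only WebDAV servers the organisation sanctions.
SANCTIONED_DAV_HOSTS = {"dav.corp-files.example.local"}
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB per (source, host) pair

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, nbytes = m.groups()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return {"ts": ts, "src": src, "method": method, "host": host, "bytes": int(nbytes)}

def find_webdav_exfil(log_text):
    """Return (alerts, contacts): alerts maps (src, host) to bytes PUT to an unsanctioned
    WebDAV host above the threshold; contacts is every (src, host) that used any WebDAV
    method against an unsanctioned host, which is worth a look even at low volume."""
    uploaded = defaultdict(int)
    contacts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WEBDAV_METHODS:
            continue
        if rec["host"] in SANCTIONED_DAV_HOSTS:
            continue
        key = (rec["src"], rec["host"])
        contacts.add(key)
        if rec["method"] == "PUT":
            uploaded[key] += rec["bytes"]
    alerts = {k: v for k, v in uploaded.items() if v >= UPLOAD_THRESHOLD_BYTES}
    return alerts, contacts
```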

APT criminals will most likely take a more active approach to throwing security researchers off their scent.

Whether the attacks come from private attackers or from “cyber-armies” backed by nation states, they would prefer to keep their origins concealed. And just as cybercriminals use spoofed IP addresses to cover their activities, they will try to “plant evidence” of their origin, so that fingers point in the wrong direction.

This theory is substantiated by real evidence: in 2014 we observed several “false flag” operations in which attackers delivered “inactive” malware commonly used by other APT groups.

The recent hack of Sony Pictures raises tough questions about the origin of that attack. North Korea was the initial suspect; however, as more information arrived, this became less and less certain. It is possible someone simply tried to make everyone think North Koreans were at fault.

GReAT experts suggest that in 2015, APT groups will carefully adjust their operations and throw false flags into the game.

Preparedness is still key

The origin of an attack is not as important as being ready for the attack. However, it’s probably more appealing for an APT victim to claim they’ve been hit by some dreaded nation’s cyber army than by a bunch of miscreants who probably didn’t even write the software they used – especially in cases where it is actually the victim’s own cybersecurity shortcomings that made the APT attack possible.

In 2015 we will probably hear a lot about new techniques cybercriminals are using, taking their stealth, persistence, and efficiency of data exfiltration to the next level. Some new techniques have already been observed this year, and Kaspersky Lab used this data to develop and deploy several new defense mechanisms for our users.

  • To read about these and more new trends in the APT world, please visit the Securelist blog.
  • To watch Kaspersky Lab’s video “Game of cyber-thrones: attacks on the corporate sector and business executives in 2014”, please click here.
  • To read more about key events that have defined the threat landscape in 2014, please read the full report on the Securelist website.

As an added bonus, Kaspersky Lab is launching an interactive project, the ‘Targeted Cyberattack Logbook’, today. This chronicles all the complex cyber-campaigns, or APTs (advanced persistent threats), that have been investigated by the company’s world-leading Global Research and Analysis Team. To explore the logbook, please visit .