According to the latest threat report 26% of all detected threat activity was directed towards government systems. Business service providers followed closely at 16%, wholesalers’ networks at 14%, and 12% on utilities’ systems. With most threat activity peaking on Mondays and Fridays.
“Despite not experiencing a significant surge in detections since the first quarter, we have noticed a worrisome trend of specialised, well-equipped and highly skilled threat actors,” reveals Carlo Bolzonello, country lead at Trellix South Africa. “What's even more alarming is their interconnection with extensive networks and potential state support, indicating a coordinated and sophisticated approach to their malicious activities.”
Trellix’s data further revealed that the Lazarus Group and Daggerfly Advanced Persistent Threats (APT) Group were among the most notable threat actors that have recently ramped up targeted efforts to infiltrate critical South African systems.
The Lazarus Group, historically associated with a North Korean state-sponsored APT syndicate, initially operated as a criminal group, with its earliest known attacks reported between 2009 and 2012. It has since been linked to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Lazarus deploys tools and capabilities used by broader HIDDEN COBRA operations (cyber activity by the Korean Government), which include:
- DDoS botnets: for denial-of-service attacks,
- keyloggers: to record what users’ input,
- remote access tools (RATs): allowing anonymous unauthorised users access, and
- wiper malware: to erase data from the system.
Lazarus is notorious for executing spear-phishing campaigns aimed at accessing and stealing account credentials and financial data, as well as employing "living off the land" techniques, using fileless malware and legitimate system tools.
On the other hand, the Daggerfly APT, suspected to have affiliations with China, has been exhibiting heightened activity in Africa, with a particular emphasis on targeting telecommunications organisations. This threat actor's primary objective is information gathering leveraging the following methods:
- PlugX loaders, which abuse any desktop remote software, and
- Living off the land tooling (like PowerShell, BITSAdmin and GetCredManCreds), which is heavily used for long-term campaigns that can go undetected for extended periods.
“What makes some of the tools used by threat actors so destructive is their trail obfuscation capabilities,” Bolzonello says. “They employ various techniques, such as hiding backdoors and manipulating time stamps, skilfully giving the impression that their malicious artifacts date back as far as ten years ago. This renders the analysis process exceedingly challenging for investigating teams.”
“What is even more concerning is that these adversaries are highly proficient in evasion tactics, leaving organisations believing they have eliminated the threats, when in reality, they may still lie concealed,” he adds. Trellix’s extended detection and response (XDR) platform provides operators robust support to detect and mitigate even the most sophisticated attacks.
Built on the native and open Trellix system architecture, XDR allows operators to seamlessly integrate with third-party data sources. The platform features the capability to analyse data from over 650 security tools, and through the Trellix Advance Research Centre, XDR provides actionable insights for a highly responsive and effective security strategy.