Positive Technologies on cybercriminal attacks on the public, telecom, and defense sectors in Southeast Asia

Positive Technologies, the leader in result-driven cybersecurity, has published a comprehensive study of APT groups [1] active in ASEAN countries [2]. Most attacks in the region occur in the Philippines and Vietnam. The three most targeted sectors in the region are government institutions, telecommunications companies, and the defense industry.

According to the study, the five ASEAN member states targeted by the largest share of the APT groups examined are the Philippines (85%), Vietnam (85%), Thailand (70%), Malaysia (70%), and Indonesia (60%) [3].

"Southeast Asia is a crucial region both in terms of geopolitics and the global economy. We have analyzed the activity of 20 APT groups that targeted Southeast Asia from January 2020 to April 2024. All of them targeted government organizations in the region. Telecommunications companies were also under threat, with 60% of the APT groups targeting them. Every second APT group targeted the defense industry. In addition, over a third of the cybercriminal groups targeted such sectors as science and education (45%), industry (40%), and finance (35%)," observed Yana Avezova, Senior Information Security Analyst at Positive Technologies.

The widespread deployment of 5G technology in the region also puts telecommunications in the crosshairs of cybercriminals. Because the adoption of new technology in Southeast Asia is outpacing the ability of defenders to adapt, the rapid rollout of 5G networks could lead to an increase in cyberattacks on this sector.

According to Positive Technologies analysts, three-quarters of the APT groups covered in the study start their attacks by sending phishing emails, and half of them exploit vulnerabilities in publicly accessible systems such as Microsoft Exchange servers. Phishing campaigns are often timed to coincide with significant regional events, including ASEAN summits. Some APT groups (30%) use watering hole attacks for initial access, injecting scripts into legitimate websites that covertly download malware onto visitors' computers.

Once inside the network, the attackers begin to explore the environment. According to Positive Technologies, the majority (80%) of the APT groups try to enumerate as many user accounts on the compromised hosts as possible; this information can be used to elevate privileges or move deeper into the infrastructure. The study shows that 70% of the groups gather network configuration data and browse files and directories in search of valuable information, and 60% inspect the processes running on a host to learn which security tools are installed.

The APT groups employ a multitude of tools, including unique custom tooling of their own. On top of this, every group also makes use of legitimate tools already present on the compromised system, which lets them pass their activity off as routine IT administration and evade detection. Most of the groups (70%) rely on the extensive capabilities of Cobalt Strike, which was originally designed as a commercial penetration testing tool. For instance, Earth Longzhi, a subgroup of APT41, used customized Cobalt Strike loaders with sophisticated evasion mechanisms in attacks on organizations in the Philippines, Thailand, Malaysia, and Indonesia. Combined with other techniques, this allowed the attackers to remain undetected in victims' infrastructure from September 2021 to June 2022.
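The discovery activity described above (account enumeration, network configuration, file browsing, process listing), carried out with tools already on the host, is exactly what a detection engineer can key on. What follows is an added example, not code from the Positive Technologies study: a small Python detector that tags Windows process-creation events with the four discovery categories the study names and alerts only when one host covers several of them inside a short window, because any one of these commands on its own is everyday admin noise. The event fields, host and user names, timestamps, and keyword lists are all constructed for illustration.

```python
"""Flag discovery bursts in Windows process-creation events.

Constructed example: the events below are made up to resemble Sysmon EID 1 /
Security 4688 data. Field names, hostnames, users and keyword lists are my
assumptions for the demo, not data from the Positive Technologies study.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Discovery behaviours the study names, keyed to the living-off-the-land
# commands that usually implement them. Matched as whole words, case-insensitive.
DISCOVERY_CATEGORIES = {
    "account_discovery": ["whoami", "net user", "net group", "net localgroup", "quser", "query user"],
    "network_config":    ["ipconfig", "netstat", "arp", "route print", "nltest", "net view", "systeminfo"],
    "file_directory":    ["dir /s", "dir /a", "tree", "findstr"],
    "process_security":  ["tasklist", "get-process", "wmic process", "sc query", "get-service", "wmic service"],
}

_PATTERNS = {
    cat: re.compile(r"\b(?:" + "|".join(re.escape(k) for k in kws) + r")\b", re.IGNORECASE)
    for cat, kws in DISCOVERY_CATEGORIES.items()
}


@dataclass
class ProcEvent:
    ts: datetime      # process creation time
    host: str         # computer name
    user: str         # account that launched the process
    cmdline: str      # full command line


def classify(cmdline):
    """Return the set of discovery categories a command line matches (empty if none)."""
    return {cat for cat, pat in _PATTERNS.items() if pat.search(cmdline)}


def find_discovery_bursts(events, window=timedelta(minutes=10), min_categories=3):
    """Return {host: alert} for hosts whose discovery commands span at least
    `min_categories` distinct categories within any `window`-long interval.

    A lone ipconfig or tasklist is routine; breadth of reconnaissance in a short
    interval is the signal. One alert per host, on the first window that trips.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cats = classify(ev.cmdline)
        if cats:
            by_host[ev.host].append((ev, cats))

    alerts = {}
    for host, tagged in by_host.items():
        for i, (start, _) in enumerate(tagged):
            seen, users = set(), set()
            for ev, cats in tagged[i:]:          # events are time-ordered
                if ev.ts - start.ts > window:
                    break
                seen |= cats
                users.add(ev.user)
            if len(seen) >= min_categories:
                alerts[host] = {"start": start.ts, "categories": sorted(seen), "users": sorted(users)}
                break
    return alerts


# Constructed sample telemetry. WS-PH-017 shows a post-compromise recon burst;
# WS-HQ-002 shows the same commands spread over hours of normal admin work.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2024, 3, 5, 9, 14, 2),  "WS-PH-017", "ph\\jdelacruz", "whoami /all"),
    ProcEvent(datetime(2024, 3, 5, 9, 14, 30), "WS-PH-017", "ph\\jdelacruz", "net user /domain"),
    ProcEvent(datetime(2024, 3, 5, 9, 15, 1),  "WS-PH-017", "ph\\jdelacruz", "ipconfig /all"),
    ProcEvent(datetime(2024, 3, 5, 9, 15, 40), "WS-PH-017", "ph\\jdelacruz", "tasklist /v"),
    ProcEvent(datetime(2024, 3, 5, 9, 16, 10), "WS-PH-017", "ph\\jdelacruz", r"cmd.exe /c dir /s C:\Users\*.docx"),
    ProcEvent(datetime(2024, 3, 5, 9, 16, 12), "WS-PH-017", "ph\\jdelacruz", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcEvent(datetime(2024, 3, 5, 10, 0, 0),  "WS-HQ-002", "ph\\itops",     "ipconfig /release"),
    ProcEvent(datetime(2024, 3, 5, 11, 30, 0), "WS-HQ-002", "ph\\itops",     "tasklist"),
    ProcEvent(datetime(2024, 3, 5, 14, 5, 0),  "WS-HQ-002", "ph\\itops",     "net user svc_backup"),
]


if __name__ == "__main__":
    for host, alert in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {alert['categories']} by {alert['users']} starting {alert['start']:%H:%M:%S}")
```

The keyword lists cover the cmd.exe and PowerShell forms an intruder typically types; reconnaissance done through WMI queries, .NET API calls, or a Cobalt Strike beacon's built-in commands produces no such process-creation event, so this rule is one layer rather than a complete detection. The window length and category threshold are tuning knobs: widen them for servers where admins rarely log in, tighten them on user workstations where nobody should be running net user at all.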

To counter APT attacks and build an effective defense system, Positive Technologies recommends that organizations focus on maintaining the fundamentals of the result-driven cybersecurity approach:

  • An IT asset inventory
  • Incident monitoring and response
  • Cybersecurity awareness and training
  • Security assessments

Discover the full range of tactics and techniques used by APT groups operating in Southeast Asia in the study available on the Positive Technologies website.

  1. An APT group is a cybercrime group that conducts multi-stage, carefully planned attacks targeting a specific industry or multiple industries.
  2. The study only covers APT attacks in the member states of the Association of Southeast Asian Nations (ASEAN), which includes Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Vietnam.
  3. These are the percentages of the total number of APT groups examined in the study.