While businesses focus on Business Email Compromise (BEC), ransomware, and commodity malware, a major cyber-threat is moving right under their radar: Advanced Persistent Threat (APT) actors.

A new report from cybersecurity researchers, Proofpoint argues multiple APT actors are specifically targeting SMBs, with goals ranging from cyber-espionage, to intellectual property (IP) theft, from disinformation campaigns, to outright destructive behavior. 

In some instances, APTs are also looking for money, especially when targeting blockchain firms and decentralized finance (DeFi) solutions.

Aligned interests

It’s also not uncommon for these APTs to have “aligned interests” with countries such as Russia, Iran, or North Korea, the researchers added. These groups are also quite formidable adversaries, the report claims. 

The researchers describe them as “skilled threat actors,” which are well-funded and with a clear goal in mind. Their modus operandi usually includes phishing. First, they would either impersonate, or take over, an SMB domain or email address, and then use it to send a malicious email to subsequent targets.  

If an APT compromised a web server hosting a domain, they’ll then use it to host, or deliver, malware to third-party targets. 

One such group is TA473, also known as Winter Vivern. This APT was observed targeting US and European government entities with phishing emails between November 2022 and February 2023. The group had used emails coming from either unpatched, or unsecure WordPress hosted domains, to target its victims. It also used unpatched Zimbra web mail servers to compromise government entity email accounts. 

When all is said and done, the APT phishing landscape is growing “increasingly complex”, the researchers are saying, adding that the threat actors are “avidly looking” to target vulnerable SMBs and regional MSPs.