2.1 Description of ThreatThe main causes of these attacks is that the targeted attack groups want to influence public opinion, create distrust and influence political outcomes by stealing and leaking data. These attackers have economic and political motives as well. The reason why attackers move to espionage, subversion and sabotage is that zero-day vulnerabilities and customised malware has become less effective. If the attackers are successful, they will be able to sow discord and confusion to many countries.

2.2 Nature of ThreatAttackers have a wide range of tactics to use when attacking. One such tactic is called ‘Living off the land’. These attackers would use email as a platform to spread their malware which were in the form of Microsoft Word or Excel files, etc OR spread malicious links, which would contain links that when clicked, would automatically download these Word or Excel files.These method of sending these kind of email is usually called spear-phishing.

For the attacker to execute a successfully spear-phishing attack, the attacker will have to gather information from the target. This information is then used to personalize the email. To truly consider an email a spear-phishing email, firstly, it would need to appear to be from a trusted individual, usually from someone higher up or someone the target implicitly trust. Secondly, the information within the email must support its validity and lastly, the request within the email must seem logical (e.g. “Google” reminding you that you haven’t changed you password in a while).Now back to the attack.

The file that was attached to the email contains a macro (or something like a batch file) that would run a PowerShell script that would provide remote access and perform basic reconnaissance of the computer. If the computer is of interest, the macro will install a malware which would provide a backdoor to the target’s network.Once installed, the attacker can use a multitude of legal administrative and penetration testing tools to scout the target’s network to find computers containing sensitive information. Some of these tools used by attackers are: PsExec, a tool used for executing on other systems, Netscan, a multipurpose IPv4/IPv6 network scanner, Mimikats, a hacking tool used to extract credentials, etc.Once the scouting operation is complete, the attacker will install another malware through the backdoor on the chosen computers.

This malware will then trigger a disk-wiping payload at a set time on all chosen computers, boosting the impact of the attacks.These attacks mostly affect governments and businesses. The attackers attack the government to destabilise the political environment and to expose the possible wrong doings of the government. The reason why attackers attack business is due to their economic motives. These attackers can steal the data of the business and sell the data back for an exorbitant price to the business or they can auction off the data to rival companies.

Another reason why they attack businesses is to destabilise the economic environment.2.3 Mitigation of ThreatThese attacks mostly affect governments and businesses.

The attackers attack the government to destabilise the political environment and to expose the possible wrong doings of the government. The reason why attackers attack business is due to their economic motives. These attackers can steal the data of the business and sell the data back for an exorbitant price to the business or they can auction off the data to rival companies. Another reason why they attack businesses is to destabilise the economic environment.To minimize the threat, targets should have multiple, different defensive systems that complement each other. These systems can be regular updated firewalls, gateway antivirus, intrusion detection or protection systems, etc.

The targets should also deploy full protection stack as it provides complete protection from most angles.