Kaspersky: Geopolitics is key driver of APT in Southeast Asia

In the first three months of 2019, Kaspersky Lab researchers observed an active landscape of advanced threat operations that was centered mainly on Southeast Asia, increasingly influenced by geopolitics, and which featured cryptocurrency and commercial spyware attacks as well as a major supply-chain campaign. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.

The quarterly APT trends summary is drawn from Kaspersky Lab’s private threat intelligence research, as well as from other sources, and highlights the main developments that researchers believe everyone should be aware of. The APT trends report for Q1 summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting.


In the first quarter of 2019, Kaspersky Lab researchers observed a number of interesting new developments. The defining APT campaign reported during the quarter was Operation ShadowHammer, an advanced, targeted campaign that used the supply chain to distribute on an incredibly wide scale, combined with carefully implemented techniques for the precise targeting of intended victims.

“Looking back at what has happened during a quarter is always a surprising experience,” said Vicente Diaz, principal security researcher, Global Research and Analysis Team, Kaspersky Lab. “Even when we have the feeling that ‘nothing groundbreaking’ has occurred, we uncover a threat landscape that is full of interesting stories and evolution on different fronts – including, in Q1, sophisticated supply chain attacks, attacks on cryptocurrency and geopolitical drivers. We know that our visibility is not complete, and there will be activity that we do not yet see or understand, so just because a region or sector doesn’t appear on our threat intelligence radar today doesn’t mean it won’t in the future. Protection against both known and unknown threats remains vital for everyone.”

The report also found geopolitics to be a key driver of APT activity, often with a clear correlation between political developments and targeted malicious activity.


Southeast Asia remained the most frenetically active region of the world in terms of APT activity, with more groups, more noise, and more sets of activity targeting the region than elsewhere.

Russian-speaking groups kept a low profile in comparison with recent years. This could be due to an element of internal restructuring, although there remained a steady drumbeat of activity and malware distribution by Sofacy and Turla.

Chinese-speaking actors continued to maintain a high level of activity, combining low and high sophistication depending on the campaign. For example, the group known to Kaspersky Lab as CactusPete, active since 2012, was observed in Q1 with new and updated tools, including new variants of downloaders and backdoors, as well as a VBScript zero-day appropriated from the DarkHotel group and repackaged for its own use.

Providers of “commercial” malware available to governments and other entities seem to be thriving; researchers observed a new variant of FinSpy in the wild, as well as a LuckyMouse operation deploying leaked HackingTeam tools.
