How APTs target SMBs

Small and medium businesses (SMBs) are not exempt from being targeted by advanced persistent threat (APT) actors, according to Proofpoint researchers.

By analyzing a year’s worth of APT campaign data they collected from the 200,000+ SMBs that have their security solution deployed, they pinpointed three main trends of attacks targeting SMBs in the space of a year (Q1 2022 to Q1 2023).

SMBs are easy targets

ATP actors are highly skilled and often state-sponsored groups with distinct strategic goals. These goals range from espionage and intellectual property theft to destructive attacks, state-sponsored financial theft, and disinformation campaigns.

Unfortunately, SMBs often lack adequate cybersecurity measures, making them vulnerable to all kinds of cyber threats. APT actors exploit this weakness by targeting SMBs as a stepping stone towards achieving their larger goals (and compromising governments, military organizations, and corporations).

APT actors targeting SMBs

There are three notable trends in the types of attacks and tactics used by APT actors against SMBs:

1. Leveraging compromised SMB infrastructure in phishing and malware delivery campaigns

APTs gain access to an SMB’s web server/domain or an email account, often by exploiting unpatched vulnerabilities or by stealing login credential.

The email address is used to send out malicious emails to further targets, and the web server to host and deliver malware to unsuspecting victims.

2. State-aligned financial theft

SMBs’ finance departments are also targeted by ATP groups (usually North Korean) that aim to steal funds and/or cryptocurrency, to “sponsor” governmental operations.

These threat actors often employ phishing emails that look like they have been sent by legitimate companies to deliver malware and gain access to company bank accounts and cryptocurrency wallets.

3. Targeting regional MSPs to mount supply chain attacks

“Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses. APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end user environments,” the researchers pointed out.

By compromising regional MSPs within geographies that align with the strategic collection requirements of APT actors, threat actors can gain access to multiple SMBs to extract sensitive information or execute further attacks.