Cybercriminals are following the latest cybersecurity news as much as, if not more than, their victims, according to recent reports.
Threat Vector researchers have noted several instances of threat actors adapting to publications exposing their methods and changing tactics as they are reported on.
Earlier this year, the threat actors behind the Promethium (a.k.a. StrongPity) malware made several changes after researchers at several organizations exposed aspects of both their malware toolset and the methods the group used to deploy it, according to an Oct. 24 blog post.
Two months after it was reported, researchers spotted the Promethium/StrongPity activity using new infrastructure that included new domains registered two weeks after a Citizen Lab report exposed the malware.
As new information was published, the threat actors continued to modify the malware with minimal effort and code changes to stay out of the limelight; the modifications included new domains, new IP addresses, filename changes, and small code obfuscation changes.
Researchers noted that the groups behind the Promethium/StrongPity malware will likely continue to adapt to security publications that expose them.
“It’s clear they have significant resources at their disposal and will continue to evolve as necessary,” researchers said in the post. “Only minor adjustments are needed to be effective as the information security world constantly shifts its focus to the next big news item.”
In order to combat these threats, researchers said defenders should think historically and examine the “living memory” of threat actor behavior and their campaigns as it relates to the target organization and that of the greater intelligence community.
This would allow potential targets to remain attentive to potential threats by learning from the past tactics of older threat groups that may not have moved on from their initial targets.