Regional SMEs and MSPs are increasingly being targeted by government hacking groups


Cybercriminals are increasingly targeting small and medium-sized enterprises (SMEs). These are the results of the latest analysis by Proofpoint experts. Accordingly, hacker groups are increasingly targeting SMEs for financial gain and often exploit their infrastructure as the weakest link in the supply chain. Proofpoint expects a further increase in attacks against SMBs worldwide in 2023.

“Small and medium-sized businesses are increasingly appearing in Proofpoint’s data as targets of government-sponsored cyberattacks,” comments Proofpoint expert Michael Raggi. “Cybercriminals have found it worthwhile to target small companies because they can steal valuable information from there and SMEs are often the weakest link in the supply chain. Proofpoint expects to see a further increase in attacks targeting small and medium-sized businesses in 2023.”


Proofpoint researchers conducted a retrospective analysis of small and medium-sized businesses (SMEs) targeted by advanced persistent threat (APT) actors between Q1 2022 and Q1 2023. Using Proofpoint Essentials telemetry covering more than 200,000 small and medium-sized businesses, researchers were able to identify key trends in the APT landscape that pose a unique threat to SMBs. The researchers identified several APT actors targeting SMBs, including hacker groups with ties to government agencies in Russia, Iran and North Korea.

Understanding the threat environment

Most organizations trying to secure their networks focus on protecting against business email compromise (BEC), ransomware, and the off-the-shelf malware families used in millions of emails every day. However, APT actors and their targeted campaigns are deceptive. These sophisticated cybercriminals are well-funded, highly professional organizations pursuing a specific strategic mission that includes espionage, intellectual property theft, malicious attacks, government-sponsored financial theft, and disinformation campaigns. Some well-known cybercriminal groups specifically target SMEs, which often lack adequate protection against cyber security threats such as phishing campaigns.

APT trends affecting SMEs

Proofpoint researchers analyzed a year’s worth of data from APT campaigns and identified groups from Russia, Iran and North Korea running phishing campaigns against SMBs. These campaigns show three key trends in attack types and tactics:

  • APT actors use compromised SME infrastructure for phishing campaigns.
  • APT actors conduct targeted, state-directed and financially motivated attacks on SME financial services.
  • APT actors targeting SMBs launch supply chain attacks.

SME infrastructure is being misused

Security experts have seen an increasing number of cases over the past year in which an SMB domain or email address was stolen or compromised. These incidents often involved criminal actors successfully compromising an SMB's web server or email accounts. Such a compromise can be achieved by stealing credentials or, in the case of a web server, by exploiting an unpatched vulnerability. Once compromised, the email address was used to send malicious emails to other targets. Once an attacker compromises a web server hosting a domain, they can use that legitimate infrastructure to host or deliver malware to other sites.

Proofpoint experts recently identified a prominent example of compromised SMB infrastructure used by the APT actor TA473 (known in open-source reporting as Winter Vivern) for phishing campaigns between November 2022 and February 2023. These campaigns targeted American and European government organizations. In March 2023, Proofpoint published details of emails that TA473 sent from compromised email addresses. In several cases, these emails came from WordPress-hosted domains that may have been unpatched or otherwise insecure at the time of the compromise. In addition, unpatched Zimbra email servers were exploited to compromise government agency email accounts. Beyond sending emails through compromised SMB infrastructure, TA473 also used compromised domains of small and medium-sized companies to deliver malware. Specifically, this actor compromised the domains of a Nepalese handmade clothing manufacturer and an American orthotist to distribute malware through phishing campaigns.

Figure 1: Diagram of TA473 cross-site request forgery

From January to March 2023, Proofpoint researchers observed that hackers running phishing campaigns frequently impersonated a medium-sized company based in Saudi Arabia that operates in the automotive industry. This phishing campaign, which targeted private email addresses in the US and Ukraine, can be linked to TA422 (publicly known as APT28). With this campaign, a group close to the Russian military intelligence service GRU is targeting Ukrainian institutions. Interestingly, it impersonated a Middle Eastern company to attack organizations in America and Europe. The threat actor entered a false address in the “MailTo” field of the email header, which may have strengthened its social engineering by impersonating a trusted organization. In practice, this impersonation via the MailTo field caused replies to be delivered to the legitimate domain that the threat actor impersonated. This unintended leak of emails allowed Proofpoint experts to gain insight into TA422’s credential-harvesting sites, which used the following subdomains to host phishing pages: 42web.[.]ok and ask[.]okay
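A defender-side check for the kind of header inconsistency described above, added here as an example and not code from the article or from Proofpoint. It assumes the article's "MailTo" field corresponds to the reply and bounce addresses (Reply-To and Return-Path headers); the two sample messages and all domains in them are constructed.

```python
"""Flag messages whose Reply-To or Return-Path domain differs from the
From domain: a spoofed reply address pointing at the impersonated
organization shows up as exactly this kind of mismatch."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sender infrastructure (Return-Path) does not match
# the impersonated From domain. Not a real message.
SAMPLE_SPOOFED = """\
From: Sales <sales@example-automotive.example>
Reply-To: sales@example-automotive.example
Return-Path: <bounce@attacker-infra.example>
To: victim@example.net
Subject: Invoice

body
"""

# Constructed sample: all three headers agree on one domain.
SAMPLE_CLEAN = """\
From: Sales <sales@example-automotive.example>
Reply-To: support@example-automotive.example
Return-Path: <bounce@example-automotive.example>
To: victim@example.net
Subject: Invoice

body
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header, or None."""
    if not header_value:
        return None
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def header_domain_mismatches(raw_message):
    """Return (header, header_domain, from_domain) for each reply/bounce
    header whose domain differs from the From domain."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(hdr))
        if from_dom and dom and dom != from_dom:
            findings.append((hdr, dom, from_dom))
    return findings
```

In a mail pipeline the same check would run on the envelope sender as well as the Return-Path header, since the latter is only added at final delivery.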

Finally, in May 2022, Proofpoint experts saw a high-profile case of APT impersonation when TA499 (also known as Vovan and Lexus), a Russia-based, state-sponsored actor, invited Ukrainian celebrities to politically motivated video conferences. This actor targeted a medium-sized firm representing celebrities in the United States. TA499 tried to recruit a prominent American for a video conference on the Ukraine conflict by impersonating Ukrainian President Volodymyr Zelensky. Proofpoint was able to link this campaign to TA499 because in 2022 the group used a range of email addresses and domains controlled by the actor. More information about TA499 and its activities can be found here.

Figure 2: Timeline of TA499 operations in 2022.