
The 2024 cyberwar playbook: Tricks used by nation-state actors – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Beyond the usual playbook, nation-state actors in 2024 relied on a mix of advanced tactics, including sophisticated backdoors and stealthy LOTL, to compromise critical systems for espionage.

In 2024, nation-state cyber activity was off the charts, with Chinese, Russian, and Iranian actors leading the charge. Their campaigns weren’t just relentless — they were innovative, using a crafty mix of Tactics, Techniques, and Procedures (TTPs) to gain footholds, stay hidden, and spy like pros.

“There was definitely a continued and noted uptick in nation-state activity in 2024,” said Chris Hughes, a cyber innovation fellow at the US government’s Cybersecurity and Infrastructure Security Agency (CISA). “Some of the largest activities in 2024 included those from Chinese APTs, such as Volt Typhoon and Salt Typhoon.”

No single TTP was the main player on its own. Instead, they worked together (often mutually inclusive) like puzzle pieces, each playing a role in the bigger picture. One actor, for example, might deploy spear-phishing to gain entry, exploit zero days for privilege escalation, and use wiper malware to cover their tracks — all in the same campaign.

While these actors operated full-blown strategies with many moving parts, here are a few key TTPs that defined nation-state cyber warfare in 2024.

Backdooring critical systems for sneaky attacks

In a trademark move, nation-state attackers got extremely savvy, often slipping backdoors into critical systems so they could hang around and strike again later. Speaking specifically about the attackers targeting the US, Hughes said, “Rather than being financially motivated, they were more focused on espionage and embedding themselves in US critical infrastructure for future attacks.”

While most nation-state actors use some form of persistence in compromised systems, these campaigns stood out as the top examples of such efforts in 2024.

  1. Salty two-year streak: In the “pursuit of sensitive information,” Chinese APT group Salt Typhoon (aka Earth Estries, Ghost Emperor, Famous Sparrow, or UNC2286) was revealed in September to have infiltrated multiple US telecommunications providers, including Verizon, Lumen Technologies, T-Mobile and AT&T, and to have maintained persistence for at least two years using the modular GhostSpider backdoor, whose “heartbeat” command provided periodic communication with its operators.
  2. A tickly Peach: Iranian hacker group Peach Sandstorm (also tracked as APT33) was found in August to have been active for over a decade, focusing on critical infrastructure sectors including the space industry. The group introduced a new multistage backdoor named “Tickler,” which provided remote access and persistence within victim networks after initial compromise through password spraying or social engineering.

As noted earlier, the backdoors used for persistence were often part of larger toolsets that also included features for exfiltrating sensitive data.

Lucky breaks through critical zero-days

Before they could plant any backdoor for persistence and future attacks, the cross-border offenders first needed to break into these systems. To do so, they relied on a range of methods, with zero-day exploits proving to be the most effective in 2024.

“CISA published their most exploited vulnerability list recently and of those, more than half were zero days at the time, showing an uptick in zero-day vulnerabilities, and impacting organizations before they even know they’re vulnerable or are able to apply patches from vendors,” Hughes added.

A few leading zero-day abuses by nation-state actors in 2024 included:

  1. Hole in the tankers: In recent months, the Iran-linked group APT34 (also known as OilRig and Earth Simnavaz) targeted the UAE and Gulf region by exploiting CVE-2024-30088, a Windows privilege escalation flaw (CVSS 7/10). This allowed them to escalate privileges, deploy a backdoor, and exfiltrate sensitive data from compromised Microsoft Exchange servers, using the ngrok tool for lateral movement within networks.
  2. Fortinet fiasco: Nation-state threat actors, likely including Volt Typhoon, actively exploited a critical vulnerability in FortiManager (CVE-2024-47575), which had a CVSS score of 9.8/10. The “missing authentication for critical function” flaw allowed attackers to execute arbitrary code via crafted requests. No malware or backdoors were found in the compromised systems. Fortinet had previously warned users to patch N-day flaws under known nation-state exploitation.
  3. Chained Ivanti duo: In early 2024, two zero-day vulnerabilities in Ivanti’s VPN products, CVE-2023-46805 and CVE-2024-21887, were discovered to have been exploited by Chinese state-backed actors as an attack chain. These flaws allowed remote code execution, which let the attackers steal configurations, alter files, and establish reverse tunnels. The attackers targeted critical industries like healthcare and manufacturing, employing advanced techniques to move laterally within networks and access sensitive data.

Phishing hooks still yielded

While nation-state actors loved zero days for swift break-ins, phishing remained a sly plan B. It let them craft sneaky schemes to worm into systems, proving that 2024 was the year of both bold strikes and artful cons.

Russian nation-state actors leaned heavily on phishing in 2024, with other APTs, like Iranian and Pakistani groups, dabbling in the tactic as well. The following are some of the standout campaigns from 2024 where phishing was the go-to for initial access.

  1. Blizzard of attacks: Russian hacking group Midnight Blizzard (APT29), linked to Russia’s SVR, launched a spear-phishing campaign targeting U.S. officials, academics, and the defense and NGO sectors, Microsoft revealed. Since October 22, 2024, they have sent emails disguised as coming from Microsoft staff and referencing AWS and Zero Trust, carrying RDP files signed with Let’s Encrypt certificates. The tactic connected victims’ devices to attacker-controlled servers, granting access to local resources and persistent control. CERT-UA and Amazon also flagged this global threat.
  2. Rival espionage: Pakistani threat actors, tracked as UTA0137, launched a targeted phishing campaign against Indian government systems, using fake Defense Service Officer Provident Fund (DSOP) forms to deliver malware. The campaign targeted the custom Linux-based BOSS operating system, with the DISGOMOJI malware using Discord emojis for stealthy command-and-control communication. Once inside, the malware exfiltrated sensitive system data, scanned USB devices, and leveraged older vulnerabilities like Dirty Pipe (CVE-2022-0847) for privilege escalation.
  3. Iranian social engineering: Iranian state-sponsored group APT42, tied to the IRGC-IO, launched enhanced phishing campaigns in May, impersonating journalists and event organizers to target NGOs, academia, activists, and media. By luring victims to malicious links or decoy materials, the group harvested credentials from fake Microsoft, Google, or Yahoo login pages, bypassing MFA through cloned websites and push notifications. Alongside credential theft, they deployed custom backdoors like TAMECAT and NICECURL via phishing, enabling flexible access for further espionage within cloud environments.
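As an added, defender-side example (not code from the article or from any group or vendor it names), the following Python triage script parses a Remote Desktop .rdp file, the attachment type used in the Midnight Blizzard campaign above, and flags settings that redirect local drives, devices, clipboard or smart cards to the remote host. The sample file and the trusted-host list are constructed for illustration; the setting names are real mstsc keys, but which ones count as risky is this example's own choice.

```python
# Settings in a .rdp file that hand local resources to the remote server
# (real mstsc keys; treating them as risky is this example's editorial choice).
RISKY_SETTINGS = {
    "drivestoredirect": "local drives are mapped into the remote session",
    "devicestoredirect": "local devices (USB etc.) are redirected",
    "redirectclipboard": "clipboard is shared with the remote host",
    "redirectsmartcards": "smart cards (authentication tokens) are redirected",
    "remoteapplicationmode": "RemoteApp mode hides the remote desktop from the user",
}

def parse_rdp(text: str) -> dict:
    """Parse key:type:value lines into {key: (type, value)}; skip malformed lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings

def is_enabled(typ: str, value: str) -> bool:
    """Integer (i) settings are enabled when non-zero; string (s) settings when non-empty."""
    if typ == "i":
        return value.isdigit() and int(value) != 0
    return value != ""

def triage_rdp(text: str, trusted_hosts: set) -> dict:
    """Return the target host, whether it is trusted, and the risky redirections found."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    findings = [
        f"{key}: {why}"
        for key, why in RISKY_SETTINGS.items()
        if key in settings and is_enabled(*settings[key])
    ]
    return {
        "host": host,
        "trusted_host": host in trusted_hosts,
        "findings": findings,
        "verdict": "block" if findings or host not in trusted_hosts else "allow",
    }

# Constructed sample .rdp resembling the lure described above (not a real file).
SAMPLE_RDP = """\
full address:s:rdp.example-lure.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
"""
```

Running `triage_rdp(SAMPLE_RDP, {"rdp.corp.example"})` returns a "block" verdict because the host is untrusted and three redirections are enabled; a mail gateway or EDR rule can apply the same check to inbound .rdp attachments.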

While credential harvesting through malware delivered via phishing was fairly common, nation-state actors rarely resorted to scavenging credentials from hack forums or drop sites as a primary tactic. When asked, Hughes noted, “I’m not familiar with this being the primary MO by the APTs, who instead are targeting devices, products and vendors with vulnerabilities and misconfigurations, but once inside, they do compromise credentials and use those to pivot, move laterally, persist in environments and more.”

They likely avoid doing this because credentials on forums and sites are often stale, partially compromised, or already under scrutiny by security teams. Relying on them could undermine the sophistication and stealth of their operations.

Malware’s always a hit

While backdoors ensured long-term persistence for these actors, advanced malware delivered quick wins — enabling lateral movement and swift data extraction that left networks reeling. A few standout nation-state malware operations this year included the following.

  1. Russian payloads: APT29 used a range of advanced malware in its campaigns, including the ROOTSAW (or EnvyScout) malware dropper and a new variant named WINELOADER. ROOTSAW delivered obfuscated JavaScript to download encrypted payloads, while WINELOADER employed DLL sideloading for stealth and modular functionality. These tools showed a degree of customization that departed from older loaders like DONUT and DAVESHELL, and introduced unique command-and-control mechanisms. Another Russian nation-state actor, Forest Blizzard (APT28), was seen deploying a new malware called GooseEgg for credential theft.
  2. Chinese malware: Chinese actors like Volt Typhoon and Salt Typhoon used a mix of malware in their attacks. Volt Typhoon relied on the KV botnet, which hijacks small-office routers to launch DDoS attacks and steal data. Salt Typhoon, on the other hand, used GhostSpider, a stealthy malware that targets telecom networks to exfiltrate sensitive information like call records. Both groups focused on critical infrastructure, showing just how advanced their tactics have become.

With malware evolving at lightning speed in 2024, CISA decided to let the public in on its Malware Next-Gen tool, letting anyone with a login.gov account submit and analyze suspicious files. Since November 2023, nearly 400 users have sent in over 1,600 files, helping spot around 200 malicious ones.

CISA’s Malware Next-Gen tool boosts AI-driven threat hunting and helps businesses defend against known and unknown attacks, she added.

Living off-the-land

These actors weren’t always about flashy, custom malware. Quite often, they used legitimate tools like PowerShell, rootkits, RDP, and other off-the-shelf system features to sneak in, stay undetected, and set up long-term access. This made their attacks stealthy, persistent, and ready for future moves.

  1. Volt Typhoon: In a targeted espionage campaign, the China-backed threat actor used Living off the Land (LOTL) techniques to gain unauthorized access. By leveraging trusted system tools like SSL VPN, the actor was able to carry out remote code execution (RCE) attacks on critical infrastructure, evading detection and maintaining persistence.
  2. Iranian use: Iranian cyber-espionage group APT34 (OilRig) has been using PowerShell to execute malicious code during recent attacks in the UAE and Gulf region. By exploiting a Windows privilege escalation flaw, they gained access, exfiltrated credentials, and used tools like ngrok for lateral movement within compromised networks. PowerShell enabled them to run commands and transfer files undetected.

A Dragos study for Q3 2024 highlighted a surge in cyber activity, with threat actors exploiting VPN vulnerabilities and stolen credentials to infiltrate critical systems, primarily relying on living-off-the-land (LOTL) techniques for persistence and evasion.

In addition to these techniques, 2024 saw the use of AI to develop advanced penetration tools and target supply chains for lateral movement into critical systems. Adding on this, Hughes said, “We’ve seen APTs and nation-states continue to target the supply chain, with a massive surge in malicious packages across the open source software (OSS) supply chain, and looking to compromise widely used projects and packages.”


Original Post url: https://www.csoonline.com/article/3629493/the-2024-cyberwar-playbook-tricks-used-by-nation-state-actors.html
