Three Nation-State Campaigns Targeting Healthcare, Banking Discovered
2024-06-27 20:00:09 Author: securityboulevard.com

Researchers at Menlo Security have identified three distinct nation-state campaigns that use highly evasive adaptive threat (HEAT) tactics.

These campaigns have specifically targeted critical sectors including banking institutions, financial powerhouses, insurance giants, legal firms, government agencies and healthcare providers.

Campaigns Have Compromised High-Value Users

Dubbed LegalQloud, Eqooqp and Boomer, these campaigns have reportedly compromised over 40,000 high-value users within just 90 days, according to the Menlo Security report.

The attackers, believed to be backed or harbored by nation-states, employ techniques capable of bypassing multi-factor authentication (MFA) and hijacking authenticated sessions using adversary-in-the-middle (AiTM) phishing toolkits.

LegalQloud hosts its phishing domains on Tencent Cloud, whose infrastructure is not typically flagged by traditional URL categorization and block lists.

Hosting on trusted infrastructure makes it harder for reputation-based controls to identify and block the malicious URLs, because the domain inherits the cloud provider's good standing.

Eqooqp uses AiTM techniques: a reverse proxy sits between the user and the legitimate login page, relaying the real site to the victim while capturing the submitted credentials and the session cookie the service issues once MFA succeeds. Because that cookie represents an already-authenticated session, replaying it lets the attacker bypass MFA without ever seeing the second factor again. One of the campaigns is suspected to have ties to the threat group DEV-1101, since renamed Storm-1101 under Microsoft's current naming scheme.
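To make concrete why the AiTM relay described above defeats one-time-code MFA but not phishing-resistant MFA, here is an added example that is not part of the article or the Menlo report. It simulates both flows in one process: a TOTP relay (RFC 6238, computed from a constructed shared secret) and a simplified WebAuthn assertion in which the browser records the origin of the page it is on inside clientDataJSON. The origins, the secret, and the HMAC stand-in for the credential's signature are all assumptions for illustration.

```python
"""Why an AiTM proxy defeats OTP-based MFA but not origin-bound WebAuthn.

Added example, not from the Menlo report or the article. The proxy, client
and relying party (RP) are simulated in-process; all domains, secrets and
keys are made-up constants.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-bank.test"            # constructed
PHISH_ORIGIN = "https://login.example-bank-lookalike.test"  # constructed AiTM proxy

# --- One-time code (TOTP) flow ----------------------------------------------
TOTP_SECRET = b"constructed-shared-secret"  # assumption: victim's enrolled secret


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(code: str, t: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def aitm_relay_totp(t: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it
    unchanged. Nothing in the code binds it to an origin, so the RP accepts."""
    victim_code = totp(TOTP_SECRET, t)  # from the victim's authenticator app
    forwarded = victim_code             # proxy relays as-is
    return rp_verify_totp(forwarded, t)


# --- WebAuthn flow (simplified) ---------------------------------------------
# A real authenticator signs authenticatorData || SHA-256(clientDataJSON) with
# a per-credential private key. An HMAC key stands in for that signature here,
# because the point of the example is the origin check, not the algorithm.
CRED_KEY = secrets.token_bytes(32)


def authenticator_sign(challenge: bytes, page_origin: str) -> dict:
    """The browser, not the page, fills in the origin it is currently on.
    Script on the phishing page cannot alter it."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": page_origin,
    }, sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify_webauthn(assertion: dict, challenge: bytes) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != LEGIT_ORIGIN:  # the check an AiTM proxy cannot pass
        return False
    expected = hmac.new(CRED_KEY, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def aitm_relay_webauthn() -> bool:
    """RP issues a challenge; proxy forwards it; victim's browser is on the
    phishing origin, so that origin is what gets signed and relayed back.
    (In practice the browser refuses even earlier, because the phishing origin
    is outside the credential's RP ID; the server-side origin check is the
    second line of defense shown here.)"""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return rp_verify_webauthn(assertion, challenge)


def direct_webauthn() -> bool:
    challenge = secrets.token_bytes(32)
    return rp_verify_webauthn(authenticator_sign(challenge, LEGIT_ORIGIN), challenge)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("TOTP relayed through AiTM proxy accepted:", aitm_relay_totp(now))
    print("WebAuthn relayed through AiTM proxy accepted:", aitm_relay_webauthn())
    print("WebAuthn direct accepted:", direct_webauthn())
```

The relayed TOTP is accepted and the relayed WebAuthn assertion is rejected, which is the whole difference between MFA that an AiTM kit can proxy and MFA that it cannot. The same origin binding is why FIDO2 security keys and passkeys are the usual recommendation against this class of campaign.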

Vinay Pidathala, senior director of Menlo Labs, said the findings highlight a concerning trend where state-sponsored entities are refining their attack methodologies and adapting to evade traditional security protocols.

This escalation in sophistication poses significant challenges for cybersecurity professionals tasked with defending against such clandestine and persistent threats.

“As organizations grapple with these developments, understanding the intricacies of these HEAT tactics becomes increasingly imperative for effective defense and mitigation strategies,” he said.

He warned of an increased focus on critical infrastructure, with nation-state actors more aggressively targeting power grids, water systems, transportation networks and healthcare facilities.

“These attacks would aim to disrupt essential services and could create widespread chaos,” Pidathala said. “As more and more organizations move to the cloud, nation-state actors will likely increase efforts to exploit vulnerabilities in cloud platforms and services.”

Meanwhile, APT groups backed by nation-states are likely to continue developing more complex, stealthy and long-term operations to maintain persistent access to high-value targets.

Pidathala added nation-states may escalate their use of ransomware attacks against rival countries or their allies as a means of economic disruption and coercion, turning this criminal tactic into a geopolitical tool.

“As space becomes increasingly important for communication and military operations, we may see more attacks targeting satellite systems and other space-based infrastructure,” he added.

AiTM and the Future of Cybercrime

Mika Aalto, co-founder and CEO at Hoxhunt, explained that AiTM attacks are the future of cybercrime.

“They are extremely effective and much harder to trace and prevent compared to traditional social engineering attacks,” he said.

The technical barrier has so far kept them from being widespread; once the bar lowers for criminals, Aalto predicts a wave of serious breaches from AiTM-integrated credential harvesters, business email compromise (BEC) and ransomware.

He added that security awareness and phishing training must keep pace with the latest threats so people understand AiTM and dynamic phishing, and know how to spot these attacks and stay safe.

“These evasive techniques are fundamentally different from traditional static phishing attacks because they will intercept legitimate user traffic and deploy malware and malicious content that adjusts on-the-fly to the user’s context, making it very hard to identify,” he said.

Aalto said despite this evolved tactic, users can stay safe if they understand that they must never let their guard down.

Adopting AI-Driven Analysis

Callie Guenther, senior manager of cyberthreat research at Critical Start, said security teams should adopt behavior-based detection methods, continuous threat hunting, and the use of AI-driven analysis to identify anomalies associated with dynamic phishing sites and encrypted code.

“Deploying advanced threat intelligence platforms and regularly updating detection signatures can help to identify and mitigate such sophisticated attacks,” she added.

Noting that a quarter of phishing links go undetected by legacy URL filtering, Guenther suggested organizations integrate machine learning algorithms into their URL filtering systems to better detect phishing links.

“Additionally, deploying real-time threat intelligence feeds and sandboxing suspicious URLs can enhance the detection and prevention capabilities against evasive phishing attempts,” she said.
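The behavior-based detection Guenther describes can be illustrated on sign-in telemetry. The following is an added example, not code from the article or from any vendor product named in it: it reads constructed sign-in log lines and flags a session whose token is used, shortly after the MFA sign-in, from a different network and browser than the one that completed MFA, which is the pattern a replayed AiTM-stolen cookie produces. The field names (ts, user, event, mfa, session, ip, asn, ua) are an assumed schema and the log lines are constructed.

```python
"""Behaviour-based detection of AiTM session replay in sign-in telemetry.

Added example, not from the article or any product it mentions. The log
lines are constructed and the field names are an assumed schema; map your
own identity provider's sign-in logs onto them before use.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: session S1 signs in with MFA from one network and
# browser, then the same session token is used minutes later from a
# different ASN and user agent (the AiTM replay pattern). Session S2 changes
# IP but stays on the same ASN and browser, which is ordinary roaming.
SAMPLE_LOGS = """
{"ts":"2024-06-20T09:00:05Z","user":"cfo@example-bank.test","event":"signin","mfa":"satisfied","session":"S1","ip":"198.51.100.10","asn":64501,"ua":"Chrome/125 Windows"}
{"ts":"2024-06-20T09:00:07Z","user":"cfo@example-bank.test","event":"token_use","session":"S1","ip":"198.51.100.10","asn":64501,"ua":"Chrome/125 Windows"}
{"ts":"2024-06-20T09:03:40Z","user":"cfo@example-bank.test","event":"token_use","session":"S1","ip":"203.0.113.77","asn":64502,"ua":"Chrome/124 Linux"}
{"ts":"2024-06-20T09:05:00Z","user":"cfo@example-bank.test","event":"token_use","session":"S1","ip":"203.0.113.77","asn":64502,"ua":"Chrome/124 Linux"}
{"ts":"2024-06-20T10:00:00Z","user":"analyst@example-bank.test","event":"signin","mfa":"satisfied","session":"S2","ip":"192.0.2.5","asn":64503,"ua":"Safari/17 macOS"}
{"ts":"2024-06-20T10:30:00Z","user":"analyst@example-bank.test","event":"token_use","session":"S2","ip":"192.0.2.9","asn":64503,"ua":"Safari/17 macOS"}
"""

REPLAY_WINDOW = timedelta(hours=1)  # assumption: tune to your token lifetime


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON and sort by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events: list, window: timedelta = REPLAY_WINDOW) -> list:
    """Flag the first token use per session that, within `window` of the MFA
    sign-in, comes from a different ASN *and* a different user agent than the
    sign-in. Requiring both cuts noise from mobile networks that hop IPs."""
    baseline = {}   # session id -> the MFA-satisfied sign-in event
    flagged = set()
    alerts = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "signin" and ev.get("mfa") == "satisfied":
            baseline[sid] = ev
            continue
        if ev["event"] != "token_use" or sid not in baseline or sid in flagged:
            continue
        base = baseline[sid]
        if ev["ts"] - base["ts"] > window:
            continue
        if ev["asn"] != base["asn"] and ev["ua"] != base["ua"]:
            flagged.add(sid)
            alerts.append({
                "rule": "aitm_session_replay",
                "user": ev["user"],
                "session": sid,
                "signin_ip": base["ip"], "signin_asn": base["asn"], "signin_ua": base["ua"],
                "replay_ip": ev["ip"], "replay_asn": ev["asn"], "replay_ua": ev["ua"],
                "seconds_after_mfa": int((ev["ts"] - base["ts"]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

On the sample, only S1 is flagged. The natural response action is to revoke that session's tokens and force re-authentication, ideally with a phishing-resistant factor. The ASN-plus-user-agent heuristic is a starting point, not a finished rule: real telemetry needs IP-to-ASN enrichment and a baseline of each user's normal networks before the threshold is trustworthy.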

Article source: https://securityboulevard.com/2024/06/three-nation-state-campaigns-targeting-healthcare-banking-discovered/