
The Government Hacker Threat Landscape

Introduction to APTs

Cyber threats fall into several categories. Some cybercriminals are members of organized crime groups that use the Internet as an alternative to traditional crime. Others are lone hackers or hacking groups that pursue particular targets for their own reasons. The most significant threat in the cyber landscape, however, is the advanced persistent threat (APT). Many cybercriminals take a “smash and grab” approach: they break in, steal what they can, and get out. Even when they spend weeks or months inside a network, that pales in comparison to what some APTs are willing to do. An APT is a cybercrime group that has demonstrated its ability to be an ongoing threat to organizations, governments, and other targets. Remaining a significant threat over a long period requires time, skilled manpower, and money, so many APT groups are sponsored by, or at least associated with, the governments of their countries. They conduct attacks for a variety of reasons, from espionage to intellectual property theft to sabotage.


Cyber-Active Countries

While APT groups are known to be associated with particular governments or countries, accurate attribution can be extremely difficult. One issue is that the goal of these groups is stealth, and pretending to be someone else is an effective way of covering their tracks. As a result, an attack “known” to belong to a certain group does not necessarily point back to the real perpetrators. In some cases, two “distinct” APTs have later been found, on the basis of further attacks and analysis, to be the same or related groups. Another problem for attribution is that APT groups are well funded and build very effective tools and malware. Once that malware has been used in an attack, it is “in the wild” and can be picked up by other cyber threat actors. Being hit by an APT’s malware therefore does not necessarily mean that an organization is being targeted by the APT itself. Despite these challenges, probable attribution has been established for several APTs. Some of the biggest actors in the space are China, Iran, North Korea, and Russia.

1. China

China has by far the most APT groups attributed to it of any country on this list. APT1 is linked to the People’s Liberation Army (PLA), and APTs 3, 10, 12, 16, 17, 18, 19, 30, 40, and 41 are all believed to be based on Chinese soil. In general, Chinese hacking groups have been tied to cyber espionage targeting high-tech sectors and governments. These espionage efforts have allowed China to accelerate its research and development, especially in the aerospace industry.

2. Iran

Iran is associated with three APTs: APT33, APT34, and APT35. APT33 concentrates on technical espionage against the aerospace and energy industries. APT34 has more wide-reaching interests but is geographically focused on the Middle East. APT35 is known for conducting espionage with custom-built malware.


3. North Korea

North Korea is associated with two groups: APT37 and APT38. The first conducts espionage and sabotage operations in a small number of countries but across many industries. The second is primarily concerned with the global financial industry.

4. Russia

Russia is currently associated with four different APTs: APT28, APT29, Venomous Bear, and Voodoo Bear. The operations of APT28 and APT29 have been tied to the Russian government. Venomous Bear targets organizations in multiple verticals, and Voodoo Bear is tied to the attacks against the Ukrainian power sector.

Protecting Against the APT Threat

APTs are highly skilled hacking groups that are also highly selective in choosing their targets. Understanding which APTs are likely to operate in an organization’s industry and geographic region is useful for gauging the threat they pose to that organization. Most organizations are unlikely to be targeted by an APT directly; they are more likely to be attacked by other threat actors using the APT’s tools and impersonating it. Against these second-stage attackers, good cyber hygiene is the best defense. Once APT malware is “in the wild”, a signature is also likely to become available so that antivirus, intrusion detection, and other security solutions can detect and block it.
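The two points above, matching published APT targeting against an organization's own industry and region, and not treating a hit on APT-attributed malware as proof that the APT itself is the attacker, can be turned into a small triage routine. The following is an added example, not code from the original page or from any of the sources it cites. The sector and region attributes for each group are taken from the article's own summaries (groups for which the article gives no targeting detail are omitted); the scoring weights, the organization profile, and the verdict labels are assumptions made for illustration.

```python
"""Rank the APT groups named in the article by relevance to an organization's
profile, and triage a signature hit on APT-attributed malware with the
article's caveat that tooling is often reused by other actors.

Added example; group attributes follow the article, weights are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatGroup:
    name: str
    country: str
    sectors: frozenset  # sectors the article says the group targets; "any" = none stated
    regions: frozenset  # regions the article says the group focuses on; "any" = none stated
    motive: str


@dataclass(frozen=True)
class OrgProfile:
    sector: str
    region: str


# Targeting as summarized in the article. Groups the article describes without
# sector or region detail (e.g. APT28, APT29, Venomous Bear) are left out.
GROUPS = [
    ThreatGroup("APT1", "China", frozenset({"technology", "government"}), frozenset({"any"}), "espionage"),
    ThreatGroup("APT33", "Iran", frozenset({"aerospace", "energy"}), frozenset({"any"}), "espionage"),
    ThreatGroup("APT34", "Iran", frozenset({"any"}), frozenset({"middle_east"}), "espionage"),
    ThreatGroup("APT38", "North Korea", frozenset({"finance"}), frozenset({"any"}), "financial theft"),
    ThreatGroup("Voodoo Bear", "Russia", frozenset({"energy"}), frozenset({"ukraine"}), "sabotage"),
]

# Assumed weights: an explicit match is stronger evidence than "no stated restriction".
EXPLICIT_MATCH = 2
NO_RESTRICTION = 1
ESCALATE_THRESHOLD = 3  # assumed: at least one explicit match plus no mismatch


def _component(stated: frozenset, actual: str) -> int:
    """Score one dimension (sector or region) of a group against the org."""
    if "any" in stated:
        return NO_RESTRICTION
    return EXPLICIT_MATCH if actual in stated else 0


def relevance_score(group: ThreatGroup, org: OrgProfile) -> int:
    """0 when the org falls outside an explicitly stated restriction, else the sum."""
    sector = _component(group.sectors, org.sector)
    region = _component(group.regions, org.region)
    if sector == 0 or region == 0:
        return 0
    return sector + region


def rank_groups(org: OrgProfile, groups=GROUPS):
    """Return (name, score) pairs for groups with non-zero relevance, best first."""
    scored = [(g.name, relevance_score(g, org)) for g in groups]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


def triage_signature_hit(attributed_group: str, org: OrgProfile, groups=GROUPS):
    """Interpret an AV/IDS hit on malware attributed to `attributed_group`.

    Returns (verdict, explanation). The verdict labels are assumptions:
    'escalate'   - the group's stated targeting fits this org; treat as possibly targeted
    'tool_reuse' - the targeting does not fit; likely another actor using leaked tooling
    'unknown'    - no profile on file; fall back to standard malware handling
    """
    group = next((g for g in groups if g.name == attributed_group), None)
    if group is None:
        return "unknown", f"no targeting profile for {attributed_group!r}; handle as generic malware"
    score = relevance_score(group, org)
    if score >= ESCALATE_THRESHOLD:
        return "escalate", (f"{group.name} ({group.country}, {group.motive}) targeting matches "
                            f"{org.sector}/{org.region}; investigate as a possible targeted intrusion")
    return "tool_reuse", (f"{group.name} tooling seen, but its stated targeting does not fit "
                          f"{org.sector}/{org.region}; probable reuse by another actor, apply standard response")


if __name__ == "__main__":
    # Constructed organization profiles for illustration.
    bank = OrgProfile("finance", "europe")
    utility = OrgProfile("energy", "ukraine")
    print(rank_groups(bank))      # [('APT38', 3)]
    print(rank_groups(utility))   # [('Voodoo Bear', 4), ('APT33', 3)]
    print(triage_signature_hit("APT38", bank))
    print(triage_signature_hit("APT38", utility))
```

The ranking only uses what the article states, so a group with no stated restriction scores lower than one whose published targeting explicitly includes the organization; an explicit mismatch zeroes the score, which is what drives the "tool reuse" verdict in the triage function.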


Sources:

- https://www.fireeye.com/current-threats/apt-groups.html
- https://securityaffairs.co/wordpress/24923/cyber-crime/ajax-security-team-iran.html
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/
