Advanced Persistent Threats (APTs)

APT is a sophisticated, long-term malicious attack that seems to play the long game by spying on the target infrastructure for months or years before successfully breaking through the network.

Ensar Seker, published in Lotus Fruit, May 21, 2020

Recently, there has been an increase in advanced persistent threats aimed at exploiting fragile infrastructure. An APT is a sophisticated, long-term malicious attack that plays the long game, spying on the target infrastructure for months or years before successfully breaking through the network. Every single threat team had to submit at least one report on advanced persistent threats in the past year.

APT attacks are carefully planned, designed to infiltrate a particular organization, bypass existing security measures, and fly under the radar. An APT is a combined attack that uses multiple stages and different attack techniques. Running an APT attack requires advanced knowledge of the organization’s infrastructure, security policies and procedures, combined with sophisticated tactics. These are not spontaneously conceived and executed attacks: attackers plan attack strategies against specific targets and carry them out over a longer period. Although the frequency of these attacks is low compared to automated or commercialized threats, which are broader in their objectives, they represent a much more serious threat.

Advanced Persistent Threat Life Cycle (Wikipedia)

Initial intrusion is performed using social engineering and spear-phishing with zero-day viruses, or by planting malware on a website that the victim is likely to visit. An outbound connection is then initiated to plant remote administration software in the victim’s network and to create network backdoors and tunnels that allow stealthy access to its infrastructure. Expanding access and obtaining credentials means escalating privileges: using exploits to acquire administrator privileges over the victim’s computer and possibly extending them to domain administrator accounts. Strengthening the foothold means expanding control to other workstations, servers, and infrastructure elements and harvesting data from them. After the data is exfiltrated, all tracks are covered so that access can be maintained for future operations.

APT groups are typically threat actors who receive guidance and support from nation-states, with objectives that traditionally include data theft, intelligence gathering, disruption, and destruction. APT attacks target governments that handle high-value information or intelligence, including sensitive material such as military operations, security files, and advanced military technology documents. These groups differ from other cybercriminals in that they adapt to defenses and can maintain their presence in a system for months or even years.

Some APT groups are listed below (source: Wikipedia):

China

· PLA Unit 61398 (also known as APT1)

· PLA Unit 61486 (also known as APT2)

· Buckeye (also known as APT3)

· Red Apollo (also known as APT10)

· Codoso Team (also known as APT19)

· Wocao (also known as APT20)

· PLA Unit 78020 (also known as APT30 and Naikon)

· Periscope Group (also known as APT40)

· Double Dragon (also known as APT41)

Iran

· Elfin Team (also known as APT33)

· Helix Kitten (also known as APT34)

· Charming Kitten (also known as APT35)

· APT39

North Korea

· Ricochet Chollima (also known as APT37)

· Lazarus Group (also known as APT38)

Russia

· Fancy Bear (also known as APT28)

· Cozy Bear (also known as APT29)

· Voodoo Bear

· Venomous Bear

United States

· Equation Group

Uzbekistan

· SandCat

Vietnam

· OceanLotus (also known as APT32)

Cybersecurity experts often focus on detecting anomalies in outgoing data to see whether a network is the target of an APT attack, but once a foothold is established, the threat actor can use that access to conduct further reconnaissance and deploy malware. The malware is installed to create network backdoors and tunnels that the attackers can use to move unnoticed. This strategy is used to infiltrate malicious software into the targets to gain access. Once they have access, these threat actors can reach the network infrastructure, including network traffic, network resources, and network services, as well as the data itself. From there, they use a variety of tactics, including stealing valuable information from internal intelligence services, collecting ransoms, and shutting down an adversary’s power grids.
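The paragraph above says defenders watch outgoing data for anomalies. As an added illustration (not code from the original article), here are two such checks over constructed flow records: a beaconing check that flags a host contacting one destination at near-fixed intervals, and a volume check that flags a host whose outbound bytes for the day exceed its own historical baseline. All hostnames, addresses, byte counts and baselines are constructed sample data.

```python
# Added illustration (not from the original article): two checks on outbound traffic
# of the kind the text says defenders use. All hosts/addresses/bytes are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flows for one day: (seconds since midnight, host, dest, bytes)
FLOWS = [
    (0, "ws-01", "203.0.113.5", 1200), (61, "ws-01", "203.0.113.5", 1180),
    (119, "ws-01", "203.0.113.5", 1210), (180, "ws-01", "203.0.113.5", 1195),
    (240, "ws-01", "203.0.113.5", 1205), (301, "ws-01", "203.0.113.5", 1190),
    (15, "ws-02", "198.51.100.7", 4000), (900, "ws-02", "198.51.100.9", 52000),
    (2400, "ws-02", "198.51.100.7", 3100),
    (33, "ws-03", "198.51.100.7", 2500), (410, "ws-03", "198.51.100.9", 2700),
    (1200, "ws-03", "198.51.100.7", 2900), (2900, "ws-03", "198.51.100.9", 2600),
]
# Constructed per-host daily outbound totals for the previous seven days.
BASELINE = {
    "ws-01": [6900, 7100, 7000, 7300, 6800, 7200, 7000],
    "ws-02": [6500, 7200, 6900, 7100, 7000, 6800, 7300],
    "ws-03": [10500, 11000, 10200, 10800, 10900, 10400, 10700],
}

def beaconing_hosts(flows, min_conns=5, max_jitter=0.1):
    """Hosts that contact one destination at near-fixed intervals. Very low
    jitter (stdev / mean gap) is typical of a backdoor polling its controller."""
    by_pair = defaultdict(list)
    for ts, host, dest, _ in flows:
        by_pair[(host, dest)].append(ts)
    flagged = set()
    for (host, _), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.add(host)
    return flagged

def exfil_hosts(flows, baseline, sigmas=3.0):
    """Hosts whose outbound volume today exceeds their own historical mean by
    more than `sigmas` standard deviations (a data-staging/exfiltration signal)."""
    totals = defaultdict(int)
    for _, host, _, nbytes in flows:
        totals[host] += nbytes
    flagged = set()
    for host, today in totals.items():
        history = baseline.get(host)
        if history and today > mean(history) + sigmas * pstdev(history):
            flagged.add(host)
    return flagged
```

With the sample data, `beaconing_hosts(FLOWS)` flags ws-01 (six connections about 60 seconds apart) and `exfil_hosts(FLOWS, BASELINE)` flags ws-02 (59,100 bytes against a baseline near 7,000); a host with no baseline is never flagged by the volume check.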

One possible twist is to publish the data stolen from the victim instead of making the files irretrievable. APTs can use this to cover their tracks, and mixing in a false flag, since security researchers are hungry for small clues, may be enough to redirect authorship of the code to someone else.


In an age when data breaches and ransomware attacks make up the bulk of cyber coverage in the mainstream media, advanced persistent threats often fall under the radar. These threats come in many forms and can cause significant damage to businesses and infrastructure.

Advanced persistent threat (APT) groups are widely classified as organizations conducting cyber espionage and cyber sabotage. Over time, determined threat actors have expanded their toolbox to other areas such as network hardware. Large corporations are also a major target of certain APT groups, and it is critical to catch APT operations before they can expand their scope.

A coordinated cyberattack in January 2010, dubbed “Operation Aurora” by security experts, targeted at least 34 companies, including Google and Adobe. The hackers used sophisticated strategies and stealthy programming to infiltrate corporate networks and hide their presence while they searched the systems for information to steal. These groups span the globe and include groups funded largely by rogue groups or government-backed groups that have made a huge dent in the cybersecurity world.

These threats come in the form of cyber-attacks, cyber espionage, ransomware, phishing, and other forms of malware, as well as advanced persistent threats.

Coronavirus (COVID-19) has become a global pandemic, and there is evidence that attackers exploit collective fear to increase the likelihood of a successful attack. In late January, a state-sponsored Advanced Persistent Threat (APT) group used coronavirus themes in phishing attacks to gain a foothold on victims’ computers. As the virus spread worldwide, the attacks increased, and China was one of the first targets of the APT groups, just before the spread of the coronavirus itself.

We continue to track the activities of these APT groups and to understand the methods they use, which gives us a better understanding of the impact they have.
