An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. [1] [2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. [3]
Such threat actors' motivations are typically political or economic. [4] Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more. [5] [6] [7] Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software). [8]
APT attacks on mobile devices have also become a legitimate concern, since attackers are able to penetrate into cloud and mobile infrastructure to eavesdrop, steal, and tamper with data. [9]
The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reported the mean dwell-time for 2018 in the Americas as 71 days, EMEA as 177 days, and APAC as 204 days. [5] Such a long dwell-time allows attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objectives.
Definitions of precisely what an APT is vary, but can be summarized by the requirements named below:
Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006 [13] with Colonel Greg Rattray cited as the individual who coined the term. [14]
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat. [15]
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. [16] Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks. [17]
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. [18] [19] [20] The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations. [21]
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states. [22] [23] [24] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including: [25]
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors. [28]
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation [29] by following a continuous process or kill chain:
The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method. [30]
In 2013, Mandiant presented the results of its research on alleged Chinese attacks using the APT method between 2004 and 2013 [31] that followed a similar lifecycle:
In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest almost five years. [31] The infiltrations were allegedly performed by the Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks. [33]
Earlier reports from Secdev had already discovered and implicated Chinese actors. [34]
There are tens of millions of malware variations, [35] which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command and control network traffic associated with an APT can be detected at the network layer with sophisticated methods. Deep log analysis and log correlation from various sources are of limited usefulness in detecting APT activities, because it is challenging to separate noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs. [36] Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when cyber threat intelligence is applied to hunting and adversary pursuit activities. [37] [38] Human-Introduced Cyber Vulnerabilities (HICV) are a weak link that is neither well understood nor mitigated, constituting a significant attack vector. [39]
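One network-layer method of the kind the paragraph refers to is beacon detection: command and control implants often check in at a fixed interval, which makes their inter-arrival times far more regular than user-driven traffic. The following is an added illustration, not code from the article or from any vendor; the flow records and the thresholds (six connections, coefficient of variation of 0.1) are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 -> 203.0.113.10 connects every ~300 s with a few seconds of jitter
# (beacon-like); 10.0.0.7 -> 198.51.100.20 shows irregular, user-driven timing.
# Both destinations are documentation address ranges, not real infrastructure.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443), (301, "10.0.0.5", "203.0.113.10", 443),
    (598, "10.0.0.5", "203.0.113.10", 443), (902, "10.0.0.5", "203.0.113.10", 443),
    (1199, "10.0.0.5", "203.0.113.10", 443), (1503, "10.0.0.5", "203.0.113.10", 443),
    (1800, "10.0.0.5", "203.0.113.10", 443),
    (0, "10.0.0.7", "198.51.100.20", 443), (12, "10.0.0.7", "198.51.100.20", 443),
    (95, "10.0.0.7", "198.51.100.20", 443), (400, "10.0.0.7", "198.51.100.20", 443),
    (403, "10.0.0.7", "198.51.100.20", 443), (1100, "10.0.0.7", "198.51.100.20", 443),
    (1110, "10.0.0.7", "198.51.100.20", 443),
]

def beacon_candidates(flows, min_conns=6, max_cv=0.1):
    """Group flows by (src, dst, port) and flag pairs whose inter-arrival
    times are regular: coefficient of variation (stdev / mean of the gaps)
    at or below max_cv. Returns (src, dst, port, mean_gap, cv) tuples.

    max_cv is the tuning knob: raising it catches check-ins that add random
    jitter, at the cost of more false positives from legitimate polling."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:   # too few samples to judge regularity
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:            # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append((*pair, round(mean_gap, 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print("possible beacon:", hit)
```

Legitimate software (update checks, monitoring agents) also beacons, so hits are a hunting lead to enrich with threat intelligence and host context, not an alert on their own.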
Since Xi Jinping became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security gained more responsibility over cyberespionage vis-à-vis the People's Liberation Army, and currently oversees various APT groups. [40] According to security researcher Timo Steffens, "the APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individual, and private and public sectors". [41]
Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as CrowdStrike, Kaspersky, Mandiant, and Microsoft, among others, have their own internal naming schemes. [82] Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered.
CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime. [83] Other companies have named groups based on this system — Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike. [84]
Dragos bases its names for APT groups on minerals. [82]
Mandiant assigns numbered acronyms in three categories, APT, FIN, and UNC, resulting in APT names like FIN7. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive). [82]
Microsoft used to assign names from the periodic table, often stylized in all-caps (e.g. POTASSIUM); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon). [85]
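Because each vendor names the same actor differently, analysts routinely have to merge alias lists from several reports before they can tell whether two reports describe one group. The following is an added example, not code from the article or from any of the vendors named; the names are ones this article lists, but the grouping of them into individual "reports" is an assumption made for illustration.

```python
import re

# Constructed alias reports: each inner list is what one source treats as a
# single actor. Names are ones this article lists; the grouping into reports
# is assumed for illustration.
ALIAS_REPORTS = [
    ["APT29", "Cozy Bear", "The Dukes"],
    ["CozyDuke", "Cozy Bear", "Office Monkeys"],
    ["Midnight Blizzard", "NOBELIUM", "UNC2452", "Dark Halo"],
    ["YTTRIUM", "Midnight Blizzard"],  # Microsoft's old and new names
    ["APT29", "Midnight Blizzard"],    # the report that bridges both sets
    ["APT40", "Leviathan", "Kryptonite Panda", "MUDCARP"],
    ["Leviathan", "GADOLINIUM", "Gingham Typhoon", "BRONZE MOHAWK"],
    ["Hafnium"],                       # related to APT40, but never merged
    ["APT32", "OceanLotus", "BISMUTH", "Canvas Cyclone"],
]

def normalize(name):
    """Fold case and punctuation so 'Ocean Lotus' and 'OceanLotus' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def build_index(reports):
    """Union-find over alias lists: names that share a report are merged,
    transitively across reports. Returns {normalized name: frozenset(aliases)}."""
    parent = {}
    def find(key):
        parent.setdefault(key, key)
        while parent[key] != key:
            parent[key] = parent[parent[key]]  # path halving
            key = parent[key]
        return key
    for names in reports:
        keys = [normalize(n) for n in names]
        root = find(keys[0])
        for other in keys[1:]:
            parent[find(other)] = root
    members = {}
    for names in reports:
        for n in names:
            members.setdefault(find(normalize(n)), set()).add(n)
    return {key: frozenset(members[find(key)]) for key in parent}

def aliases_of(name, reports=ALIAS_REPORTS):
    """Every name the reports tie to `name`; empty if the name is unknown."""
    return build_index(reports).get(normalize(name), frozenset())

def same_actor(a, b, reports=ALIAS_REPORTS):
    """True when both names resolve to the same non-empty cluster."""
    return bool(aliases_of(a, reports)) and aliases_of(a, reports) == aliases_of(b, reports)
```

Merging is only as good as the bridging reports: a single report that equates two names joins two whole clusters, so such links deserve the same source scrutiny as any other attribution claim.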
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in its supply chain. A supply chain attack can occur in any industry, from the financial sector and the oil industry to government. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.
Cyberwarfare by China is the aggregate of all combative activities in cyberspace which are taken by organs of the People's Republic of China, including affiliated advanced persistent threat (APT) groups, against other countries.
PLA Unit 61398 is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai, and has been cited by US intelligence agencies since 2002.
Regin is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.
The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.
Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to the intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Elfin Team, Refined Kitten, Magnallium, Peach Sandstorm, and Holmium.
Helix Kitten is a hacker group identified by CrowdStrike as Iranian.
Red Apollo is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security.
Charming Kitten, also called APT35, Phosphorus or Mint Sandstorm, Ajax Security, and NewsBeef, is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.
Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.
Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.
OceanLotus, also known as APT32, BISMUTH, or Canvas Cyclone, is a hacker group associated with the government of Vietnam. It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam.
Hafnium is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. Hafnium is closely connected to APT40.
APT40, also known as BRONZE MOHAWK, FEVERDREAM, G0065, GADOLINIUM, Gingham Typhoon, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper, is an advanced persistent threat located in Haikou, Hainan Province, People's Republic of China (PRC), and has been active since at least 2009.
Gamaredon, also known as Primitive Bear, UNC530, ACTINIUM, or Aqua Blizzard, is a Russian advanced persistent threat that has been active since at least 2013.
In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are the best known. In conversations with a dozen information security specialists, all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.