Fantastic APTs and Where to Find Them


Sophisticated computer security breaches in some of the most heavily defended networks around the world have been orchestrated by so-called Advanced Persistent Threat (APT) groups. Many of these APTs operate on behalf of a nation state's intelligence agency or military; others are private sector hacking groups hired for specific operations. An APT group specialises in gaining access, maintaining it, and executing post-exploitation activities while remaining undiscovered. APT campaigns take many forms, including, but not limited to, intelligence gathering operations, intellectual property theft, sabotage and data destruction, and exploitation for financial gain.

Intelligence gathering, cyber-espionage

One such APT that exemplifies this type of behaviour is known as the Naikon APT group. In May 2020, Check Point disclosed new evidence of an ongoing cyber-espionage campaign against several national government entities in the Asia Pacific (APAC) region. Since 2015, no new evidence that the group was still in operation had been made publicly available, suggesting Naikon APT had potentially been disbanded after one of the group's members was exposed. Check Point's report, however, detailed how Naikon had continued to operate and had increased its emphasis on stealth. The targeted government entities include ministries of foreign affairs, science and technology ministries, as well as government-owned companies. Given the characteristics of the victims and the capabilities presented by the group, it is evident that the group's purpose is to gather intelligence and spy on the countries it targets. [1]

Cyber-warfare, targeting ICS and data destruction

The Sandworm Team, the cyber-offensive arm of the Russian GRU, has waged a full-blown cyberwar against Ukraine that has caused blackouts for hundreds of thousands of people. The group is said to exhibit "the most aggressive behavior we see from Russia, and possibly the most aggressive we see, period," according to FireEye's director of intelligence. Sandworm only attacks high-value targets and is responsible for causing the power cuts with its BlackEnergy and Industroyer/CrashOverride malware, as well as causing billions of dollars of damage with the NotPetya ransomware worm. [1, 2]

Some of the greatest threats against industrial control systems (ICS) and supervisory control and data acquisition (SCADA) products include the Stuxnet worm and Triton. Triton is one of a limited number of publicly identified malware families targeting ICS in the energy sector. It followed Stuxnet, which was used against Natanz, Iran in 2010, and Industroyer/CrashOverride, which was deployed by the Sandworm Team against Ukrenergo, Ukraine in 2016. The Triton malware is particularly noteworthy because it modifies safety instrumented system (SIS) engineering workstations; a successful attack could cause physical damage and even bring harm to the plant's human operators. [1, 2, 3]

2012 and 2014 saw two separate incidents involving devastating wiper malware attacks, namely Shamoon and NukeSPED. APT groups detonated these on the corporate systems of Saudi Aramco and Sony Pictures respectively. The former was attributed to an Iranian threat group known as 'Swords of Justice' and the latter to the 'Guardians of Peace', later found to be North Korea's Lazarus group. Both attacks rendered tens of thousands of devices useless because the contents of the Master Boot Record (MBR) were deleted. [1, 2]

Surveillance, counter-intelligence operations

The Regin malware is a name that many security administrators in governmental agencies around the world dread to hear. Regin has been traced back to as early as 2003. It has been used against telecommunications operators, government institutions, multi-national political bodies, financial institutions, research institutions, and individuals involved in advanced mathematical and cryptographic research. It is highly modular, is capable of man-in-the-middle attacks, and has used multiple browser 0day exploits. It surpasses the Turla malware framework as one of the most sophisticated attack platforms ever revealed publicly. More information on the types of operations in which Regin was deployed was revealed in the Snowden leaks. These were covered in Darknet Diaries Ep 48: Operation Socialist. [1, 2]

In October 2019, the NCSC and NSA issued a joint advisory highlighting activity from Turla APT (also known as Waterbug or Venomous Bear). Turla is a Russia-based cyber-espionage APT that targets government, military, technology, energy, and private enterprises for intelligence collection. It has previously targeted embassies across Europe, but it recently shifted focus to the Middle East. Turla had been scanning for backdoor shells utilised by Iranian APT actors, tracked as APT34 (also known as HelixKitten or OilRig). Once discovered, Turla accessed the Iranian implants and exploited them for its own geopolitical aims, namely deploying its Snake toolkit for information gathering. Turla also accessed and used the command and control (C2) infrastructure of Iranian APTs, namely their Poison Frog C2 panels. [1]

Industrial espionage, intellectual property theft

Since 2006, the cyber arm of China's People's Liberation Army (PLA), Unit 61398, has orchestrated cyberattacks against over 1,000 US companies. Unit 61398 (also known as APT1 or CommentCrew) was first discovered by Mandiant researchers, who exposed its industrial espionage campaign siphoning off invaluable intellectual property. The group tends to compromise the "comment" features of websites. Once a site is exploited, CommentCrew moves laterally to other internal applications and systems. [1]

In 2019, CrowdStrike disclosed a Chinese threat group, dubbed TurbinePanda, that executed an industrial espionage campaign against world-leading aviation firms. TurbinePanda successfully stole sensitive commercial technology from various aerospace projects between 2010 and 2015. This information was reportedly used for the production of the C919, a Chinese passenger jet belonging to the Commercial Aircraft Corporation (CAC), a state-owned asset. The C919 was produced much faster and at half the cost of its Western competitors, which led authorities to believe this was due to TurbinePanda’s intellectual property theft campaign. [1, 2]

The DarkHotel APT has been one of the most active threat groups in 2020. It was first disclosed in 2014 by Kaspersky but has been active since 2007. DarkHotel appropriately earned its name by infecting the WiFi networks (WLANs) of hotels typically used by business executives. This was in an effort to compromise their devices, such as smartphones and laptops, that may potentially contain intellectual property and the individual's emails or contact lists. It is known for discovering and exploiting previously unknown vulnerabilities (known as 0days) in Google Chrome, Internet Explorer and the Windows kernel. The NSA's script (also known as Territorial Dispute or TeDi) tracked DarkHotel as signature number 25 (SIG25). [1]

Political subversion, influence campaigns

One of the most well-documented APT groups that specialises in political subterfuge is FancyBear (also known as APT28, Strontium, or Sofacy). FancyBear's campaign against the Democratic National Convention (DNC), in the run-up to the 2016 Presidential Election, made headline news around the world at the time. The group has been operating since at least 2008 and was revealed by the NSA to be the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), military unit 26165. [1, 2]

Google’s Threat Analysis Group (TAG) announced that Chinese and Iranian state-sponsored APTs are targeting 2020 Presidential Election campaign staff in information-gathering operations. APT31 (also known as HurricanePanda or Zirconium) is targeting Joe Biden’s campaign staff, whereas APT35 (also known as CharmingKitten) is going after Trump staffers. Google has warned those working on campaigns in this election cycle that their personal accounts may have been targeted by these malicious actors. [1, 2]

Researchers from Graphika exposed a long-running Russian disinformation operation, dubbed Secondary Infektion, that began in 2014 and was still active in early 2020. The operators predominantly targeted Europe and North America, using forged documents to create fraudulent news items in an attempt to influence public opinion. [1, 2]

Financially motivated APTs

Some APTs do not operate on behalf of any government, but instead work together as part of an organised cybercriminal gang with advanced hacking abilities. FIN7 is an international hacking group which has been around since late 2013. It is believed to have members in Russia, Ukraine and China. The group has infiltrated banks in Russia, and financial organisations in Europe, the US and Japan. According to a report by Kaspersky Lab in December 2015, more than 100 banks and financial institutions have been targeted by the gang, with almost $1 billion being stolen. It has also been linked to the deployment of point-of-sale malware, primarily against the retail and hospitality industries. [1]

Silence APT allegedly consists of two Russian-speaking individuals, believed to be former or current security professionals, whose aim is to target financial institutions. The first Silence attacks were against the Russian Central Bank's Automated Workstation Client. The group also committed a successful jackpotting attack in October 2017, stealing more than $100,000 in one night. This was followed by a further two jackpotting attacks in February and April 2018, which netted the group around $700,000. In May 2019, three banks (Dutch Bangla Bank Limited, NCC Bank, and Prime Bank) were hacked by Silence, with illegal transactions from ATMs both inside and outside the country resulting in $3 million of losses. [1, 2]

The US CISA, US Cyber Command, the Department of the Treasury, and the FBI recently issued a joint advisory concerning a global campaign against financial institutions orchestrated by the North Korean government. The attackers have been dubbed the BeagleBoyz. The group reportedly represents a subdivision of HIDDENCOBRA (a codename for the North Korean government's Reconnaissance General Bureau). These malicious actors have perpetrated attacks on ATMs, bank-operated SWIFT systems, and lucrative cryptocurrency heists since 2015. It is estimated that over $2 billion has been stolen from upwards of 30 countries by the BeagleBoyz since 2015. Most infamously, the BeagleBoyz stole $81 million from the Bank of Bangladesh in 2016. The Federal Reserve Bank of New York stopped the remainder of this attempted $1 billion theft after detecting anomalies in the transfer instructions it had received. [1]


State-sponsored Advanced Persistent Threats from Russia, China, Iran, North Korea, and the US and UK have executed some of the most devastating and costly cyberattacks in history - namely attacks against ICS and ransomware worms - that have made headlines around the world. 

Even after the likes of WannaCry and NotPetya, public and private sector organisations still fail to implement the basic and necessary fixes. Many still run SMBv1, leave RDP exposed to the internet, and use outdated End-of-Life versions of Windows and Microsoft Office. According to CISA research, the most exploited vulnerabilities of 2016 to 2019 include CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. With fundamental issues like these, it is no wonder there are cases where multiple APTs have infiltrated the same network. Some security experts believe the next giant cyberattack could be triggered in the short to medium term.
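A quick way to check a Windows host for the three hygiene failures just listed (SMBv1 still on, RDP enabled and listening, an end-of-life OS version). This is an added example, not from the original post; the end-of-life version table is a constructed lookup that assumes the support dates current when the post was written, and the script is meant to be run in an elevated PowerShell session.

```powershell
# Added example: local audit of basic hygiene failures named in the post.
# Assumes an elevated session on a Windows 8 / Server 2012 or later host.
$findings = @()

# 1. SMBv1: check both the optional feature and the SMB server protocol switch.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smbConfig   = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if (($smb1Feature -and $smb1Feature.State -eq 'Enabled') -or
    ($smbConfig -and $smbConfig.EnableSMB1Protocol)) {
    $findings += 'SMBv1 is enabled (the WannaCry/NotPetya propagation vector). ' +
                 'Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}

# 2. RDP: enabled in the registry and actually listening on TCP/3389.
$tsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled   = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$rdpListening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($rdpEnabled -and $rdpListening) {
    $rdpFinding = 'RDP is enabled and listening on TCP/3389; confirm it is not reachable ' +
                  'from the internet (firewall or VPN in front).'
    # Network Level Authentication is the minimum hardening if RDP must stay on.
    $nla = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($nla -and $nla.UserAuthentication -eq 0) { $rdpFinding += ' NLA is OFF.' }
    $findings += $rdpFinding
}

# 3. End-of-life OS: constructed major.minor lookup of versions that no longer
#    receive security updates (assumption; extend as products leave support).
$eolVersions = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Vista / Server 2008'
    '6.1' = 'Windows 7 / Server 2008 R2'
}
$os         = Get-CimInstance -ClassName Win32_OperatingSystem
$majorMinor = ($os.Version -split '\.')[0..1] -join '.'
if ($eolVersions.ContainsKey($majorMinor)) {
    $findings += "OS '$($os.Caption)' ($($os.Version)) is end-of-life " +
                 "($($eolVersions[$majorMinor])) and no longer receives security patches."
}

if ($findings.Count -eq 0) {
    'No basic hygiene findings.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reports; each finding names the remediation so it can be pasted into a ticket rather than acted on blindly.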

It is well known that the attribution of APT groups is regarded as the most difficult part of analysis. In general, it should be left to law enforcement and national security agencies. One such malware that tested the attribution skills of the cybersecurity industry's experts was Olympic Destroyer. In February 2018, during the opening ceremony of the Winter Olympics in Pyeongchang, a wiper hit the organiser's systems and caused issues for around 12 hours. This incident was notable because it was a very sophisticated false flag operation. Analysis of the malware code by Cisco Talos found that two APT groups were linked to the attack: North Korea's Lazarus group, and the Chinese-linked APT10. However, Olympic Destroyer also exhibited behaviour that had been seen previously in both NotPetya and BadRabbit, leading many to suspect the very same Sandworm Team. Then, in late February, anonymous US intelligence officials told The Washington Post that the Winter Olympics cyberattack had been carried out by Russia and that it had sought to frame North Korea. They went further, stating that the attack was orchestrated specifically by Russia's military intelligence agency, the GRU. [1]

Lastly, in the words of Robert Lee, CEO and co-founder of Dragos, APT attribution is significantly more difficult than people make it out to be. Achieving high-confidence attribution is incredibly difficult. For the NSA, high-confidence attribution includes screenshots or camera feeds of the threat actor executing the attack, along with SIGINT and HUMINT evidence. What counts as high-confidence attribution in the private sector is low to moderate grade attribution for the government. When talking about national critical infrastructure and cyberattacks upon it, care is needed when someone points the blame at one nation state adversary, as that attribution can then potentially be used for diplomatic or even military assessments. Further, it is always worth remembering that nation states can have a variety of intelligence or military agencies. These have their own supply chains and private contractors. They have allies and vendors of their own which they can team up with, at any given point, on operations, just like FVEY nations do. [1]

Documented collections of publicly known APT activity:

APT & Cybercriminals Campaign Collection

ICIT Brief: Know your enemies 2.0

ThaiCERT Threat Actor Encyclopedia

ThaiCERT Threat Actor Encyclopedia 2.0

APT Groups and Operations spreadsheet

APT Index
