Advanced Persistent Threat: Agents of Cyberwarfare

Even the most advanced APT groups use phishing to gain initial access.

APT article map

26 February 2024

Contents 

1. What is an Advanced Persistent Threat (APT)? 

2. What are their aims? 

3. Research and Naming 

4. Notable examples of APTs 

5. Are you affected? 

6. Takeaways 

 

What is an Advanced Persistent Threat (APT)? 

An advanced persistent threat (APT) is a cyberattack in which an intruder establishes a sustained, undetected presence in a network to achieve malicious aims. As their name suggests, APTs can be defined by the following characteristics:

Advanced

APTs are usually well-resourced groups with highly sophisticated TTPs (tactics, techniques and procedures), and they are often, but not always, funded and enabled by nation-state governments or their agencies.

Persistent

The attacker maintains long-term undetected access to achieve specific objectives, differentiated from one-off, quick-hit attacks.

Threat

The threat is significant due to the attacker’s capability and persistence.  

 

What are their aims?  

Because of their state-backed nature, many APT groups pursue specific political aims against high-profile entities, rather than being motivated by personal gain. Often, APTs are the agents of so-called ‘cyberwarfare’ between nation-states.  

 For example, APT operations may include: 

  • Conducting cyber espionage to collect intelligence or steal intellectual property 

  • Attacking political dissidents  

  • Destroying critical national infrastructure 

  • Manipulating elections 

Many of these groups trace their origins back to states such as Russia, China, Iran, and North Korea. However, it would be naive to think that only a handful of authoritarian governments use cyber tactics for nefarious aims. Most countries with the resources are playing the cyber game, although there are those that are particularly aggressive (and good).  

Furthermore, the rules of this game differ from those of traditional diplomacy or war, blurring the boundaries between good and bad, legal and illegal. It is a grey zone in which nation-states employ cyber-mercenaries to operate without accountability under domestic or international law. This has become so normal that APTs will remain key enablers of the espionage, disruption, and sabotage operations of numerous nation-state governments. 

 

Research and Naming 

What is the difference between Lazarus Group, APT38, Diamond Sleet, and Stardust Chollima? Close to none: they are different vendors’ names for the same North Korean state-sponsored hacking activity, which allegedly hacked Sony Pictures in 2014 and was behind the destructive global WannaCry ransomware attack in 2017. 

APTs are stealthy, and thus intangible, by nature. MITRE ATT&CK therefore describes the groups it catalogues as activity clusters: sets of intrusions that analysts attribute to one actor because they share tooling, infrastructure, or tradecraft. Security vendors such as Mandiant, CrowdStrike, and Microsoft, and research organizations such as MITRE, track and name these clusters by following the trail of evidence such activities leave.  

Vendors have their own unique naming schemes for APTs they track: 

  • Mandiant uses a simple numbering scheme, e.g. APT1, APT38.  

  • Microsoft uses weather-themed names, where the weather term indicates the country of origin: Typhoon for China, e.g. Volt Typhoon; Sandstorm for Iran, e.g. Mango Sandstorm; Sleet for North Korea, e.g. Diamond Sleet. 

Beyond the names, each vendor publishes its own threat intelligence on the APTs it tracks. Much of it overlaps, but each has its own insights. For example: 

  • Microsoft tracks various threat actors, not necessarily APTs per se. 

  • MITRE ATT&CK catalogues over 140 groups worldwide, with each group’s known behaviour mapped to the tactics and techniques of the ATT&CK framework. 

  • Mandiant tracks 37 APTs, providing extensive insights based on rigorous research data with dedicated reports.  

Besides private vendors, government agencies also often have their own schemes for identifying APTs. 
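Because one cluster can carry a different name from every vendor, analysts usually normalise incoming names against a single reference before comparing reports. The following is an added example for this article, not code from the original post or from MITRE: it builds an alias index from ATT&CK’s STIX 2.1 export format, in which each group is an "intrusion-set" object carrying an "aliases" list and an "external_references" entry with the ATT&CK ID. The bundle embedded here is a constructed, trimmed imitation of that export (the real file, enterprise-attack.json, is published in MITRE’s attack-stix-data repository and should be used in practice). It also goes one step beyond the text: ATT&CK tracks APT38 (G0082) as a separate cluster from Lazarus Group (G0032), which is why the alias check below refuses to collapse "Stardust Chollima" into Lazarus Group, and why the article says the difference is "(close to) none" rather than "none".

```python
"""Resolve vendor-specific APT names to a canonical ATT&CK activity cluster.

Added example for this article; not code from the original page or from
MITRE. SAMPLE_BUNDLE is a constructed, trimmed imitation of ATT&CK's
STIX 2.1 export. Load the real enterprise-attack.json for production use.
"""
import json
import re
from collections import defaultdict

# Constructed sample in the shape of ATT&CK's enterprise-attack.json
# (group names, aliases and IDs taken from ATT&CK; the list is not complete).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {
            "type": "intrusion-set",
            "name": "Lazarus Group",
            "aliases": ["Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA",
                        "ZINC", "Diamond Sleet"],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "G0032",
                 "url": "https://attack.mitre.org/groups/G0032"}
            ],
        },
        {
            "type": "intrusion-set",
            "name": "APT38",
            "aliases": ["APT38", "Stardust Chollima", "BeagleBoyz",
                        "Bluenoroff", "Sapphire Sleet"],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "G0082"}
            ],
        },
        {
            "type": "intrusion-set",
            "name": "APT28",
            "aliases": ["APT28", "Fancy Bear", "Tsar Team", "Sofacy",
                        "Forest Blizzard"],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "G0007"}
            ],
        },
        # Non-group objects also live in the bundle and must be skipped.
        {"type": "x-mitre-tactic", "name": "Initial Access"},
    ],
})


def normalize(name: str) -> str:
    """Canonical key: casefold and keep only letters and digits, so that
    'Diamond Sleet', 'diamond-sleet' and 'DIAMOND SLEET' collide."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def attack_id(obj: dict):
    """Pull the G-number out of the object's external references, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_alias_index(bundle_json: str) -> dict:
    """Map every normalized name/alias to the list of (canonical name, ATT&CK ID)
    clusters that claim it. Revoked or deprecated groups are ignored."""
    bundle = json.loads(bundle_json)
    index = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("type") != "intrusion-set":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        entry = (obj["name"], attack_id(obj))
        for alias in {obj["name"], *obj.get("aliases", [])}:
            key = normalize(alias)
            if entry not in index[key]:
                index[key].append(entry)
    return dict(index)


def resolve(index: dict, name: str) -> list:
    """Return every cluster the alias maps to. Empty means unknown; more than
    one means the alias is ambiguous and must not be silently collapsed."""
    return index.get(normalize(name), [])


def same_cluster(index: dict, a: str, b: str) -> bool:
    """True only if both names resolve unambiguously to one and the same group."""
    ra, rb = resolve(index, a), resolve(index, b)
    return len(ra) == 1 and ra == rb


if __name__ == "__main__":
    idx = build_alias_index(SAMPLE_BUNDLE)
    for n in ["Diamond Sleet", "Stardust Chollima", "tsar-team", "Mango Sandstorm"]:
        print(f"{n!r:22} -> {resolve(idx, n)}")
    print(same_cluster(idx, "Lazarus Group", "Diamond Sleet"))      # True
    print(same_cluster(idx, "Lazarus Group", "Stardust Chollima"))  # False: ATT&CK splits APT38 out
```

The normalisation step matters more than it looks: vendor names arrive from PDFs, tweets and ticket titles with inconsistent casing, hyphens and spacing, and a naive string comparison silently splits one cluster into several. Returning a list rather than a single hit keeps genuinely ambiguous names visible instead of picking one group arbitrarily.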

 

Notable examples of APTs 

APT1 / PLA Unit 61398 

APT1 is the name Mandiant gave to a group it identified as a unit of China’s People’s Liberation Army (Unit 61398) and alleged to be the source of multiple high-profile cyber espionage campaigns since at least 2006. It has targeted US critical infrastructure, defense companies, the United Nations, and government agencies of several countries. Read Mandiant’s famous 2013 exposé of APT1, which catalyzed the research into, and subsequent disclosure of, many other APT groups. 

 

Stuxnet / Operation Olympic Games 

Stuxnet is the name of a worm, widely reported to have been developed by United States and Israeli intelligence, that was used to sabotage Iran’s uranium enrichment program; it was first uncovered in 2010. The worm lay dormant in the plant’s control network for around 13 days before manipulating the speed of the centrifuge rotors, damaging centrifuges at the Natanz facility and, by most accounts, setting Iran’s nuclear program back by years. Vendor reports (many of them American) do not list the operation as an APT, but by the definition above, the campaign that deployed Stuxnet would qualify as one. 

 

APT28 / Fancy Bear / Tsar Team 

Fancy Bear, also known as APT28, is widely believed to be associated with the Russian government, specifically the military intelligence agency GRU (Main Intelligence Directorate). Operational since the mid-2000s, it has focused on government, military, and security entities, particularly in the Caucasus and in NATO member and partner states. It has been implicated in intrusions against the German and Norwegian parliaments, the White House, NATO, Emmanuel Macron’s presidential campaign, and more. 

 

Are you affected? 

The average person will be fine living their daily life not knowing about APTs. However, there are still reasons to care.  

APTs usually target government agencies, militaries, the defense sector, critical national infrastructure, manufacturing, health care, and even individuals. Their targets are not only foreign but also domestic, most obviously in authoritarian states but in democracies too. And it is not just large agencies and high-profile individuals that are affected. 

A 2019 survey by AppRiver found that 93 percent of small- and medium-sized business executives believe that foreign adversaries attempting to conduct cyber operations would use their businesses as entry points, especially if they are part of critical supply chains or serve larger entities. 

The higher-education sector is also one of the most vulnerable sectors to cyberattacks for several reasons: 

  • They are hubs of research and innovation, making them susceptible to espionage and exfiltration of intellectual property 

  • Thousands of students and staff accounts can provide a vast attack surface 

  • Their cyber defenses tend to be weaker than those in other industries. 

Thus, higher-ed has increasingly faced attacks from various threat actors, including APTs, hacktivist groups, and more. 

 

Takeaways  

APTs are an interesting place to start learning about the cyber threat actors that are out there. They may not seem like the most immediate threat to our daily lives, but it is important to stay vigilant against everyday cyber threats (above all phishing) and to practice good cyber hygiene. Even the most advanced APT groups use phishing to gain initial access!  

Feedback on the blog, and phishing reports, to phishing@lse.ac.uk