The APT Series Part 3: The Future of Advanced Persistent Threat Groups
The rise in sovereign data laws shows how weaponised data has become. Data continues to grow day by day, driven by 5G, the Internet of Things (IoT), Industry 4.0, Smart Cities and network evolutions. This growth is placing a large emphasis on Edge technologies, cloud storage solutions and big data in the form of data lakes, all in an effort to handle the enormous amounts of data being generated every second while limiting the on-premises resources required by organisations across the globe. The World Economic Forum estimates that by 2025, as much as 463 exabytes of data will be created globally, every day.
Our data can contain anything from Personally Identifiable Information (PII) such as names, addresses and social security numbers, to geographical locations in real time, your browsing history or your political interests. This data is invaluable to many people and organisations, from advertisers and marketers who tailor product advertisements to specific genders or age groups, to political parties looking to influence the results of a general election. Consider the recent release of The Great Hack on Netflix and the impact of Cambridge Analytica in directly influencing the perspectives of millions of people.
Now consider this from an adversary’s perspective, particularly that of Advanced Persistent Threat (APT) groups, who have their own interests in this data, be it for financial gain, to drive political unrest in a country in order to exploit an uprising, or even to garner support for a political representative in whom they have a particular interest. In addition to this, the traditional interests of espionage, sabotage and theft are echoed throughout all APTs as motivating factors.
It is easy to understand why data is often referred to as the new oil and why there is a high importance being placed on defence capabilities and reducing the current skills gap that has been identified globally. Furthermore, there is legislation in place to protect sovereign and commercial interests, as well as organisations and agencies who are actively investing in growing their data and protecting it at all levels.
But how does this impact APT groups moving forward? Where are APT groups heading and will their targets change? Will they merge or become more collaborative in order to overcome new challenges they are likely to face?
Three considerations that could influence the future of APTs include capability, capacity and cost.
Capabilities are increasing significantly in modern times, with more effective and efficient computing technology, hardware and software being brought out almost daily. This improvement in technology enables APTs to improve their existing capabilities as well as seek to exploit new ones. For example, the myriad IoT devices and sensors that will become connected in the near future due to Industry 4.0 and the integration of Smart Cities will likely provide endless opportunities for APT groups. These could in turn be exploited for bulk computing for Artificial Intelligence (AI) obfuscation volume attacks.
Although unintentional, devices are inevitably created with flaws or vulnerabilities such as weak passwords which cannot be changed, whilst the mass of devices being produced currently will likely significantly increase the threat landscape. APT groups will almost certainly seek to exploit this.
Additionally, high performance computing is attracting significant investment across the globe. The world’s fastest computer, Summit, located in Oak Ridge County, Tennessee, boasts 2,397,824 processor cores, provided by 22-core IBM Power9 processors clocked at 3.07GHz and Nvidia Volta Tensor Core GPUs, 10 petabytes (PB) of memory (10 million GB) and 250PB of storage.
Whilst the USA currently boasts the fastest supercomputer in the world, this is only a recent accolade, gained after knocking China off a five-year dominance of the top spot. However, this has spurred China to invest in a multi-billion dollar programme aimed at upgrading its existing capabilities over the next three years to regain the title.
Furthermore, Iran recently stated in a tweet that it too is investing in the creation of a globally competitive supercomputer, which could likely be utilised by APT33, ensuring that they are able to keep up with the evolutions of computing and technology.
But as these computers become exponentially faster, they will begin to have a significant impact on current encryption standards, making them less effective as the time required to brute force even the most complex encryption is reduced to hours, minutes or even seconds as opposed to centuries. This in turn will require new standards of encryption to be introduced.
With supercomputers such as this currently in use, and knowing that one of the fastest supercomputers is housed within the home country of a known high profile APT group, one can be sure that the cyber arms race will continue.
As has been mentioned across multiple outlets around the world in the past year, there is a global cyber skills shortage giving rise to estimations of a shortage between 1.8 and 3.5 million positions by 2022. This is sure to be a worry to anybody working within the cyber security industry currently, as it raises concerns of increased workloads and the potential burnout facing professionals within the industry today.
However, whilst the blue team is facing this kind of shortfall, is it acceptable to assume that APT groups are also facing the cyber skills gap with their eyes wide open? As previously mentioned, significant numbers of new devices are being introduced through the IoT and Industry 4.0, potentially giving rise to a significant number of vulnerabilities. But how will APT groups be able to continue to target these if they haven’t got enough people employed to conduct their operations?
Whilst a lot of the procedures can and will be automated moving forward, offensive capabilities still require enough people with a comprehensive knowledge of the systems they are attacking. APT groups are not comprised of the ‘script kiddies’ that we have become familiar with through the likes of Mr. Robot; they contain highly skilled and very capable individuals, or indeed teams, who work with precision towards an end goal.
Whilst the capability offered continues to increase and the attack landscape broadens, is it possible that there will be a saturation point for APT groups? A point at which they do not have the resources and manpower to expand their campaigns further across multiple industries and instead begin to focus more concisely on what they know?
In order to address the manpower issue, there could be an increase in APT group integration and collaboration, such as threat intelligence sharing communities whereby they discuss and even share resources, tools and techniques in order to achieve a higher aim or a larger financial prize. Whilst it is likely that there is an element of this already happening within the shadowy corners of the dark web, it may be that it becomes more commonplace in future, with APT groups merging and the line between one group and the next becoming much less apparent for the defender.
If we can be sure of anything, it is that APT groups will likely continue to exploit one another’s infrastructure and mimic each other’s Tactics, Techniques and Procedures (TTPs), such as the Russian-backed group Turla, who compromised and exploited the Iranian-backed OilRig group’s infrastructure. This gives a clear indication of the congested nature of cyberspace as it currently exists and perhaps raises concerns about the overall capacity of cyberspace, not just the groups that are exploiting it.
Governments and key industry leaders generating significant amounts of sensitive data will continue to invest in their defensive security capabilities, especially in the consideration of securing Critical National Infrastructure. As these capabilities continue to advance around the world, the challenges in the complexity of the targets for APT groups are likely to increase, which could give rise to several possible scenarios. Two possible scenarios are:
- Scenario one – a shift in focus for APT group targets
- Scenario two – a shift in APT group alignment or who they work with
Scenario one would see APT groups changing their focus from the industry leaders and government targets to more of the low hanging fruit – the organisations that are still industry leaders within their relevant sectors, but that have not invested heavily in their security and will therefore become more targetable and vulnerable.
Scenario two would see APT groups align with other APT groups, or even criminal groups, who have similar interests. They would begin to work more collaboratively, sharing resources such as personnel and capabilities in order to support criminal activities, therefore allowing them to conduct larger and more successful attacks. In return, a proportion of the finances generated would go directly into the APT groups in order to support their ultimate goal.
Given these scenarios, the latter is more likely. APT groups will continue to need personnel and money in order to support their activities and, by working more closely or even in direct collaboration with other APT or criminal groups, it is likely that they would be able to increase their capabilities and their return on investment, therefore making them more efficient and ensuring they continue to plague blue teams in the future.
Whilst these are just a glimpse at two possible scenarios APT groups may be considering, the reality of the challenges that face them is much broader. As APT groups commonly seek to exploit political unrest for their own agenda, economic sanctions will also have a significant impact on their targets and methodologies, with potential trade sanctions on countries removing possible targets from the playing field.
Whilst there are many more scenarios to be considered regarding the future of APT groups, the above suggests that it is almost certain they will continue to achieve their intent. How they maintain their persistence will undoubtedly change over the coming years as new security solutions are integrated and we begin to gain an ever more comprehensive understanding of the TTPs of APT groups.
APT groups are already in our networks, our governments and our organisations and they will continue to ensure that they can maintain a presence within these networks moving forward in order to achieve their own aims, be they motivated politically, financially or for intelligence gathering.
And for as long as nation states continue to push their own agendas to achieve their economic or political aims, as well as drive technology forward to enhance their businesses or their own capabilities, APT groups will also do the same.
As cyber security professionals we also need to understand that nation-backed APT groups follow national doctrine, as well as National Security Strategies. By understanding these, alongside the geopolitical situations and the incorporation of cyber threat intelligence into our wider cyber capability, we can begin to get a clearer picture of what the next move will be.
Finally, from a defensive perspective, as cyberspace becomes more congested and the delineation between one APT group and the next becomes ever more blurred, we must continue to understand APT groups, continue to invest in security solutions and continue to increase our understanding of not only the imminent threat landscape, but what the threat landscape will look like in the next 18–24 months.