11th March, 2020
APT groups are an enduring threat to every nation state in the world. Their patterns of life and attack behaviour are constantly evolving and closely follow the interests of their state backers.
In this series we will explore what an APT is, what an APT group is and the difference between the two, before focusing on a specific APT group and its TTPs (tactics, techniques and procedures).
WHY DO APT GROUPS EXIST?
APT groups exist because nation states and criminal groups pursue a doctrine of stronger economic or political influence under the broad banner of global cyber warfare. To the defending organisations and agencies, that doctrine generally manifests in one of three ways: espionage, sabotage or theft. Because the targets are largely privatised critical national infrastructure and services (e.g. power and utilities, communications, smart cities, finance, transport, cloud), the conflict plays out with commercial entities as both targets and collateral damage.
SO WHAT IS AN APT?
Advanced – Operators have a broad spectrum of techniques and technologies at their disposal. The individual component attacks of an APT may not in themselves be advanced (for example, malware assembled from a do-it-yourself kit, or bought exploits); it is the combination of the following factors that makes the threat advanced:
- The combining of attack vectors and methodologies to attack and compromise targets
- The ability to rewrite code or develop tools from scratch where pre-made tools lack the required capability
- A level of operational security that distinguishes the APT from 'less advanced' threats
Persistent – Threat actors favour a 'low and slow' approach; if the connection to the target is lost, the operator will attempt to reconnect. This is not the opportunistic 'hit and run' tactic used by less persistent groups and methods.
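That call-back behaviour is also what gives defenders something to look for: an implant that checks in on a fixed schedule, and reconnects after an outage, leaves evenly spaced connections in proxy or firewall logs. The script below is an added example (not code from the original article) that scores each source/destination pair by how many of its inter-connection gaps sit within a tolerance of the median gap. The log format, IP addresses and timestamps are constructed for the example; it deliberately uses the median rather than a mean or coefficient of variation so that one long gap (the operator losing the connection and later reconnecting) does not hide an otherwise regular beacon.

```python
"""Detect low-and-slow beaconing in connection logs (added example).

Scores each (src, dst, port) pair by the share of inter-connection gaps that
fall within +/- tolerance of that pair's median gap. A single outage produces
one outlier gap, which shifts the median very little, so a beacon that was
lost and re-established is still flagged.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic). Format: "<ISO timestamp> <src> <dst> <dst_port>".
# 10.0.0.5 -> 203.0.113.10 beacons roughly every 300 s, with one missed pair of
# check-ins (a 900 s gap) before it reconnects. 10.0.0.7 is ordinary browsing.
# 10.0.0.9 is perfectly regular but has too few connections to judge.
SAMPLE_LOG = """\
2020-03-11T09:00:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:05:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:10:02 10.0.0.5 203.0.113.10 443
2020-03-11T09:15:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:20:01 10.0.0.5 203.0.113.10 443
2020-03-11T09:35:01 10.0.0.5 203.0.113.10 443
2020-03-11T09:40:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:45:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:50:03 10.0.0.5 203.0.113.10 443
2020-03-11T09:55:00 10.0.0.5 203.0.113.10 443
2020-03-11T09:00:10 10.0.0.7 198.51.100.20 443
2020-03-11T09:00:12 10.0.0.7 198.51.100.20 443
2020-03-11T09:03:40 10.0.0.7 198.51.100.20 443
2020-03-11T09:20:00 10.0.0.7 198.51.100.20 443
2020-03-11T09:21:15 10.0.0.7 198.51.100.20 443
2020-03-11T09:50:00 10.0.0.7 198.51.100.20 443
2020-03-11T09:50:02 10.0.0.7 198.51.100.20 443
2020-03-11T09:10:00 10.0.0.9 192.0.2.8 80
2020-03-11T09:15:00 10.0.0.9 192.0.2.8 80
2020-03-11T09:20:00 10.0.0.9 192.0.2.8 80
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def intervals_by_pair(log_text):
    """Map (src, dst, port) -> list of seconds between successive connections."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        times[(src, dst, port)].append(ts)
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()  # logs are not guaranteed to be in time order
        gaps[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def beacon_score(gaps, tolerance=0.2):
    """Return (median_gap, fraction_regular).

    fraction_regular is the share of gaps within +/- tolerance of the median.
    """
    if not gaps:
        return 0.0, 0.0
    med = median(gaps)
    lo, hi = med * (1 - tolerance), med * (1 + tolerance)
    regular = sum(1 for g in gaps if lo <= g <= hi)
    return med, regular / len(gaps)


def find_beacons(log_text, min_connections=6, tolerance=0.2, min_regular=0.75):
    """Return [(pair, median_gap, fraction_regular)] for pairs that look like beacons."""
    flagged = []
    for key, gaps in intervals_by_pair(log_text).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few connections to call the timing regular
        med, frac = beacon_score(gaps, tolerance)
        if frac >= min_regular:
            flagged.append((key, med, frac))
    return flagged


if __name__ == "__main__":
    for (src, dst, port), med, frac in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate {src} -> {dst}:{port}: "
              f"median gap {med:.0f}s, {frac:.0%} of gaps regular")
```

On the constructed sample only 10.0.0.5 -> 203.0.113.10 is reported: eight of its nine gaps sit within 20% of the 300 s median despite the outage, the browsing traffic has no dominant interval, and the 10.0.0.9 pair is dropped by the minimum-connection threshold. The tolerance and thresholds are assumptions for the example; real implants add jitter, so tune them against your own baseline before alerting.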
Threat – APTs represent a real threat in their capability, potential impact and intent. The fact that APT attacks are orchestrated and executed by skilled, motivated, well-funded and organised humans rather than by mindless automation is what makes them the ultimate threat.
So, in summary, an Advanced Persistent Threat (APT) is a prolonged and targeted cyberattack. The key to this form of attack is to remain undetected for an extended period, using elements of the cyber kill chain (see fig. 1) to enumerate the network, isolate targets of interest and weaponise the gathered information, and following the APT lifecycle (see fig. 2) to build an attack structure with customised elements based on the target and the end goal.
APT groups use this method of attack and are for the most part state sponsored. Each group is assigned a designation number and, in some cases, a defining name, to differentiate groups by their geographic association and TTPs. State sponsors tend to provide intelligence and funding for attacks on infrastructure, energy, social media, electoral and other political targets, either to destabilise enemies or as another way of supporting allies. In some cases, however, APTs are sponsored by criminal organisations to gather information and carry out criminal acts for financial gain (even the bad guys need to keep the lights on!). Whatever the motivation or the attacker, they will have a significant impact on an organisation, so the cyber strategy needs to protect against APTs.