Advanced Persistent Threat (APT) Groups: What Are They and Where Are They Found?


What are Advanced Persistent Threats?

An Advanced Persistent Threat (APT) is a malicious actor with extraordinary skills and resources, enabling it to infiltrate an organization’s network and exfiltrate its data. APTs use a variety of tactics, techniques, and tools, such as highly targeted social engineering attacks, ransomware, vulnerability exploits, and zero-day attacks, to achieve their illicit goals.

While some threat actors work alone, several government authorities, such as the Cybersecurity and Infrastructure Security Agency (CISA), have linked attacks to APT groups, some with ties to specific nation states that use them to further their country’s interests.

How do advanced persistent threat groups work?

APT groups, including those sponsored by a nation-state, often aim to gain undetected access to a network and then remain silent, establishing a backdoor and/or stealing data rather than causing visible harm. Once inside the target network, APTs deploy malware to carry out their directives, which may include data acquisition and exfiltration.

Where are the APTs located?

Here is a collection of Flashpoint coverage of known APT groups and other state-sponsored hacking groups, sorted by suspected country of origin:

Russia: Fancy Bear, GRU, FSB, Conti, etc.

Conti Ransomware: The Story of One of the World’s Most Aggressive RaaS Groups

Led by Russia-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective has quickly become one of the most active groups in the ransomware space.

Killnet: Russian DDoS groups claim attack on US Congress website

The Russian DDoS hacktivist group “Killnet” has claimed responsibility for an attack on the US Congress website. At the start of Russia’s invasion of Ukraine, Killnet declared its allegiance to the Russian government and has since continued to threaten Western countries that support the Ukrainian military.

Killnet, Kaliningrad and the transport stalemate between Lithuania and Russia

Russian cyber collective Killnet claimed responsibility for the DDoS attacks against the Lithuanian government and private institutions. Killnet declared its allegiance to the Russian government in the Russo-Ukrainian War.

Russia is cracking down on cybercrime. Here are the law enforcement agencies leading the way

Flashpoint discovered that the domains of several illicit Russian-speaking communities had been seized by Department K, a division of the Ministry of Interior of the Russian Federation. Threat actors have long speculated that various cybercriminal communities and groups have already been supported by Russian law enforcement.

How Russia is isolating its own cybercriminals

Russian cybercriminals have long dominated the threat landscape, aided by a Russian government that generally turns a blind eye to their dealings as long as their attacks target organizations outside the country.

Russian APT and ransomware groups: vulnerabilities and threat actors exploiting them

Long before the Russian-Ukrainian war, Ukrainian officials believed they had already suffered multiple cyberattacks carried out by Russian APT groups. Although Russia has not officially claimed responsibility, Britain’s cybersecurity agency, the NCSC, has linked the attacks to Russian military intelligence from the GRU.

Threat Assessment for the Pyeongchang 2018 Winter Olympics

Olympic events have long attracted cyberattacks, and Pyeongchang 2018 is no exception. A few weeks before the event, the Russian APT group “Fancy Bear” leaked emails and documents from Olympics-related agencies regarding anti-doping violations in an attempt to inflict reputational damage on participating countries.

China: CISA Notice and Links to the Chinese People’s Liberation Army

On October 6, 2022, CISA released a joint advisory detailing the top twenty vulnerabilities used by known Chinese APT groups and state-sponsored threat actors. Although primarily attributed to China, Flashpoint observed that they are very likely to be used by threat actors from other regions.

Hackers Still Exploiting Log4Shell Vulnerability, CISA Warns

CISA and the United States Coast Guard Cyber Command have warned that nation-state hackers are still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.

China exploits network providers and devices, says US Cybersecurity Advisory

CISA has released an advisory detailing common vulnerabilities (CVEs) and exploits used by Chinese state-sponsored cyber actors. Many of the CVEs affect network devices.

China’s “great cyberpower” and its influence in the APAC region: analysis and timeline for 2021

In 2021, the Chinese government asserted its authority over its domestic tech companies, aiming to become a major cyber power. Unsealed indictments describe the activity of Chinese nation-state actors, linking them to China’s civilian tech sector and to front companies used to operate in the open.

Chinese Hackers to Showcase Zero-Day Exploits at Tianfu Cup

The Chinese government has banned its country’s security researchers from participating in international hacking competitions, saying its citizens’ zero-day exploits can “no longer be used strategically.”

Iran: MuddyWater and state-sponsored ransomware

Who is behind Iranian cyber threat actor group MuddyWater?

On January 12, 2022, US Cyber Command attributed the Iranian cyber threat group “MuddyWater” to Iran’s Ministry of Intelligence and Security (MOIS), one of Iran’s top intelligence organizations.

Second Iranian state-sponsored ransomware operation ‘Project Signal’ emerges

Flashpoint validated leaked documents indicating that Iran’s Islamic Revolutionary Guard Corps (IRGC) was carrying out a state-sponsored ransomware campaign through an Iranian contractor company.

Suspected Iranian actors push domestic extremists to target US politicians and election security officials

Evidence may show that a disturbing online campaign under the slogan “enemies of the people” was in fact an elaborate disinformation effort carried out by hostile Iranian cyber actors.

North Korea: Specialized Training and Peacekeepers

Targeted attacks against South Korean entities may have taken place as early as November 2017

South Korea’s Computer Emergency Response Team has issued an advisory regarding an Adobe Flash vulnerability; at least one South Korean security researcher said he observed North Korean threat actors using it to target South Korean entities.

Korean-Language Underground Threat Actor Groups

North Korea’s cyber capabilities have been closely overseen by the North Korean government, with Kim Jong Il establishing a system of educational institutions to provide specialized training in STEM disciplines.

A breakdown and analysis of the December 2014 Sony hack

On November 25, a group calling itself GOP, or The Guardians Of Peace, hacked into Sony Pictures, leaving Sony’s network crippled for days. Within days, North Korean threat actors were linked to the prolific data breach.

Track malicious actor activity with Flashpoint

There are many other APT groups around the world, but understanding their general tactics helps security teams protect their networks. Attackers reuse proven methods, chaining several techniques that can be replicated against most organizations. The Flashpoint Intelligence platform contains detailed Finished Intelligence reports on many other known APT groups, as well as threat actor chatter. Sign up for a free trial today.
