APT Groups: Facts or Fiction?

26.08.2019

Advanced Persistent Threat (APT) groups have been prominent in discussions of cyber security. What are they? Should we be worried about them? How can we protect our systems? In this article we seek answers to these questions.

What does APT Mean?

Advanced Persistent Threat, or APT, refers to stealthy attacks on a computer network that can go undetected for extended periods, causing data breaches and even bigger problems. In such an attack, a person or group penetrates a network and, often, views or alters sensitive data that they are not authorized to access. APT is usually discussed alongside state sponsorship, yet recently various non-state-sponsored groups have succeeded in conducting large-scale attacks.

How Does APT Operate?

In order to achieve its goal, an APT has to be stealthy and remain undetected over a very long period. The operation must be conducted covertly until access is obtained, and even after that the intruders need to remain ‘invisible’ to administrators and security controls. Needless to say, operating as an APT group requires a great deal of skill and expertise, as the word ‘advanced’ in the name suggests. Most of the time, APT groups use well-written, carefully developed malware to exploit vulnerabilities in a system. Once the intruders are in, they monitor the system and exfiltrate data from it persistently.

Who Can Be in an APT Group?

An APT can be a business move or have a political incentive, yet the term APT group mostly refers to a government-backed organization with the ability and the aim to target specific entities. It is commonly considered a discipline of cyber espionage, but various techniques can be employed to penetrate the target and obtain data from it, such as deception, supply chain compromise and infected media files.

Do APTs Really Exist?

Since it sounds like something a conspiracy theorist would fervidly argue, there is a heated debate over whether APT groups are actual threats. The definition above might place a wide range of organizations and groups under the umbrella of APT group, which may be why the threat seems rather trivial to some. In their 2012 work, Bodmer, Kilger, Carpenter and Jones set out criteria for an organization to be considered an APT. According to their widely accepted criteria, an APT must have the following:

- Objective
- Resources
- Risk tolerance
- Skills and methods
- Attack origination points
- Knowledge source

What are the Current APT Groups?

Up until 2017, Russia and China were the top countries mentioned alongside state-sponsored cyber espionage. In fact, they were the only ones known to have resources dedicated to cyber espionage. Yet in 2017, FireEye announced a new APT group from Vietnam (APT32). From then on, new actors from various countries, including North Korea and Iran, have emerged on the scene. As of today, there are 10 active APT groups. PLA Unit 61398 (APT1), PLA Unit 61486 (APT2), Red Apollo (APT10), PLA Unit 78020 (APT30) and Periscope Group (APT40) are actors from China. Fancy Bear (APT28) and Cozy Bear (APT29) are Russian APT groups, whereas Iran has Elfin Team (APT33), and North Korea has Reaper Group (APT37) and Lazarus Group (APT38). These APT groups are known to target not only governments but various other organizations as well.

They work tirelessly to steal intellectual property, engage in economic espionage concerning multinational business operations or investments, and tap into the communications of foreign executives and government workers who travel to the country. Moreover, members of such groups are known to infiltrate major corporations of non-allied nations as corporate employees in order to create chaos or cause damage. To conclude, APT groups pose a real and serious menace to both public and private organizations in numerous countries. That is why it is essential for all organizations and states to take the necessary precautions to protect themselves from damaging cyber attacks.