Advanced Persistent Threat (APT) Groups: What They Are and Where They Are Found
A collection of Flashpoint’s coverage of Advanced Persistent Threat groups and nation-state hackers.
What are Advanced Persistent Threats?
An Advanced Persistent Threat (APT) is a malicious actor with extraordinary skill and resources, enough to infiltrate an organization’s network and exfiltrate data from it. APTs use a variety of tactics, techniques, and tools, such as highly targeted social engineering attacks, ransomware, vulnerability exploits, and zero-days, to accomplish their illicit objectives.
While some threat actors work alone, multiple government authorities, such as the Cybersecurity and Infrastructure Security Agency (CISA), have linked attacks to APT groups, some of which have ties to specific nation-states that use them to further their country’s interests.
How do Advanced Persistent Threat groups operate?
APT groups, including those sponsored by a nation-state, often aim to gain undetected access to a network and then remain silently persistent, establish a backdoor, and/or steal data, as opposed to causing damage. Once inside the target network, APTs deploy malware to carry out their directives, which may include acquiring and exfiltrating data.
Where are APTs located?
Here is a collection of Flashpoint’s coverage of known APT groups and other state-sponsored hacking groups, sorted by country of suspected origin:
Russia: Fancy Bear, GRU, FSB, Conti, and more
Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups
Led by Russia-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective quickly became one of the most active groups in the ransomware space.
Killnet: Russian DDoS Group Claims Attack on US Congress Website
The Russian hacktivist DDoS group “Killnet” claimed responsibility for an attack on the US Congress website. At the start of Russia’s invasion of Ukraine, Killnet declared its allegiance to the Russian government, and it has since continued to threaten Western countries that support the Ukrainian military.
Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia
The Russian cyber collective Killnet took responsibility for DDoS attacks on the Lithuanian government and private institutions. Killnet has declared its allegiance to the Russian government in the Russia-Ukraine war.
Russia Is Cracking Down on Cybercrime. Here Are the Law Enforcement Bodies Leading the Way
Flashpoint found that the domains of multiple Russian-language illicit communities were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by Russian law enforcement.
How Russia Is Isolating Its Own Cybercriminals
Russian cybercriminals have long dominated the threat landscape, aided by a Russian government that usually turns a blind eye to their dealings as long as their attacks target organizations outside of the country.
Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Who Exploit Them
Long before the Russia-Ukraine war, Ukrainian officials believed that they had already experienced multiple cyberattacks led by Russian APT groups. Although Russia has not officially claimed responsibility, Britain’s cybersecurity agency, the NCSC, linked those attacks to Russia’s GRU military intelligence.
Assessing Threats to the Pyeongchang 2018 Winter Olympics
Olympic events have a long history of attracting cyber attacks, and Pyeongchang 2018 is no exception. In the weeks leading up to the event, the Russian APT group “Fancy Bear” leaked emails and documents from Olympic-related agencies regarding anti-doping violations in an attempt to inflict reputational damage on participating countries.
China: CISA advisories and ties to the Chinese People’s Liberation Army
Analysis of CISA’s Advisory on Top CVEs Exploited By Chinese State-Sponsored Groups
On October 6, 2022, CISA released a joint advisory detailing the top twenty vulnerabilities being used by known Chinese APT groups and state-sponsored threat actors. Although the activity is mostly attributed to China, Flashpoint observed that these vulnerabilities are highly likely to be exploited by threat actors from other regions as well.
Hackers Are Still Exploiting Log4Shell Vulnerability, Warns CISA
CISA and the United States Coast Guard Cyber Command warned that nation-state hackers were still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.
China is Exploiting Network Providers and Devices, Says US Cybersecurity Advisory
CISA released an advisory detailing the CVEs and exploits commonly used by Chinese state-sponsored cyber actors. Many of the CVEs affect network devices.
‘Great Cyber Power’ China and Its Influence Across APAC: 2021 Analysis and Timeline
In 2021, the Chinese government reined in its domestic technology companies, aiming to become a great cyber power. Unsealed indictments describe Chinese nation-state actor activity, linking it to China’s civilian technology sector and to front companies used to operate in the open.
China’s Hackers to Showcase Zero-Day Exploits at Tianfu Cup
The Chinese government forbade its country’s security researchers from competing in international hacking competitions, stating that the zero-day exploits of its citizens could “no longer be used strategically.”
Iran: MuddyWater and state-sponsored ransomware
Who’s Behind Iranian Cyber Threat Actor Group MuddyWater?
On January 12, 2022, US Cyber Command attributed the Iranian “MuddyWater” cyber threat group to Iran’s Ministry of Intelligence and Security (MOIS)—one of Iran’s premier intelligence organizations.
A Second Iranian State-Sponsored Ransomware Operation “Project Signal” Emerges
Flashpoint validated leaked documents indicating that Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company.
Suspected Iranian Actors Pushing Domestic Extremists to Target US Politicians and Electoral Security Officials
Evidence suggests that a disturbing online campaign under the slogan “Enemies of the People” was actually an elaborate disinformation effort carried out by hostile Iranian cyber actors.
North Korea: Specialized training and the Guardians Of Peace
Targeted Attacks Against South Korean Entities May Have Begun as Early as November 2017
South Korea’s Computer Emergency Response Team released a notice regarding an Adobe Flash vulnerability; at least one South Korean security researcher has stated that they observed North Korean threat actors exploiting it to target South Korean entities.
Threat Actor Groups of the Korean-language Underground
North Korea’s cyber capabilities have been closely overseen by the North Korean government, with Kim Jong Il establishing a system of educational institutions to provide specialized training in the STEM disciplines.
A Breakdown and Analysis of the December, 2014 Sony Hack
On November 25, a group calling itself GOP, or The Guardians Of Peace, hacked its way into Sony Pictures, leaving the Sony network crippled for days. North Korean threat actors were later linked to the prolific data breach.
Track threat actor activity with Flashpoint
There are many more APT groups located throughout the world, but understanding their general tactics helps security teams protect their networks. Attackers use tried-and-true methods, chaining together multiple techniques that can be replicated against most organizations. The Flashpoint Intelligence Platform contains detailed Finished Intelligence reports on many more known APT groups, as well as threat actor chatter. Sign up for a free trial today.