What are Advanced Persistent Threats?
An Advanced Persistent Threat (APT) is a malicious actor who possesses extraordinary skill and resources—enabling them to infiltrate and exfiltrate an organizations’ network. APTs use a variety of techniques, tactics, and tools—such as highly-targeted social engineering attacks, ransomware, vulnerability exploits, and zero-days to accomplish their illicit objectives.
While some threat actors work alone, multiple government authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) have linked attacks to APT groups—with some having ties to specific nation-states who use them to further their country’s interests.
How do Advanced Persistent Threat groups operate?
APT groups, as well as those sponsored by a nation-state, often aim to gain undetected access to a network and then remain silently persistent, establish a backdoor, and/or steal data, as opposed to causing damage. Once inside the target network, APTs leverage malware to achieve their directives, which may include acquiring and exfiltrating data.
Where are APTs located?
Here is a collection of Flashpoint’s coverage of known APT groups and other state-sponsored hacking groups, sorted by country of suspected origin:
Russia: Fancy Bear, GRU, FSB, Conti, and more
Led by Russian-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective quickly became one of the most active groups in the ransomware space.
Killnet has established itself as a high-visibility force within the realm of digital warfare. Known as one of the most active and ambitious pro-Kremlin hacktivist groups, Killnet’s volatility has intensified since the Russia’s invasion of Ukraine.
The Russian hacktivist DDoS group “Killnet” claimed responsibility for an attack on the US Congress website. At the start of Russia’s invasion of Ukraine, Killnet declared their allegiance to the Russian government, and have since continued to threaten Western countries who support the Ukraine military.
Russian cyber collective Killnet took responsibility for DDoS attacks on the Lithuanian government and private institutions. Killnet has declared their allegiance to the Russian government in the Russian-Ukraine war.
Flashpoint found that the domains of multiple Russian-language illicit communities were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by Russian law enforcement.
Russian cybercriminals have long dominated the threat landscape—aided by the Russian government who usually turns a blind eye to their dealings as long as their attacks target organizations outside of the country.
Far before the Russian-Ukraine war, Ukrainian officials believed that they had already experienced multiple cyberattacks led by Russian APT groups. Although Russia has not officially claimed responsibility, Britain’s cybersecurity agency, the NCSC linked those attacks to Russia’s GRU military intelligence.
Olympic events have a long history of attracting cyber attacks, and Pyeongchang 2018 is no exception. Weeks leading up to the event, the Russian APT group “Fancy Bear” leaked emails and documents from Olympic-related agencies regarding anti-doping violations in an attempt to inflict reputational damage to participating countries.
China: CISA advisories and ties to the Chinese People’s Liberation Army
On October 6, 2022, CISA released a joint advisory detailing the top twenty vulnerabilities being used by known Chinese APT groups and state-sponsored threat actors. Despite being mostly attributed to China, Flashpoint observed it is highly likely that they are being used by threat actors of other regions.
CISA and the United States Coast Guard Cyber Command warned that nation-state hackers were still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.
CISA released an advisory detailing the commonly used CVE vulnerabilities and exploits used by Chinese state-sponsored cyber actors. Many of the CVEs are associated with network devices.
In 2021, the Chinese government reigned in their domestic technology companies, aiming to become a great cyber power. Unsealed indictments describe Chinese nation-state actor activity—linking them to China’s civilian technology sector, using front companies to operate in the open.
The Chinese government forbade its country’s security researchers from competing in international hacking competitions, stating that the zero-day exploits of its citizens could “no longer be used strategically.”
Iran: MuddyWater and state-sponsored ransomware
On January 12, 2022, US Cyber Command attributed the Iranian “MuddyWater” cyber threat group to Iran’s Ministry of Intelligence and Security (MOIS)—one of Iran’s premier intelligence organizations.
Flashpoint validated leaked documents indicating that Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company.
Suspected Iranian Actors Pushing Domestic Extremists to Target US Politicians and Electoral Security Officials
Evidence perhaps shows that a disturbing online campaign under the slogan “Enemies of the People” was actually an elaborate disinformation effort carried out by hostile Iranian cyber actors.
North Korea: Specialized training and the Guardians Of Peace
South Korea’s Computer Emergency Response Team released a notice regarding an Adobe Flash vulnerability—at least one South Korean security researcher has stated that they observed North Korean threat actors using it to exploit to target South Korean entities.
North Korean’s cyber capabilities have been closely overseen by the North Korean government—with Kim Jong II establishing a system of education institutions to provide specialized training in the STEM disciplines.
On November 25, a group calling itself GOP or The Guardians Of Peace hacked their way into Sony Pictures, leaving the Sony network crippled for days. After many days, North Korean threat actors were linked to the prolific data breach.
Track threat actor activity with Flashpoint
There are many more APT groups located throughout the world, but understanding their general tactics helps security teams protect their networks. Attackers will use tried-and-trued methods, linking together multiple techniques that can be replicated against most organizations. The Flashpoint Intelligence Platform contains detailed Finished Intelligence reports on many more known APT groups, as well as threat actor chatter. Sign up for a free trial today.
Within the realm of digital warfare, the threat actor group known as “Killnet” has established itself as a high-visibility force. Emerging as one of the most active and ambitious pro-Kremlin hacktivist collectives, Killnet’s volatility has intensified since the onset of Russia’s invasion of Ukraine over a year ago.
While Killnet demonstrates persistence, it is also notably fickle. The group constantly seeks new avenues for expansion, evolving their tactics, and capturing attention using what they proclaim as their “army of cyber partisans” and the pro-Kremlin media eager to deliver storylines that align with the narrative of the Russian government. Alongside their pursuit of financial gain, Killnet’s notorious alignment with pro-Kremlin ideological motives has fueled their collective drive since the inception of the Russia-Ukraine conflict.
Understanding the inner workings of a prominent group like Killnet becomes vital for organizations aiming to grasp the broader cyber threat landscape. By unraveling the operations of Killnet, organizations can bolster their understanding and fortify their defenses against this evolving menace.