Revision as of 09:11, 8 April 2024 (Onel5969: disambiguating links to Kill chain (military)) compared with the latest revision as of 06:17, 22 December 2024 (Sjö: undid revision 1261943985, removing unsourced content). The text below follows the latest revision.
{{short description|Set of stealthy and continuous computer hacking processes}}
{{use dmy dates |date=April 2021}}
An '''advanced persistent threat''' ('''APT''') is a stealthy [[threat actor]], typically a [[nation state]] or state-sponsored group, which gains unauthorized access to a [[computer network]] and remains undetected for an extended period.<ref>{{Cite web|url=https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats|title=What Is an Advanced Persistent Threat (APT)?|website=www.kaspersky.com|access-date=2019-08-11|archive-date=22 March 2021|archive-url=https://web.archive.org/web/20210322014919/https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats|url-status=live}}</ref><ref>{{Cite web|url=https://www.cisco.com/c/en/us/products/security/advanced-persistent-threat.html|title=What Is an Advanced Persistent Threat (APT)?|website=Cisco|language=en|access-date=2019-08-11|archive-date=22 March 2021|archive-url=https://web.archive.org/web/20210322014938/https://www.cisco.com/c/en/us/products/security/advanced-persistent-threat.html|url-status=live}}</ref> In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.<ref name=":0">{{Cite news|url=https://www.cybereason.com/blog/advanced-persistent-threat-apt|title=What is an Advanced Persistent Threat (APT)?|last=Maloney|first=Sarah|access-date=2018-11-09|language=en|archive-date=7 April 2019|archive-url=https://web.archive.org/web/20190407232257/https://www.cybereason.com/blog/advanced-persistent-threat-apt|url-status=live}}</ref>
Such threat actors' motivations are typically political or economic.<ref>{{Cite book|last=Cole|first=Eric|title=Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization|date=2013|publisher=Syngress|oclc=939843912}}</ref> Every major [[business sector]] has recorded instances of [[cyberattack]]s by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, [[arms industry|defense]], [[financial services]], [[legal services]], [[industrial sector|industrial]], [[telecommunications|telecoms]], [[consumer goods]] and many more.<ref name=":2">{{Cite web|url=https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html|title=M-Trends Cyber Security Trends|website=FireEye|language=en|access-date=2019-08-11|archive-date=21 September 2021|archive-url=https://web.archive.org/web/20210921133050/https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html|url-status=live}}</ref><ref>{{Cite web|url=https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf|title=Cyber Threats to the Financial Services and Insurance Industries|website=FireEye|archive-url=https://web.archive.org/web/20190811091624/https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf|archive-date=11 August 2019}}</ref><ref>{{Cite web|url=https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/ib-retail-consumer.pdf|title=Cyber Threats to the Retail and Consumer Goods Industry|website=FireEye|archive-url=https://web.archive.org/web/20190811091947/https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/ib-retail-consumer.pdf|archive-date=11 August 2019}}</ref> Some groups utilize traditional [[espionage]] vectors, including [[social engineering (security)|social engineering]], [[human intelligence (intelligence gathering)|human intelligence]] and [[infiltration]] to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom [[malware]].<ref>{{Cite web|url=https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf|title=Advanced Persistent Threats: A Symantec Perspective|website=Symantec|archive-url=https://web.archive.org/web/20180508161501/https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf|archive-date=8 May 2018}}</ref>
APT attacks on [[mobile device]]s have also become a legitimate concern, since attackers are able to penetrate cloud and mobile infrastructure to eavesdrop on, steal, and tamper with data.<ref>{{Cite journal |last=Au |first=Man Ho |date=2018 |title=Privacy-preserving personal data operation on mobile cloud—Chances and challenges over advanced persistent threat |journal=Future Generation Computer Systems |volume=79 |pages=337–349|doi=10.1016/j.future.2017.06.021 }}</ref>
The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. [[FireEye]] reported the median dwell-time for 2018 in the [[Americas]] as 71 days, [[EMEA]] as 177 days, and [[Asia-Pacific|APAC]] as 204 days.<ref name=":2" /> Such a long dwell-time gives attackers ample time to go through the attack cycle, propagate, and achieve their objectives.
==Definition==
Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:
*''Advanced'' – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. [[malware]] components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.<ref name=":0" /><ref name=":1">{{Cite web|url=https://www.itgovernance.co.uk/advanced-persistent-threats-apt|title=Advanced Persistent Threats (APTs)|website=IT Governance|access-date=11 August 2019|archive-date=11 August 2019|archive-url=https://web.archive.org/web/20190811090856/https://www.itgovernance.co.uk/advanced-persistent-threats-apt|url-status=live}}</ref><ref>{{Cite web|url=https://www.trendmicro.co.uk/media/misc/apt-survey-report-en.pdf|title=Advanced persistent Threat Awareness|website=TrendMicro Inc|access-date=11 August 2019|archive-date=10 June 2016|archive-url=https://web.archive.org/web/20160610083125/http://www.trendmicro.co.uk/media/misc/apt-survey-report-en.pdf|url-status=live}}</ref>
*''Persistent'' – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.<ref name=":1" /><ref>{{Cite web|url=https://blog.malwarebytes.com/101/2016/07/explained-advanced-persistent-threat-apt/|title=Explained: Advanced Persistent Threat (APT)|date=2016-07-26|website=Malwarebytes Labs|language=en-US|access-date=2019-08-11|archive-date=9 May 2019|archive-url=https://web.archive.org/web/20190509114627/https://blog.malwarebytes.com/101/2016/07/explained-advanced-persistent-threat-apt/|url-status=live}}</ref>
*''Threat'' – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state sponsored groups.<ref name=":0" /><ref name=":1" />
Warnings against targeted, socially-engineered emails dropping [[Trojan horse (computing)|trojans]] to exfiltrate sensitive information were published by UK and US [[Computer emergency response team|CERT]] organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the [[United States Air Force]] in 2006<ref>{{cite web|title=Assessing Outbound Traffic to Uncover Advanced Persistent Threat|url=https://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf |archive-url=https://web.archive.org/web/20130626233122/https://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf |archive-date=2013-06-26 |publisher=SANS Technology Institute|access-date=2013-04-14}}</ref> with Colonel Greg Rattray cited as the individual who coined the term.<ref>{{cite web|title=Introducing Forrester's Cyber Threat Intelligence Research|url=http://blogs.forrester.com/rick_holland/13-02-14-introducing_forresters_cyber_threat_intelligence_research|publisher=Forrester Research|access-date=2014-04-14|archive-url=https://web.archive.org/web/20140415054512/http://blogs.forrester.com/rick_holland/13-02-14-introducing_forresters_cyber_threat_intelligence_research|archive-date=2014-04-15}}</ref>
The [[Stuxnet]] [[computer worm]], which targeted the computer hardware of [[Nuclear program of Iran|Iran's nuclear program]], is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.{{citation needed|date=October 2019}}<ref>{{Cite journal|last=Beim|first=Jared|date=2018|title=Enforcing a Prohibition on International Espionage|url=https://www.proquest.com/docview/2012381493|journal=Chicago Journal of International Law|volume=18|pages=647–672|id={{ProQuest|2012381493}}|url-access=subscription|access-date=18 January 2023|archive-date=22 May 2021|archive-url=https://web.archive.org/web/20210522173236/https://www.proquest.com/docview/2012381493|url-status=live}}</ref>
Within the [[computer security]] community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks.<ref>{{cite web|title=Advanced Persistent Threats: Learn the ABCs of APTs - Part A|url=https://www.secureworks.com/blog/advanced-persistent-threats-apt-a|website=SecureWorks|access-date=23 January 2017|archive-date=7 April 2019|archive-url=https://web.archive.org/web/20190407232258/https://www.secureworks.com/blog/advanced-persistent-threats-apt-a|url-status=live}}</ref> Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. [[Symantec]] reported an 81 percent increase from 2010 to 2011 in particularly advanced targeted computer attacks.<ref>{{cite web |last=Olavsrud |first=Thor |title=Targeted Attacks Increased, Became More Diverse in 2011 |date=April 30, 2012 |url=https://www.cio.com/article/2396583/targeted-attacks-increased--became-more-diverse-in-2011.html |work=CIO |access-date=14 April 2021 |archive-date=14 April 2021 |archive-url=https://web.archive.org/web/20210414115711/https://www.cio.com/article/2396583/targeted-attacks-increased--became-more-diverse-in-2011.html |url-status=dead }}</ref>
Actors in many countries have used [[cyberspace]] as a means to gather intelligence on individuals and groups of individuals of interest.<ref>{{cite web|title=An Evolving Crisis|url=http://www.businessweek.com/magazine/content/08_16/b4080032220668.htm|publisher=BusinessWeek|date=April 10, 2008|access-date=2010-01-20| archive-url= https://web.archive.org/web/20100110120647/http://www.businessweek.com/magazine/content/08_16/b4080032220668.htm| archive-date= 10 January 2010 }}</ref><ref>{{cite web|title=The New E-spionage Threat |url=http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm |publisher=BusinessWeek |date=April 10, 2008 |access-date=2011-03-19 |archive-url=https://web.archive.org/web/20110418080952/http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm |archive-date=18 April 2011 }}</ref><ref>{{cite web|title=Google Under Attack: The High Cost of Doing Business in China |url=https://www.spiegel.de/international/world/google-under-attack-the-high-cost-of-doing-business-in-china-a-672742.html |first1=Marcel |last1=Rosenbach |first2=Thomas |last2=Schulz |first3=Wieland |last3=Wagner |work=Der Spiegel |date=2010-01-19 |access-date=2010-01-20 |archive-url=https://web.archive.org/web/20100121005238/http://www.spiegel.de/international/world/0%2C1518%2C672742%2C00.html |archive-date=21 January 2010 |url-status=live }}</ref> The [[United States Cyber Command]] is tasked with coordinating the US military's offensive and defensive [[cyberwarfare|cyber]] operations.<ref>{{Cite web|title=Commander Discusses a Decade of DOD Cyber Power|url=https://www.defense.gov/Explore/News/Article/Article/2193130/commander-discusses-a-decade-of-dod-cyber-power/|access-date=2020-08-28|website=U.S. DEPARTMENT OF DEFENSE|language=en-US|archive-date=19 September 2020|archive-url=https://web.archive.org/web/20200919001557/https://www.defense.gov/Explore/News/Article/Article/2193130/commander-discusses-a-decade-of-dod-cyber-power/|url-status=live}}</ref>
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of [[sovereign state]]s.<ref>{{cite news|title=Under Cyberthreat: Defense Contractors |newspaper=Bloomberg.com |url=https://www.bloomberg.com/news/articles/2009-07-06/under-cyberthreat-defense-contractorsbusinessweek-business-news-stock-market-and-financial-advice |publisher=BusinessWeek |date=July 6, 2009 |access-date=2010-01-20 |archive-url=https://web.archive.org/web/20100111174243/http://www.businessweek.com/technology/content/jul2009/tc2009076_873512.htm |archive-date=11 January 2010 |url-status=live }}</ref><ref>{{cite web|title=Understanding the Advanced Persistent Threat|url=http://tominfosec.blogspot.com/2010/02/understanding-apt.html|publisher=Tom Parker|date=February 4, 2010|access-date=2010-02-04|archive-date=18 February 2010|archive-url=https://web.archive.org/web/20100218143530/http://tominfosec.blogspot.com/2010/02/understanding-apt.html|url-status=live}}</ref><ref>{{cite web|title=Advanced Persistent Threat (or Informationized Force Operations)|url=https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf|publisher=Usenix, Michael K. Daly|date=November 4, 2009|access-date=2009-11-04|archive-date=11 May 2021|archive-url=https://web.archive.org/web/20210511075023/https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf|url-status=live}}</ref>
Businesses holding a large quantity of [[personally identifiable information]] are at high risk of being targeted by advanced persistent threats, including:<ref name="Dell SecureWorks">{{cite web|url=https://www.secureworks.com/resources/sb-advanced-threat-protection-with-dell-secureworks|title=Anatomy of an Advanced Persistent Threat (APT)|publisher=Dell SecureWorks|access-date=2012-05-21|archive-date=5 March 2016|archive-url=https://web.archive.org/web/20160305025719/https://www.secureworks.com/resources/sb-advanced-threat-protection-with-dell-secureworks}}</ref>
*Agriculture<ref name = "Cybersecurity: Current Writings on Threats and Protection_2019">{{cite book |title=Cybersecurity: Current Writings on Threats and Protection |url=https://books.google.com/books?id=FyuFDwAAQBAJ&pg=PA69 |publisher=McFarland |first1=Joaquin Jay III |last1=Gonzalez |first2=Roger L. |last2=Kemp |isbn=978-1-4766-7440-7 |page=69 |date=2019-01-16 }}</ref>
*Energy
*[[Financial institution]]s
*Health care
*Higher education<ref>{{cite web |last1=Ingerman |first1=Bret |first2=Catherine |last2=Yang |title=Top-Ten IT Issues, 2011 |url=https://er.educause.edu/articles/2011/5/topten-it-issues-2011 |date=May 31, 2011 |publisher=Educause Review |access-date=14 April 2021 |archive-date=14 April 2021 |archive-url=https://web.archive.org/web/20210414115711/https://er.educause.edu/articles/2011/5/topten-it-issues-2011 |url-status=live }}</ref>
*Manufacturing
*Technology
*Telecommunications
*[[Transport]]ation
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.<ref>{{Cite web|url=http://publications.gc.ca/collections/collection_2016/rddc-drdc/D68-3-007-2013-eng.pdf |first1=Dave |last1=McMahon |first2=Rafal |last2=Rohozinski |title=The Dark Space Project: Defence R&D Canada – Centre for Security Science Contractor Report DRDC CSS CR 2013-007 |website=publications.gc.ca |access-date=2021-04-01 |archive-date=2016-11-05 |archive-url=https://web.archive.org/web/20161105035412/http://publications.gc.ca/collections/collection_2016/rddc-drdc/D68-3-007-2013-eng.pdf |url-status=live }}</ref>
# Deploy additional tools that help fulfill the attack objective
# Cover tracks to maintain access for future initiatives
The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.<ref name="EMAGCOMSECURITY">{{cite web | url=https://emagcomsecurity.wordpress.com/2015/04/09/apt-advanced-persistent-threat-group// | title=APT (Advanced Persistent Threat) Group | date=9 April 2015 |access-date=15 January 2019 | author= EMAGCOMSECURITY}}</ref>
In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT method between 2004 and 2013<ref name="mandiant">{{cite web |url=http://intelreport.mandiant.com/ |title=APT1: Exposing One of China's Cyber Espionage Units |year=2013 |publisher=Mandiant |access-date=19 February 2013 |archive-date=2 February 2015 |archive-url=https://web.archive.org/web/20150202015751/http://intelreport.mandiant.com/ }}</ref> that followed similar lifecycle: | In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT method between 2004 and 2013<ref name="mandiant">{{cite web |url=http://intelreport.mandiant.com/ |title=APT1: Exposing One of China's Cyber Espionage Units |year=2013 |publisher=Mandiant |access-date=19 February 2013 |archive-date=2 February 2015 |archive-url=https://web.archive.org/web/20150202015751/http://intelreport.mandiant.com/ }}</ref> that followed similar lifecycle: | ||
* '''Initial compromise'''{{snd}}performed by use of ] and ], over email, using ]es. Another popular infection method was planting ] on a website that the victim's employees will be likely to visit.<ref>{{Cite web |date=2021-06-08 |title=What are MITRE ATT&CK initial access techniques |url=https://blog.gitguardian.com/inital-access-techniques/ |access-date=2023-10-13 |website=GitGuardian - Automated Secrets Detection |language=en}}</ref> | * '''Initial compromise'''{{snd}}performed by use of ] and ], over email, using ]es. Another popular infection method was planting ] on a website that the victim's employees will be likely to visit.<ref>{{Cite web |date=2021-06-08 |title=What are MITRE ATT&CK initial access techniques |url=https://blog.gitguardian.com/inital-access-techniques/ |access-date=2023-10-13 |website=GitGuardian - Automated Secrets Detection |language=en |archive-date=29 November 2023 |archive-url=https://web.archive.org/web/20231129204105/https://blog.gitguardian.com/inital-access-techniques/ |url-status=live }}</ref> | ||
* '''Establish foothold'''{{snd}}plant ] in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure. | * '''Establish foothold'''{{snd}}plant ] in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure. | ||
* '''Escalate privileges'''{{snd}}use ] and ] to acquire administrator privileges over victim's computer and possibly expand it to ] administrator accounts. | * '''Escalate privileges'''{{snd}}use ] and ] to acquire administrator privileges over victim's computer and possibly expand it to ] administrator accounts. | ||
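Review bot: the removed paragraph beginning "The global landscape of APT's from all sources..." was the only sentence on the page stating that the term covers both the actor and the method; if it is being dropped because its only source is a self-published blog (emagcomsecurity.wordpress.com), a better-sourced replacement or a citation tag would preserve that definitional point instead of losing it. Also note that the URL in that citation ends in a doubled slash (/apt-advanced-persistent-threat-group//), and the unchanged sentence "alleged Chinese attacks using APT method between 2004 and 2013 ... that followed similar lifecycle" reads awkwardly without articles ("using the APT method", "a similar lifecycle"), which could be fixed while the section is being edited.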
Line 60: | Line 58: | ||
* '''Complete mission'''{{snd}}exfiltrate stolen data from victim's network. | * '''Complete mission'''{{snd}}exfiltrate stolen data from victim's network. | ||
In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with longest – almost five years.<ref name="mandiant" /> The infiltrations were allegedly performed by Shanghai-based ] of ]. Chinese officials have denied any involvement in these attacks.<ref>{{cite web|url=https://www.reuters.com/article/us-china-hacking-idUSBRE91I06120130220 |first=Ben |last=Blanchard |date=2013-02-19 |title=China says U.S. hacking accusations lack technical proof |publisher=Reuters}}</ref> | In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with longest – almost five years.<ref name="mandiant" /> The infiltrations were allegedly performed by Shanghai-based ] of ]. Chinese officials have denied any involvement in these attacks.<ref>{{cite web |url=https://www.reuters.com/article/us-china-hacking-idUSBRE91I06120130220 |first=Ben |last=Blanchard |date=2013-02-19 |title=China says U.S. hacking accusations lack technical proof |publisher=Reuters |access-date=14 April 2021 |archive-date=14 April 2021 |archive-url=https://web.archive.org/web/20210414115709/https://www.reuters.com/article/us-china-hacking-idUSBRE91I06120130220 |url-status=live }}</ref> | ||
Previous reports from Secdev had previously discovered and implicated Chinese actors.<ref name=TGN_1>{{cite web |
Previous reports from Secdev had previously discovered and implicated Chinese actors.<ref name=TGN_1>{{cite web| title=Tracking GhostNet: investigating a cyber espionage network| author1=Deibert, R.| author2=Rohozinski, R.| author3=Manchanda, A.| author4=Villeneuve, N.| author5=Walton, G| url=https://ora.ox.ac.uk/objects/uuid:6d1260fd-b8ee-4a11-8a5f-e7708d543651| publisher=The Munk Centre for International Studies, ]| date=28 March 2009| access-date=27 December 2023| archive-date=27 December 2023| archive-url=https://web.archive.org/web/20231227155852/https://ora.ox.ac.uk/objects/uuid:6d1260fd-b8ee-4a11-8a5f-e7708d543651| url-status=live}}</ref> | ||
== Mitigation strategies == | == Mitigation strategies == | ||
There are tens of millions of malware variations,<ref name = "GSEC GIAC Security Essentials Certification All_2013"> |
There are tens of millions of malware variations,<ref name = "GSEC GIAC Security Essentials Certification All_2013">{{ cite book | title = GSEC GIAC Security Essentials Certification All |url=https://books.google.com/books?id=zUdZAQAAQBAJ&pg=PR25 | publisher = McGraw Hill Professional, 2013 | author = RicMessier | isbn = 978-0-07-182091-2 | page = xxv | language = en | date = 2013-10-30 }}</ref> which makes it extremely challenging to protect organizations from APT. While APT activities are stealthy and hard to detect, the ] network traffic associated with APT can be detected at the network layer level with sophisticated methods. Deep log analyses and log correlation from various sources is of limited usefulness in detecting APT activities. It is challenging to separate noises from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs.<ref>{{Cite web|title=Anatomy of an APT (Advanced Persistent Threat) Attack|url=https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html|access-date=2020-11-14|website=FireEye|language=en|archive-date=7 November 2020|archive-url=https://web.archive.org/web/20201107220618/https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html|url-status=live}}</ref> Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when applying ] to hunt and adversary pursuit activities.<ref>{{Cite web|date=2015-02-18|title=Threat Intelligence in an Active Cyber Defense (Part 1)|url=https://www.recordedfuture.com/active-cyber-defense-part-1/|access-date=2021-03-10|website=Recorded Future|language=en-US|archive-date=20 June 2021|archive-url=https://web.archive.org/web/20210620155903/https://www.recordedfuture.com/active-cyber-defense-part-1/|url-status=live}}</ref><ref>{{Cite web|date=2015-02-24|title=Threat Intelligence in an Active Cyber Defense (Part 
2)|url=https://www.recordedfuture.com/active-cyber-defense-part-2/|access-date=2021-03-10|website=Recorded Future|language=en-US|archive-date=27 February 2021|archive-url=https://web.archive.org/web/20210227120734/https://www.recordedfuture.com/active-cyber-defense-part-2/|url-status=live}}</ref> Human-Introduced Cyber Vulnerabilities (HICV) are a weak cyber link that are neither well understood nor mitigated, constituting a significant attack vector.<ref>{{Cite web|title=A Context-Centred Research Approach to Phishing and Operational Technology in Industrial Control Systems {{!}} Journal of Information Warfare|url=https://www.jinfowar.com/journal/volume-18-issue-4/context-centred-research-approach-phishing-operational-technology-industrial-control-systems|access-date=2021-07-31|website=www.jinfowar.com|archive-date=31 July 2021|archive-url=https://web.archive.org/web/20210731235144/https://www.jinfowar.com/journal/volume-18-issue-4/context-centred-research-approach-phishing-operational-technology-industrial-control-systems|url-status=live}}</ref> | ||
== APT groups == | == APT groups == | ||
=== China === | === China === | ||
{{See also|Cyberwarfare by China|Chinese information operations and information warfare|Chinese intelligence activity abroad}} | |||
{{further|Chinese intelligence activity abroad|Chinese espionage in the United States|Cyberwarfare by China}} | |||
Since ] became ] of the ] in 2012, the ] gained more responsibility over ] vis-à-vis the ], and currently oversees various APT groups.<ref>{{Cite news|last1=Mozur|first1=Paul|last2=Buckley|first2=Chris|date=2021-08-26|title=Spies for Hire: China's New Breed of Hackers Blends Espionage and Entrepreneurship|language=en-US|work=]|url=https://www.nytimes.com/2021/08/26/technology/china-hackers.html|access-date=2021-08-27|issn=0362-4331}}</ref> According to security researcher Timo Steffens, "the APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individual, and private and public sectors".<ref>{{cite web |last1=Stone |first1=Jeff |title=Foreign spies use front companies to disguise their hacking, borrowing an old camouflage tactic |url=https://www.cyberscoop.com/chinese-iranian-hackers-front-companies/ |date=October 5, 2020 |website=cyberscoop.com |publisher=Cyberscoop |access-date=11 October 2020}}</ref> | |||
⚫ | * ] (also known as APT3)<ref name="Symantec2019">{{cite web|url=https:// |
||
⚫ | * ] (also known as APT19) | ||
⚫ | * ]<ref name="fireeye2019">{{cite web |url=https://content.fireeye.com/apt-41/rpt-apt41/ |title=Double Dragon APT41, a dual espionage and cyber crime operation |work=] |date=2019-10-16 |access-date=2020-04-14 |archive-date= |
||
⚫ | * ] |
||
⚫ | * ]<ref name=techtarget-lightbasin>{{Cite web |url=https://www.techtarget.com/searchsecurity/news/252508413/LightBasin-hackers-spent-5-years-hiding-on-telco-networks |title='LightBasin' hackers spent 5 years hiding on telco networks |date=2021-10-20 |access-date=2022-04-08 |website=] |last=Nichols |first=Shaun}}</ref><ref name=bleeping-computer-lightbasin>{{Cite web |url=https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/ |title=LightBasin hacking group breaches 13 global telecoms in two years |date=2021-10-19 |access-date=2022-04-08 |website=] |last=Ilascu |first=Ionut}}</ref> (Also known as UNC1945) | ||
⚫ | * |
||
⚫ | * ] (also known as APT40) | ||
* ] (also known as APT1) | * ] (also known as APT1) | ||
* ] (also known as APT2) | * ] (also known as APT2) | ||
⚫ | * ] (also known as APT3)<ref name="Symantec2019">{{cite web|url=https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit|date=2019-05-07|title=Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak|publisher=]|url-status=live|archive-url=https://archive.today/20190507054409/https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit|archive-date=2019-05-07|access-date=2019-07-23}}</ref> | ||
⚫ | * ] (also known as APT30 and ]) | ||
* ] (also known as APT10) | * ] (also known as APT10) | ||
⚫ | *] (also known as APT12) | ||
⚫ | * APT 27<ref>{{cite web |last1=Lyngaas |first1=Sean |title=Chinese hackers posed as Iranians to breach Israeli targets, FireEye says |url=https://www.cyberscoop.com/china-israel-iran-fireeye-hacking/ |website=www.cyberscoop.com |date=10 August 2021 |access-date=15 August 2021}}</ref> | ||
* |
*DeputyDog (also known as APT17)<ref>{{cite news |url=https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf |title=APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic |work=] |date=May 2015 |access-date=January 21, 2024 |archive-date=November 24, 2023 |archive-url=https://web.archive.org/web/20231124143647/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf |url-status=live }}</ref> | ||
*Dynamite Panda or Scandium (also known as APT18, a unit of the ])<ref name=":32">{{Cite web |date=August 16, 2023 |title=China-Based Threat Actors |url=https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf |url-status=live |archive-url=https://web.archive.org/web/20231229092112/https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf |archive-date=29 December 2023 |access-date=29 April 2024 |website=] Office of Information Security}}</ref> | |||
* Dragonbridge<ref>{{Cite news |last=Sabin |first=Sam |date=October 26, 2022 |title=New pro-China disinformation campaign targets 2022 elections: Report |work=] |url=https://www.axios.com/2022/10/26/disinformation-campaign-midterms-china-dragonbridge-mandiant |access-date=October 27, 2022}}</ref> | |||
⚫ | * ] (also known as APT19) | ||
* Tropic Trooper<ref>{{cite web |last1=Chen |first1=Joey |title=Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments |url=https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ |website=blog.trendmicro.com |date=12 May 2020 |publisher=Trend Micro |access-date=16 May 2020}}</ref><ref>{{cite web |last1=Cimpanu |first1=Catalin |title=Hackers target the air-gapped networks of the Taiwanese and Philippine military |url=https://www.zdnet.com/article/hackers-target-the-air-gapped-networks-of-the-taiwanese-and-philippine-military/ |website=] |access-date=16 May 2020}}</ref> | |||
⚫ | * Wocao (also known as APT20)<ref name="fox-it2019">{{cite web |url=https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf |title=Wocao APT20 |work=fox-it.com |date=2019-12-19 |first1=Maarten |last1=van Dantzig |first2=Erik |last2=Schamper |publisher=] |access-date=23 December 2019 |archive-date=22 March 2021 |archive-url=https://web.archive.org/web/20210322014904/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf }}</ref><ref>{{cite web |last1=Vijayan |first1=Jai |title=China-Based Cyber Espionage Group Targeting Orgs in 10 Countries |url=https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676 |date=December 19, 2019 |website=www.darkreading.com |publisher=Dark Reading |access-date=12 January 2020 |archive-date=May 7, 2021 |archive-url=https://web.archive.org/web/20210507025313/https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676 |url-status=live }}</ref> | ||
⚫ | * Volt Typhoon<ref>{{Cite web |last=Intelligence |first=Microsoft Threat |date=2023-05-24 |title=Volt Typhoon targets US critical infrastructure with living-off-the-land techniques |url=https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ |access-date=2023-05-26 |website=Microsoft Security Blog |language=en-US}}</ref> | ||
* APT22 (aka Suckfly)<ref>{{Cite web |last=Barth |first=Bradley |date=2016-03-16 |title='Suckfly' in the ointment: Chinese APT group steals code-signing certificates |url=https://www.scworld.com/brief/suckfly-in-the-ointment-chinese-apt-group-steals-code-signing-certificates |access-date=2024-09-24 |website=SC Media |language=en |archive-date=September 24, 2024 |archive-url=https://web.archive.org/web/20240924130146/https://www.scworld.com/brief/suckfly-in-the-ointment-chinese-apt-group-steals-code-signing-certificates |url-status=live }}</ref> | |||
⚫ | * Wocao (also known as APT20)<ref name="fox-it2019">{{cite web |url=https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf |title=Wocao APT20 |work=fox-it.com |date=2019-12-19 |first1=Maarten |last1=van Dantzig |first2=Erik |last2=Schamper |publisher=] |access-date=23 December 2019 |archive-date=22 March 2021 |archive-url=https://web.archive.org/web/20210322014904/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf }}</ref><ref>{{cite web |last1=Vijayan |first1=Jai |title=China-Based Cyber Espionage Group Targeting Orgs in 10 Countries |url=https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676 |date=December 19, 2019 |website=www.darkreading.com |publisher=Dark Reading |access-date=12 January 2020}}</ref> | ||
* APT26 (aka Turbine Panda)<ref>{{Cite web |title=Building China's Comac C919 airplane involved a lot of hacking, report says |url=https://www.zdnet.com/article/building-chinas-comac-c919-airplane-involved-a-lot-of-hacking-report-says/ |access-date=2024-09-24 |website=ZDNET |language=en |archive-date=November 15, 2019 |archive-url=https://web.archive.org/web/20191115164639/https://www.zdnet.com/article/building-chinas-comac-c919-airplane-involved-a-lot-of-hacking-report-says/ |url-status=live }}</ref> | |||
* Zirconium or Hurricane Panda<ref>{{cite web |last1=Lyngaas |first1=Sean |title=Right country, wrong group? Researchers say it wasn't APT10 that hacked Norwegian software firm |url=https://www.cyberscoop.com/apt10-apt31-recorded-future-rapid7-china/ |date=February 12, 2019 |website=www.cyberscoop.com |publisher=Cyberscoop |access-date=16 October 2020}}</ref><ref>{{Cite web |last=Hui |first=Sylvia |date=2024-03-25 |title=US and UK announce sanctions over China-linked hacks on election watchdog and lawmakers |url=https://apnews.com/article/uk-china-cyberattacks-parliament-election-770e7b00454b63ad424000feecddd0c1 |access-date=2024-03-25 |website=] |language=en}}</ref> (also known as APT31, affiliated with the ])<ref>{{Cite web |date=2024-03-19 |title=Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure |url=https://home.treasury.gov/news/press-releases/jy2205 |access-date=2024-03-25 |website=] |language=en}}</ref><ref>{{cite web |last1=Lyngaas |first1=Sean |title=Google offers details on Chinese hacking group that targeted Biden campaign |url=https://www.cyberscoop.com/biden-chinese-hacking-google-security-russia/ |date=October 16, 2020 |website=Cyberscoop |access-date=16 October 2020}}</ref> in ]. 
APT31 was responsible for the "] operation against the ] and the ]’s China Maritime Studies Institute".<ref name="blp1">{{cite news |last=Gatlan |first=Sergiu |date=2024-03-25 |url=https://www.bleepingcomputer.com/news/security/us-sanctions-apt31-hackers-behind-critical-infrastructure-attacks/ |title=US sanctions APT31 hackers behind critical infrastructure attacks |work=Bleeping Computer}}</ref> Seven affiliated persons were sanctioned on 25 March 2024 by the US,<ref name="doj1">{{cite news |url=https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived |title=Office of Public Affairs | Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians | United States Department of Justice |date=25 March 2024 }}</ref> some for their hack of US energy firms.<ref name="et1">{{cite news |url=https://economictimes.indiatimes.com/news/international/business/us-sanctions-chinese-cyberespionage-firm-saying-it-hacked-us-energy-industry/articleshow/108770386.cms?from=mdr | title=US sanctions Chinese cyberespionage firm, saying it hacked US energy industry | newspaper=The Economic Times | date=25 March 2024 }}</ref> In the same week APT31 was held responsible for hacking the Finnish Parliament,<ref>{{cite news |last=Gatlan |first=Sergiu |date=2024-03-26 |title=inland confirms APT31 hackers behind 2021 parliament breach |url=https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/ |work=Bleeping Computer}}</ref> and the UK Parliament.<ref name="pol1">{{cite news |last1=McDonald |first1=Andrew |last2=Lau |first2=Stuart |url=https://www.politico.eu/article/uk-accuses-china-of-cyberattacks-on-british-democracy/ |title=UK accuses China of cyberattacks on British democracy |date=25 March 2024 |work=] }}</ref><ref name="apn1">{{cite news |last1=Hui |first1=Sylvia |last2=Tucker 
|first2=Eric |url=https://apnews.com/article/uk-china-cyberattacks-parliament-election-770e7b00454b63ad424000feecddd0c1 |title=US and UK go after Chinese hackers accused of state-backed operation against politicians, dissidents |date=25 March 2024 |work=] }}</ref> | |||
⚫ | * APT 27<ref>{{cite web |last1=Lyngaas |first1=Sean |title=Chinese hackers posed as Iranians to breach Israeli targets, FireEye says |url=https://www.cyberscoop.com/china-israel-iran-fireeye-hacking/ |website=www.cyberscoop.com |date=10 August 2021 |access-date=15 August 2021 |archive-date=November 29, 2023 |archive-url=https://web.archive.org/web/20231129204248/https://cyberscoop.com/china-israel-iran-fireeye-hacking/ |url-status=live }}</ref> | ||
⚫ | * ] (also known as APT30 and ]) | ||
* Zirconium<ref>{{cite web |last1=Lyngaas |first1=Sean |title=Right country, wrong group? Researchers say it wasn't APT10 that hacked Norwegian software firm |url=https://www.cyberscoop.com/apt10-apt31-recorded-future-rapid7-china/ |date=February 12, 2019 |website=www.cyberscoop.com |publisher=Cyberscoop |access-date=16 October 2020 |archive-date=May 7, 2021 |archive-url=https://web.archive.org/web/20210507025345/https://www.cyberscoop.com/apt10-apt31-recorded-future-rapid7-china/ |url-status=live }}</ref> (also known as APT31 and Violet Typhoon)<ref>{{cite web |last1=Lyngaas |first1=Sean |title=Google offers details on Chinese hacking group that targeted Biden campaign |url=https://www.cyberscoop.com/biden-chinese-hacking-google-security-russia/ |date=October 16, 2020 |website=Cyberscoop |access-date=16 October 2020 |archive-date=May 7, 2021 |archive-url=https://web.archive.org/web/20210507025313/https://www.cyberscoop.com/biden-chinese-hacking-google-security-russia/ |url-status=live }}</ref><ref name="ms-threat-actors-24">{{cite web |title=How Microsoft names threat actors |date=January 16, 2024 |url=https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming |publisher=Microsoft |access-date=21 January 2024 |archive-date=July 10, 2024 |archive-url=https://web.archive.org/web/20240710235817/https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming |url-status=live }}</ref><ref>{{Cite web |date=2024-03-19 |title=Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure |url=https://home.treasury.gov/news/press-releases/jy2205 |access-date=2024-03-25 |website=] |language=en |archive-date=March 25, 2024 |archive-url=https://web.archive.org/web/20240325174521/https://home.treasury.gov/news/press-releases/jy2205 |url-status=live }}</ref> | |||
⚫ | * ] (also known as APT40) | ||
⚫ | * ]<ref name="fireeye2019">{{cite web |url=https://content.fireeye.com/apt-41/rpt-apt41/ |title=Double Dragon APT41, a dual espionage and cyber crime operation |work=] |date=2019-10-16 |access-date=2020-04-14 |archive-date=May 7, 2021 |archive-url=https://web.archive.org/web/20210507025313/https://content.fireeye.com/apt-41/rpt-apt41/ |url-status=dead }}</ref> (also known as APT41, Winnti Group, Barium, or Axiom)<ref>{{cite web |date=May 17, 2020 |title=Bureau names ransomware culprits |url=https://www.taipeitimes.com/News/taiwan/archives/2020/05/17/2003736564 |url-status=live |archive-url=https://web.archive.org/web/20210322015319/https://www.taipeitimes.com/News/taiwan/archives/2020/05/17/2003736564 |archive-date=March 22, 2021 |access-date=22 May 2020 |website=] |publisher=}}</ref><ref name=":52">{{Cite magazine |last=Greenberg |first=Andy |author-link=Andy Greenberg |date=August 6, 2020 |title=Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry |url=https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ |url-status=live |archive-url=https://web.archive.org/web/20210322015355/https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ |archive-date=March 22, 2021 |access-date=2024-07-14 |magazine=] |language=en-US |issn=1059-1028}}</ref> | ||
* ] (also known as Dragonbridge or Storm 1376)<ref>{{Cite news |last=Sabin |first=Sam |date=October 26, 2022 |title=New pro-China disinformation campaign targets 2022 elections: Report |work=] |url=https://www.axios.com/2022/10/26/disinformation-campaign-midterms-china-dragonbridge-mandiant |access-date=October 27, 2022 |archive-date=October 26, 2022 |archive-url=https://web.archive.org/web/20221026182732/https://www.axios.com/2022/10/26/disinformation-campaign-midterms-china-dragonbridge-mandiant |url-status=live }}</ref><ref>{{Cite news |last=Milmo |first=Dan |date=2024-04-05 |title=China will use AI to disrupt elections in the US, South Korea and India, Microsoft warns |url=https://www.theguardian.com/technology/2024/apr/05/china-using-ai-disrupt-elections |access-date=2024-04-07 |work=] |language=en-GB |issn=0261-3077 |archive-date=May 25, 2024 |archive-url=https://web.archive.org/web/20240525185211/https://www.theguardian.com/technology/2024/apr/05/china-using-ai-disrupt-elections |url-status=live }}</ref> | |||
⚫ | * ]<ref>{{cite web |last=Naraine |first=Ryan |title=Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group |date=2021-03-02 |language=English |url=https://www.securityweek.com/microsoft-4-exchange-server-zero-days-under-attack-chinese-apt-group |website=securityweek.com |publisher=Wired Business Media |access-date=2021-03-03 |archive-date=July 6, 2023 |archive-url=https://web.archive.org/web/20230706202313/https://www.securityweek.com/microsoft-4-exchange-server-zero-days-under-attack-chinese-apt-group/ |url-status=live }}</ref><ref>{{cite web |last=Burt |first=Tom |title=New nation-state cyberattacks |date=2021-03-02 |language=English |url=https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/ |website=blogs.microsoft.com |publisher=Microsoft |access-date=2021-03-03 |archive-date=March 2, 2021 |archive-url=https://web.archive.org/web/20210302211855/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/ |url-status=live }}</ref> | ||
⚫ | * ]<ref name=techtarget-lightbasin>{{Cite web |url=https://www.techtarget.com/searchsecurity/news/252508413/LightBasin-hackers-spent-5-years-hiding-on-telco-networks |title='LightBasin' hackers spent 5 years hiding on telco networks |date=2021-10-20 |access-date=2022-04-08 |website=] |last=Nichols |first=Shaun |archive-date=November 29, 2023 |archive-url=https://web.archive.org/web/20231129204219/https://www.techtarget.com/searchsecurity/news/252508413/LightBasin-hackers-spent-5-years-hiding-on-telco-networks |url-status=live }}</ref><ref name=bleeping-computer-lightbasin>{{Cite web |url=https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/ |title=LightBasin hacking group breaches 13 global telecoms in two years |date=2021-10-19 |access-date=2022-04-08 |website=] |last=Ilascu |first=Ionut |archive-date=July 24, 2023 |archive-url=https://web.archive.org/web/20230724084013/https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/ |url-status=live }}</ref> (Also known as UNC1945) | ||
* Tropic Trooper<ref>{{cite news |last1=Cimpanu |first1=Catalin |title=Hackers target the air-gapped networks of the Taiwanese and Philippine military |url=https://www.zdnet.com/article/hackers-target-the-air-gapped-networks-of-the-taiwanese-and-philippine-military/ |website=] |access-date=16 May 2020 |archive-date=March 22, 2021 |archive-url=https://web.archive.org/web/20210322015315/https://www.zdnet.com/article/hackers-target-the-air-gapped-networks-of-the-taiwanese-and-philippine-military/ |url-status=live }}</ref> | |||
⚫ | * ]<ref>{{Cite web |last=Intelligence |first=Microsoft Threat |date=2023-05-24 |title=Volt Typhoon targets US critical infrastructure with living-off-the-land techniques |url=https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ |access-date=2023-05-26 |website=Microsoft Security Blog |language=en-US |archive-date=January 17, 2024 |archive-url=https://web.archive.org/web/20240117093138/https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ |url-status=live }}</ref> | ||
* Flax Typhoon<ref name=":6">{{Cite web |last=Tucker |first=Eric |date=2024-09-18 |title=FBI disrupts Chinese cyber operation targeting critical infrastructure in the US |url=https://apnews.com/article/fbi-justice-department-chinese-hacking-84e16185ae16367443a5e083adb74c8c |access-date=2024-09-18 |website=] |language=en |archive-date=September 24, 2024 |archive-url=https://web.archive.org/web/20240924130146/https://apnews.com/article/fbi-justice-department-chinese-hacking-84e16185ae16367443a5e083adb74c8c |url-status=live }}</ref> | |||
* Charcoal Typhoon (also known as CHROMIUM)<ref name="OpenAI">{{cite web|url=https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors|title=Disrupting malicious uses of AI by state-affiliated threat actors|date=February 14, 2024|access-date=February 16, 2024|archive-date=February 16, 2024|archive-url=https://web.archive.org/web/20240216151959/https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors|url-status=live}}</ref><ref name="AIThreatActors">{{cite web|url=https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai|title=Staying ahead of threat actors in the age of AI|website=]|date=February 14, 2024|access-date=February 16, 2024|archive-date=February 16, 2024|archive-url=https://web.archive.org/web/20240216163312/https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/|url-status=live}}</ref> | |||
* Salmon Typhoon (also known as SODIUM)<ref name="OpenAI"/><ref name="AIThreatActors"/> | |||
* ] (also known as GhostEmperor or FamousSparrow)<ref>{{Cite news |last1=Krouse |first1=Sarah |last2=McMillan |first2=Robert |last3=Volz |first3=Dustin |date=September 25, 2024 |title=China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack |url=https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835 |url-access=subscription |access-date=September 25, 2024 |work=]}}</ref><ref>{{Cite news |last1=Krouse |first1=Sarah |last2=Volz |first2=Dustin |last3=Viswanatha |first3=Aruna |last4=McMillan |first4=Robert |date=October 5, 2024 |title=U.S. Wiretap Systems Targeted in China-Linked Hack |url=https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |url-access=subscription |url-status=live |archive-url=https://web.archive.org/web/20241005025020/https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |archive-date=October 5, 2024 |access-date=October 5, 2024 |work=]}}</ref> | |||
* Liminal Panda<ref>{{Cite news |last=Sabin |first=Sam |date=November 19, 2024 |title=New China-linked telco attackers |url=https://www.axios.com/2024/11/19/exclusive-new-china-linked-telco-attackers-codebook |access-date=November 19, 2024 |work=]}}</ref> | |||
=== Iran === | === Iran === | ||
Line 94: | Line 100: | ||
* ] (also known as APT33) | * ] (also known as APT33) | ||
* ] (also known as APT34) | * ] (also known as APT34) | ||
* Pioneer Kitten<ref>{{Cite web|last=Montalbano|first=Elizabeth |
* Pioneer Kitten<ref>{{Cite web|last=Montalbano|first=Elizabeth|url=https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/|title=Pioneer Kitten APT Sells Corporate Network Access|website=Threat Post|date=September 1, 2020|access-date=3 September 2020|archive-date=22 March 2021|archive-url=https://web.archive.org/web/20210322015301/https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/|url-status=live}}</ref> | ||
* Remix Kitten (also known as APT39, ITG07, or Chafer)<ref>{{Cite web |title=APT39, ITG07, Chafer, Remix Kitten, Group G0087 {{!}} MITRE ATT&CK® |url=https://attack.mitre.org/groups/G0087/ |access-date=2022-12-30 |website=attack.mitre.org}}</ref><ref>{{Cite web |date=2020 |title=Crowdstrike Global Threat Report 2020 |url=https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf|access-date=2020-12-30 |website=crowdstrike.com|archive-url=https://web.archive.org/web/20200314121317/https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf|archive-date=2020-03-14|url-status=live}}</ref> | * Remix Kitten (also known as APT39, ITG07, or Chafer)<ref>{{Cite web |title=APT39, ITG07, Chafer, Remix Kitten, Group G0087 {{!}} MITRE ATT&CK® |url=https://attack.mitre.org/groups/G0087/ |access-date=2022-12-30 |website=attack.mitre.org |archive-date=30 December 2022 |archive-url=https://web.archive.org/web/20221230215710/https://attack.mitre.org/groups/G0087/ |url-status=live }}</ref><ref>{{Cite web |date=2020 |title=Crowdstrike Global Threat Report 2020 |url=https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf|access-date=2020-12-30 |website=crowdstrike.com|archive-url=https://web.archive.org/web/20200314121317/https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf|archive-date=2020-03-14|url-status=live}}</ref> | ||
=== North Korea === | === North Korea === | ||
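Review bot: the date formats inside the new Pioneer Kitten citation are mixed (`date=September 1, 2020` beside `access-date=3 September 2020` and `archive-date=22 March 2021`), and on the Remix Kitten line the first reference now uses `archive-date=30 December 2022` while the second keeps `archive-date=2020-03-14`; pick one format for the date, access-date and archive-date parameters across both citations.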
Line 107: | Line 113: | ||
* ] (also known as APT28) | * ] (also known as APT28) | ||
* ] | * ] | ||
* ]<ref name=venturebeatFeb2022>{{cite web|title=Microsoft discloses new details on Russian hacker group Gamaredon|author=Kyle Alspach|work=]|date=4 February 2022|access-date=22 March 2022|url=https://venturebeat.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/}}</ref> (also known as ]) {{efn|active since 2013, unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially ] organizations<ref name=zdnet21March2022/>) and appears to provide services for other APTs.<ref name=TalosGamaredon>{{cite web|title=Gamaredon - When nation states don't pay all the bills|author1=Warren Mercer|author2=Vitor Ventura|work=Cisco|date=23 February 2021|access-date=22 March 2022|url=https://blog.talosintelligence.com/2021/02/gamaredonactivities.html}}</ref> For example, the ] threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.<ref name=zdnet21March2022>{{cite web|title=Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers|author=Charlie Osborne|website=] |
* ]<ref name=venturebeatFeb2022>{{cite web|title=Microsoft discloses new details on Russian hacker group Gamaredon|author=Kyle Alspach|work=]|date=4 February 2022|access-date=22 March 2022|url=https://venturebeat.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/|archive-date=6 February 2022|archive-url=https://web.archive.org/web/20220206082258/https://venturebeat.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/|url-status=live}}</ref> (also known as ]) {{efn|active since 2013, unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially ] organizations<ref name=zdnet21March2022/>) and appears to provide services for other APTs.<ref name=TalosGamaredon>{{cite web|title=Gamaredon - When nation states don't pay all the bills|author1=Warren Mercer|author2=Vitor Ventura|work=Cisco|date=23 February 2021|access-date=22 March 2022|url=https://blog.talosintelligence.com/2021/02/gamaredonactivities.html|archive-date=19 March 2022|archive-url=https://web.archive.org/web/20220319134527/https://blog.talosintelligence.com/2021/02/gamaredonactivities.html|url-status=live}}</ref> For example, the ] threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.<ref name=zdnet21March2022>{{cite web|title=Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers|author=Charlie Osborne|website=]|date=21 March 2022|access-date=22 March 2022|url=https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/|archive-date=22 March 2022|archive-url=https://web.archive.org/web/20220322165716/https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/|url-status=live}}</ref>}} | ||
* ] | * ] (also known as APT44) | ||
* ]<ref>{{Cite web |title=Adversary: Venomous Bear - Threat Actor |url=https://adversary.crowdstrike.com/en-US/adversary/venomous-bear/ |access-date=2022-03-22 |website=Crowdstrike Adversary Universe |language=en-US}}</ref> | * ]<ref>{{Cite web |title=Adversary: Venomous Bear - Threat Actor |url=https://adversary.crowdstrike.com/en-US/adversary/venomous-bear/ |access-date=2022-03-22 |website=Crowdstrike Adversary Universe |language=en-US}}</ref> | ||
=== |
===Turkey=== | ||
* ] (also known as ] or ])<ref name=PROMETHIUM>{{cite web|title=PROMETHIUM extends global reach with StrongPity3 APT|author1=Warren Mercer|author2=Paul Rascagneres|author3=Vitor Ventura|work=Cisco|date=29 June 2020|access-date=22 March 2022|url=https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}}</ref> | * ] (also known as ] or ])<ref name=PROMETHIUM>{{cite web|title=PROMETHIUM extends global reach with StrongPity3 APT|author1=Warren Mercer|author2=Paul Rascagneres|author3=Vitor Ventura|work=Cisco|date=29 June 2020|access-date=22 March 2022|url=https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html|archive-date=22 March 2022|archive-url=https://web.archive.org/web/20220322224729/https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html|url-status=live}}</ref> | ||
=== United States === | === United States === | ||
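Review bot: the alias added to the Sandworm line, `(also known as APT44)`, carries no `<ref>`, unlike the other aliases in this hunk (Gamaredon/Primitive Bear and StrongPity/PROMETHIUM are each sourced); add a citation for the APT44 designation or drop it until one is available. The new `===Turkey===` heading also drops the spaces used by the neighbouring `=== Iran ===`, `=== North Korea ===` and `=== United States ===` headings; keep the spacing consistent.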
Line 118: | Line 124: | ||
=== Uzbekistan === | === Uzbekistan === | ||
* SandCat, associated with the ] according to Kaspersky<ref>{{cite web |last1=Gallagher |first1=Sean |title=Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV |url=https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/ |website=arstechnica.com |date=3 October 2019 |publisher=Ars Technica |access-date=5 October 2019}}</ref> | * SandCat, associated with the ] according to Kaspersky<ref>{{cite web |last1=Gallagher |first1=Sean |title=Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV |url=https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/ |website=arstechnica.com |date=3 October 2019 |publisher=Ars Technica |access-date=5 October 2019 |archive-date=22 March 2021 |archive-url=https://web.archive.org/web/20210322015356/https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/ |url-status=live }}</ref> | ||
=== Vietnam === | === Vietnam === | ||
* ] (also known as ])<ref>{{cite web |last1=Panda |first1=Ankit |title=Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19 |url=https://thediplomat.com/2020/04/offensive-cyber-capabilities-and-public-health-intelligence-vietnam-apt32-and-covid-19/ |website=thediplomat.com |publisher=The Diplomat |access-date=29 April 2020}}</ref><ref>{{cite news |title=Lined up in the sights of Vietnamese hackers |url=https://web.br.de/interaktiv/ocean-lotus/en/ |first1=Hakan |last1=Tanriverdi |first2=Max |last2=Zierer |first3=Ann-Kathrin |last3=Wetter |first4=Kai |last4=Biermann |first5=Thi Do |last5=Nguyen |publisher=] |date=October 8, 2020 |editor-first=Verena |editor-last=Nierle |editor2-first=Robert |editor2-last=Schöffel |editor3-first=Lisa |editor3-last=Wreschniok |quote=In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.}}</ref> | * ] (also known as ])<ref>{{cite web |last1=Panda |first1=Ankit |title=Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19 |url=https://thediplomat.com/2020/04/offensive-cyber-capabilities-and-public-health-intelligence-vietnam-apt32-and-covid-19/ |website=thediplomat.com |publisher=The Diplomat |access-date=29 April 2020 |archive-date=22 March 2021 |archive-url=https://web.archive.org/web/20210322015324/https://thediplomat.com/2020/04/offensive-cyber-capabilities-and-public-health-intelligence-vietnam-apt32-and-covid-19/ |url-status=live }}</ref><ref>{{cite news |title=Lined up in the sights of Vietnamese hackers |url=https://web.br.de/interaktiv/ocean-lotus/en/ |first1=Hakan |last1=Tanriverdi |first2=Max |last2=Zierer |first3=Ann-Kathrin |last3=Wetter |first4=Kai |last4=Biermann |first5=Thi Do 
|last5=Nguyen |publisher=] |date=October 8, 2020 |editor-first=Verena |editor-last=Nierle |editor2-first=Robert |editor2-last=Schöffel |editor3-first=Lisa |editor3-last=Wreschniok |quote=In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots. |access-date=11 October 2020 |archive-date=22 March 2021 |archive-url=https://web.archive.org/web/20210322015304/https://web.br.de/interaktiv/ocean-lotus/en/ |url-status=live }}</ref> | ||
==Naming== | ==Naming== | ||
Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as ], ], ], and ], among others, have their own internal naming schemes.<ref name="threat-group-naming-schemes">{{cite web |author=BushidoToken|title=Threat Group Naming Schemes In Cyber Threat Intelligence |date=20 May 2022 |url=https://www.curatedintel.org/2022/05/threat-group-naming-schemes-in-cyber.html |publisher=Curated Intelligence |access-date=21 January 2024}}</ref> Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered. | Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as ], ], ], and ], among others, have their own internal naming schemes.<ref name="threat-group-naming-schemes">{{cite web |author=BushidoToken |title=Threat Group Naming Schemes In Cyber Threat Intelligence |date=20 May 2022 |url=https://www.curatedintel.org/2022/05/threat-group-naming-schemes-in-cyber.html |publisher=Curated Intelligence |access-date=21 January 2024 |archive-date=8 December 2023 |archive-url=https://web.archive.org/web/20231208025624/https://www.curatedintel.org/2022/05/threat-group-naming-schemes-in-cyber.html |url-status=live }}</ref> Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered. | ||
CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime.<ref name="cs-2023-gtr">{{cite web |title=CrowdStrike 2023 Global Threat Report |url=https://iitd.com.ua/wp-content/uploads/2023/03/crowdstrike2023globalthreatreport.pdf |publisher=CrowdStrike |access-date=21 January 2024}}</ref> Other companies have named groups based on this system {{emdash}} Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike.<ref name="etda-rk">{{cite web |title=Rampant Kitten |url=https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Rampant%20Kitten |publisher=Thailand Electronic Transactions Development Agency |access-date=21 January 2024}}</ref> | CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime.<ref name="cs-2023-gtr">{{cite web |title=CrowdStrike 2023 Global Threat Report |url=https://iitd.com.ua/wp-content/uploads/2023/03/crowdstrike2023globalthreatreport.pdf |publisher=CrowdStrike |access-date=21 January 2024 |archive-date=26 March 2024 |archive-url=https://web.archive.org/web/20240326233326/https://iitd.com.ua/wp-content/uploads/2023/03/crowdstrike2023globalthreatreport.pdf |url-status=live }}</ref> Other companies have named groups based on this system {{emdash}} Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike.<ref name="etda-rk">{{cite web |title=Rampant Kitten |url=https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Rampant%20Kitten |publisher=Thailand Electronic Transactions Development Agency |access-date=21 January 2024 |archive-date=29 November 2022 |archive-url=https://web.archive.org/web/20221129105244/https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Rampant%20Kitten |url-status=live }}</ref> | ||
Dragos bases its names for APT groups on minerals.<ref name="threat-group-naming-schemes"/> | Dragos bases its names for APT groups on minerals.<ref name="threat-group-naming-schemes"/> | ||
Line 132: | Line 138: | ||
Mandiant assigns numbered acronyms in three categories, APT, FIN, and UNC, resulting in APT names like ]. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive).<ref name="threat-group-naming-schemes"/> | Mandiant assigns numbered acronyms in three categories, APT, FIN, and UNC, resulting in APT names like ]. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive).<ref name="threat-group-naming-schemes"/> | ||
Microsoft used to assign names from the ], often stylized in all-caps (e.g. ]); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon).<ref name="ms-lambert-23">{{cite web |last1=Lambert |first1=John |title=Microsoft shifts to a new threat actor naming taxonomy |url=https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/ |publisher=Microsoft |access-date=21 January 2024 |date=April 18, 2023}}</ref> | Microsoft used to assign names from the ], often stylized in all-caps (e.g. ]); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon).<ref name="ms-lambert-23">{{cite web |last1=Lambert |first1=John |title=Microsoft shifts to a new threat actor naming taxonomy |url=https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/ |publisher=Microsoft |access-date=21 January 2024 |date=April 18, 2023 |archive-date=22 January 2024 |archive-url=https://web.archive.org/web/20240122164844/https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/ |url-status=live }}</ref> | ||
== See also == | == See also == | ||
Line 161: | Line 167: | ||
{{Reflist}} | {{Reflist}} | ||
== |
== External links == | ||
* Gartner | |||
* | |||
* | |||
* {{Webarchive|url=https://web.archive.org/web/20200726160607/https://cradpdf.drdc-rddc.gc.ca/PDFS/unc159/p537638_A1b.pdf |date=2020-07-26 }} | |||
* | |||
* | |||
* | |||
* | |||
; Lists of APT groups | ; Lists of APT groups | ||
* | * | ||
* | * | ||
Set of stealthy and continuous computer hacking processes
An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Such threat actors' motivations are typically political or economic. Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software).
APT attacks on mobile devices have also become a legitimate concern, since attackers are able to penetrate into cloud and mobile infrastructure to eavesdrop, steal, and tamper with data.
The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reported the mean dwell-time for 2018 in the Americas as 71 days, EMEA as 177 days, and APAC as 204 days. Such a long dwell-time allows attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objectives.
Definition
Definitions of precisely what an APT is vary, but they can be summarized by the three named requirements below:
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; in fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target, they will usually reattempt access, and most often succeed. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state sponsored groups.
History and targets
Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006 with Colonel Greg Rattray cited as the individual who coined the term.
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states. Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:
- Agriculture
- Energy
- Financial institutions
- Health care
- Higher education
- Manufacturing
- Technology
- Telecommunications
- Transportation
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.
Life cycle
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:
- Target specific organizations for a singular objective
- Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
- Use the compromised systems as access into the target network
- Deploy additional tools that help fulfill the attack objective
- Cover tracks to maintain access for future initiatives
In 2013, Mandiant presented the results of its research on alleged Chinese attacks using the APT method between 2004 and 2013, which followed a similar lifecycle:
- Initial compromise – performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees are likely to visit.
- Establish foothold – plant remote administration software in the victim's network, create network backdoors and tunnels allowing stealthy access to its infrastructure.
- Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim's computer and possibly expand them to Windows domain administrator accounts.
- Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure.
- Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
- Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission – exfiltrate stolen data from victim's network.
In the incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest almost five years. The infiltrations were allegedly performed by the Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks.
Earlier reports from Secdev had already discovered and implicated Chinese actors.
Mitigation strategies
There are tens of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command and control network traffic associated with an APT can be detected at the network layer with sophisticated methods. Deep log analysis and log correlation from various sources are of limited usefulness in detecting APT activities, because it is challenging to separate the noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs. Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when cyber threat intelligence is applied to hunting and adversary pursuit activities. Human-Introduced Cyber Vulnerabilities (HICV) are a weak cyber link that is neither well understood nor mitigated, constituting a significant attack vector.
APT groups
China
See also: Cyberwarfare by China, Chinese information operations and information warfare, and Chinese intelligence activity abroad
- PLA Unit 61398 (also known as APT1)
- PLA Unit 61486 (also known as APT2)
- Buckeye (also known as APT3)
- Red Apollo (also known as APT10)
- Numbered Panda (also known as APT12)
- DeputyDog (also known as APT17)
- Dynamite Panda or Scandium (also known as APT18, a unit of the People's Liberation Army Navy)
- Codoso Team (also known as APT19)
- Wocao (also known as APT20)
- APT22 (aka Suckfly)
- APT26 (aka Turbine Panda)
- APT 27
- PLA Unit 78020 (also known as APT30 and Naikon)
- Zirconium (also known as APT31 and Violet Typhoon)
- Periscope Group (also known as APT40)
- Double Dragon (also known as APT41, Winnti Group, Barium, or Axiom)
- Spamouflage (also known as Dragonbridge or Storm 1376)
- Hafnium
- LightBasin (also known as UNC1945)
- Tropic Trooper
- Volt Typhoon
- Flax Typhoon
- Charcoal Typhoon (also known as CHROMIUM)
- Salmon Typhoon (also known as SODIUM)
- Salt Typhoon (also known as GhostEmperor or FamousSparrow)
- Liminal Panda
Iran
- Charming Kitten (also known as APT35)
- Elfin Team (also known as APT33)
- Helix Kitten (also known as APT34)
- Pioneer Kitten
- Remix Kitten (also known as APT39, ITG07, or Chafer)
North Korea
- Kimsuky
- Lazarus Group (also known as APT38)
- Ricochet Chollima (also known as APT37)
Russia
- Berserk Bear
- Cozy Bear (also known as APT29)
- Fancy Bear (also known as APT28)
- FIN7
- Gamaredon (also known as Primitive Bear)
- Sandworm (also known as APT44)
- Venomous Bear
Turkey
- StrongPity (also known as APT-C-41 or PROMETHIUM)
United States
Uzbekistan
- SandCat, associated with the State Security Service according to Kaspersky
Vietnam
- OceanLotus (also known as APT32)
Naming
Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as CrowdStrike, Kaspersky, Mandiant, and Microsoft, among others, have their own internal naming schemes. Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered.
CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime. Other companies have named groups based on this system — Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike.
Dragos bases its names for APT groups on minerals.
Mandiant assigns numbered acronyms in three categories, APT, FIN, and UNC, resulting in APT names like FIN7. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive).
Microsoft used to assign names from the periodic table, often stylized in all-caps (e.g. POTASSIUM); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon).
See also
- Bureau 121
- Chinese intelligence activity abroad
- Cyber spying
- Darkhotel
- Fileless malware
- Ghostnet
- Kill chain
- NetSpectre
- Operation Aurora
- Operation Shady RAT
- Proactive cyber defence
- Spear-phishing
- Spyware
- Stuxnet
- Tailored Access Operations
- Unit 180
- Unit 8200
Notes
- Active since 2013. Unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially Ukrainian organizations) and appears to provide services for other APTs. For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.
References
- "What Is an Advanced Persistent Threat (APT)?". www.kaspersky.com. Archived from the original on 22 March 2021. Retrieved 11 August 2019.
- "What Is an Advanced Persistent Threat (APT)?". Cisco. Archived from the original on 22 March 2021. Retrieved 11 August 2019.
- Maloney, Sarah. "What is an Advanced Persistent Threat (APT)?". Archived from the original on 7 April 2019. Retrieved 9 November 2018.
- Cole, Eric (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Syngress. OCLC 939843912.
- "M-Trends Cyber Security Trends". FireEye. Archived from the original on 21 September 2021. Retrieved 11 August 2019.
- "Cyber Threats to the Financial Services and Insurance Industries" (PDF). FireEye. Archived from the original (PDF) on 11 August 2019.
- "Cyber Threats to the Retail and Consumer Goods Industry" (PDF). FireEye. Archived from the original (PDF) on 11 August 2019.
- "Advanced Persistent Threats: A Symantec Perspective" (PDF). Symantec. Archived from the original (PDF) on 8 May 2018.
- Au, Man Ho (2018). "Privacy-preserving personal data operation on mobile cloud—Chances and challenges over advanced persistent threat". Future Generation Computer Systems. 79: 337–349. doi:10.1016/j.future.2017.06.021.
- "Advanced Persistent Threats (APTs)". IT Governance. Archived from the original on 11 August 2019. Retrieved 11 August 2019.
- "Advanced persistent Threat Awareness" (PDF). TrendMicro Inc. Archived (PDF) from the original on 10 June 2016. Retrieved 11 August 2019.
- "Explained: Advanced Persistent Threat (APT)". Malwarebytes Labs. 26 July 2016. Archived from the original on 9 May 2019. Retrieved 11 August 2019.
- "Assessing Outbound Traffic to Uncover Advanced Persistent Threat" (PDF). SANS Technology Institute. Archived from the original (PDF) on 26 June 2013. Retrieved 14 April 2013.
- "Introducing Forrester's Cyber Threat Intelligence Research". Forrester Research. Archived from the original on 15 April 2014. Retrieved 14 April 2014.
- Beim, Jared (2018). "Enforcing a Prohibition on International Espionage". Chicago Journal of International Law. 18: 647–672. ProQuest 2012381493. Archived from the original on 22 May 2021. Retrieved 18 January 2023.
- "Advanced Persistent Threats: Learn the ABCs of APTs - Part A". SecureWorks. Archived from the original on 7 April 2019. Retrieved 23 January 2017.
- Olavsrud, Thor (30 April 2012). "Targeted Attacks Increased, Became More Diverse in 2011". CIO Magazine. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
- "An Evolving Crisis". BusinessWeek. 10 April 2008. Archived from the original on 10 January 2010. Retrieved 20 January 2010.
- "The New E-spionage Threat". BusinessWeek. 10 April 2008. Archived from the original on 18 April 2011. Retrieved 19 March 2011.
- Rosenbach, Marcel; Schulz, Thomas; Wagner, Wieland (19 January 2010). "Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. Archived from the original on 21 January 2010. Retrieved 20 January 2010.
- "Commander Discusses a Decade of DOD Cyber Power". U.S. Department of Defense. Archived from the original on 19 September 2020. Retrieved 28 August 2020.
- "Under Cyberthreat: Defense Contractors". Bloomberg.com. BusinessWeek. 6 July 2009. Archived from the original on 11 January 2010. Retrieved 20 January 2010.
- "Understanding the Advanced Persistent Threat". Tom Parker. 4 February 2010. Archived from the original on 18 February 2010. Retrieved 4 February 2010.
- "Advanced Persistent Threat (or Informationized Force Operations)" (PDF). Usenix, Michael K. Daly. 4 November 2009. Archived (PDF) from the original on 11 May 2021. Retrieved 4 November 2009.
- "Anatomy of an Advanced Persistent Threat (APT)". Dell SecureWorks. Archived from the original on 5 March 2016. Retrieved 21 May 2012.
- Gonzalez, Joaquin Jay III; Kemp, Roger L. (16 January 2019). Cybersecurity: Current Writings on Threats and Protection. McFarland. p. 69. ISBN 978-1-4766-7440-7.
- Ingerman, Bret; Yang, Catherine (31 May 2011). "Top-Ten IT Issues, 2011". Educause Review. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
- McMahon, Dave; Rohozinski, Rafal. "The Dark Space Project: Defence R&D Canada – Centre for Security Science Contractor Report DRDC CSS CR 2013-007" (PDF). publications.gc.ca. Archived (PDF) from the original on 5 November 2016. Retrieved 1 April 2021.
- "Outmaneuvering Advanced and Evasive Malware Threats". Secureworks. Secureworks Insights. Archived from the original on 7 April 2019. Retrieved 24 February 2016.
- ^ "APT1: Exposing One of China's Cyber Espionage Units". Mandiant. 2013. Archived from the original on 2 February 2015. Retrieved 19 February 2013.
- "What are MITRE ATT&CK initial access techniques". GitGuardian - Automated Secrets Detection. 8 June 2021. Archived from the original on 29 November 2023. Retrieved 13 October 2023.
- Blanchard, Ben (19 February 2013). "China says U.S. hacking accusations lack technical proof". Reuters. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
- Deibert, R.; Rohozinski, R.; Manchanda, A.; Villeneuve, N.; Walton, G (28 March 2009). "Tracking GhostNet: investigating a cyber espionage network". The Munk Centre for International Studies, University of Toronto. Archived from the original on 27 December 2023. Retrieved 27 December 2023.
- RicMessier (30 October 2013). GSEC GIAC Security Essentials Certification All. McGraw Hill Professional, 2013. p. xxv. ISBN 978-0-07-182091-2.
- "Anatomy of an APT (Advanced Persistent Threat) Attack". FireEye. Archived from the original on 7 November 2020. Retrieved 14 November 2020.
- "Threat Intelligence in an Active Cyber Defense (Part 1)". Recorded Future. 18 February 2015. Archived from the original on 20 June 2021. Retrieved 10 March 2021.
- "Threat Intelligence in an Active Cyber Defense (Part 2)". Recorded Future. 24 February 2015. Archived from the original on 27 February 2021. Retrieved 10 March 2021.
- "A Context-Centred Research Approach to Phishing and Operational Technology in Industrial Control Systems | Journal of Information Warfare". www.jinfowar.com. Archived from the original on 31 July 2021. Retrieved 31 July 2021.
- "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak". Symantec. 7 May 2019. Archived from the original on 7 May 2019. Retrieved 23 July 2019.
- "APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic" (PDF). FireEye. May 2015. Archived (PDF) from the original on 24 November 2023. Retrieved 21 January 2024.
- "China-Based Threat Actors" (PDF). U.S. Department of Health and Human Services Office of Information Security. 16 August 2023. Archived (PDF) from the original on 29 December 2023. Retrieved 29 April 2024.
- van Dantzig, Maarten; Schamper, Erik (19 December 2019). "Wocao APT20" (PDF). fox-it.com. NCC Group. Archived from the original (PDF) on 22 March 2021. Retrieved 23 December 2019.
- Vijayan, Jai (19 December 2019). "China-Based Cyber Espionage Group Targeting Orgs in 10 Countries". www.darkreading.com. Dark Reading. Archived from the original on 7 May 2021. Retrieved 12 January 2020.
- Barth, Bradley (16 March 2016). "'Suckfly' in the ointment: Chinese APT group steals code-signing certificates". SC Media. Archived from the original on 24 September 2024. Retrieved 24 September 2024.
- "Building China's Comac C919 airplane involved a lot of hacking, report says". ZDNET. Archived from the original on 15 November 2019. Retrieved 24 September 2024.
- Lyngaas, Sean (10 August 2021). "Chinese hackers posed as Iranians to breach Israeli targets, FireEye says". www.cyberscoop.com. Archived from the original on 29 November 2023. Retrieved 15 August 2021.
- Lyngaas, Sean (12 February 2019). "Right country, wrong group? Researchers say it wasn't APT10 that hacked Norwegian software firm". www.cyberscoop.com. Cyberscoop. Archived from the original on 7 May 2021. Retrieved 16 October 2020.
- Lyngaas, Sean (16 October 2020). "Google offers details on Chinese hacking group that targeted Biden campaign". Cyberscoop. Archived from the original on 7 May 2021. Retrieved 16 October 2020.
- "How Microsoft names threat actors". Microsoft. 16 January 2024. Archived from the original on 10 July 2024. Retrieved 21 January 2024.
- "Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure". U.S. Department of the Treasury. 19 March 2024. Archived from the original on 25 March 2024. Retrieved 25 March 2024.
- "Double Dragon APT41, a dual espionage and cyber crime operation". FireEye. 16 October 2019. Archived from the original on 7 May 2021. Retrieved 14 April 2020.
- "Bureau names ransomware culprits". Taipei Times. 17 May 2020. Archived from the original on 22 March 2021. Retrieved 22 May 2020.
- Greenberg, Andy (6 August 2020). "Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry". Wired. ISSN 1059-1028. Archived from the original on 22 March 2021. Retrieved 14 July 2024.
- Sabin, Sam (26 October 2022). "New pro-China disinformation campaign targets 2022 elections: Report". Axios. Archived from the original on 26 October 2022. Retrieved 27 October 2022.
- Milmo, Dan (5 April 2024). "China will use AI to disrupt elections in the US, South Korea and India, Microsoft warns". The Guardian. ISSN 0261-3077. Archived from the original on 25 May 2024. Retrieved 7 April 2024.
- Naraine, Ryan (2 March 2021). "Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group". securityweek.com. Wired Business Media. Archived from the original on 6 July 2023. Retrieved 3 March 2021.
- Burt, Tom (2 March 2021). "New nation-state cyberattacks". blogs.microsoft.com. Microsoft. Archived from the original on 2 March 2021. Retrieved 3 March 2021.
- Nichols, Shaun (20 October 2021). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 29 November 2023. Retrieved 8 April 2022.
- Ilascu, Ionut (19 October 2021). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 24 July 2023. Retrieved 8 April 2022.
- Cimpanu, Catalin. "Hackers target the air-gapped networks of the Taiwanese and Philippine military". ZDnet. Archived from the original on 22 March 2021. Retrieved 16 May 2020.
- Intelligence, Microsoft Threat (24 May 2023). "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques". Microsoft Security Blog. Archived from the original on 17 January 2024. Retrieved 26 May 2023.
- Tucker, Eric (18 September 2024). "FBI disrupts Chinese cyber operation targeting critical infrastructure in the US". Associated Press. Archived from the original on 24 September 2024. Retrieved 18 September 2024.
- ^ "Disrupting malicious uses of AI by state-affiliated threat actors". 14 February 2024. Archived from the original on 16 February 2024. Retrieved 16 February 2024.
- ^ "Staying ahead of threat actors in the age of AI". Microsoft. 14 February 2024. Archived from the original on 16 February 2024. Retrieved 16 February 2024.
- Krouse, Sarah; McMillan, Robert; Volz, Dustin (25 September 2024). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Retrieved 25 September 2024.
- Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (5 October 2024). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 October 2024. Retrieved 5 October 2024.
- Sabin, Sam (19 November 2024). "New China-linked telco attackers". Axios. Retrieved 19 November 2024.
- Montalbano, Elizabeth (1 September 2020). "Pioneer Kitten APT Sells Corporate Network Access". Threat Post. Archived from the original on 22 March 2021. Retrieved 3 September 2020.
- "APT39, ITG07, Chafer, Remix Kitten, Group G0087 | MITRE ATT&CK®". attack.mitre.org. Archived from the original on 30 December 2022. Retrieved 30 December 2022.
- "Crowdstrike Global Threat Report 2020" (PDF). crowdstrike.com. 2020. Archived (PDF) from the original on 14 March 2020. Retrieved 30 December 2020.
- Kyle Alspach (4 February 2022). "Microsoft discloses new details on Russian hacker group Gamaredon". VentureBeat. Archived from the original on 6 February 2022. Retrieved 22 March 2022.
- ^ Charlie Osborne (21 March 2022). "Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers". ZDNet. Archived from the original on 22 March 2022. Retrieved 22 March 2022.
- Warren Mercer; Vitor Ventura (23 February 2021). "Gamaredon - When nation states don't pay all the bills". Cisco. Archived from the original on 19 March 2022. Retrieved 22 March 2022.
- "Adversary: Venomous Bear - Threat Actor". Crowdstrike Adversary Universe. Retrieved 22 March 2022.
- Warren Mercer; Paul Rascagneres; Vitor Ventura (29 June 2020). "PROMETHIUM extends global reach with StrongPity3 APT". Cisco. Archived from the original on 22 March 2022. Retrieved 22 March 2022.
- "Equation: The Death Star of Malware Galaxy". Kaspersky Lab. 16 February 2015. Archived from the original on 11 July 2019. Retrieved 23 July 2019.
- Gallagher, Sean (3 October 2019). "Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV". arstechnica.com. Ars Technica. Archived from the original on 22 March 2021. Retrieved 5 October 2019.
- Panda, Ankit. "Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19". thediplomat.com. The Diplomat. Archived from the original on 22 March 2021. Retrieved 29 April 2020.
- Tanriverdi, Hakan; Zierer, Max; Wetter, Ann-Kathrin; Biermann, Kai; Nguyen, Thi Do (8 October 2020). Nierle, Verena; Schöffel, Robert; Wreschniok, Lisa (eds.). "Lined up in the sights of Vietnamese hackers". Bayerischer Rundfunk. Archived from the original on 22 March 2021. Retrieved 11 October 2020.
In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.
- ^ BushidoToken (20 May 2022). "Threat Group Naming Schemes In Cyber Threat Intelligence". Curated Intelligence. Archived from the original on 8 December 2023. Retrieved 21 January 2024.
- "CrowdStrike 2023 Global Threat Report" (PDF). CrowdStrike. Archived (PDF) from the original on 26 March 2024. Retrieved 21 January 2024.
- "Rampant Kitten". Thailand Electronic Transactions Development Agency. Archived from the original on 29 November 2022. Retrieved 21 January 2024.
- Lambert, John (18 April 2023). "Microsoft shifts to a new threat actor naming taxonomy". Microsoft. Archived from the original on 22 January 2024. Retrieved 21 January 2024.
External links
- Lists of APT groups
- Mandiant: Advanced Persistent Threat Groups
- MITRE ATT&CK: community-tracked Advanced Persistent Threat group pages