Advanced persistent threat groups seek to access critical information and destabilize companies in critical sectors and public administrations
The era of the cautious and silent spies that John le Carré portrayed for posterity in novels such as The Spy Who Came in from the Cold ended with the Cold War itself. Today, espionage takes place in the digital world through advanced persistent threats launched by state-sponsored groups that want to obtain information from foreign governments, companies, and media, or to destabilize other countries.
Two advanced persistent threat campaigns, one attributed to a Chinese group and one to a North Korean group, have become public in recent weeks. The first, SmugX, targeted embassies to obtain sensitive foreign policy information from European countries such as the UK, the Czech Republic, and Hungary. The second, run by the Kimsuky APT group, aimed to steal data from strategic actors such as research centers and the media.
These recent cases highlight a key trend in global cybersecurity: the rise of advanced persistent threats, whose impact on companies and public administrations can be devastating. As a result, improving resilience against this type of threat has become an issue of vital importance for thousands of companies and institutions around the world.
We will now take a closer look at what advanced persistent threats are, what they target, who is behind them, and how companies and administrations can prepare for them with Threat Hunting services and Red Team exercises.
1. Deconstructing the APT concept
The three words that make up the concept of advanced persistent threats (APT) serve as a first approach to this essential issue in the world of cybersecurity:
- Advanced. The use of the adjective advanced is intended to emphasize that this type of threat employs techniques, tactics, and procedures that are more complex to prevent, detect, and combat than those used in common cyber-attacks. This implies that protection mechanisms against advanced persistent threats must also be sophisticated and innovative.
- Persistent. One of the keys to these threats is their persistence, that is, their extension over time. The intrusions manage to go unnoticed for an extraordinarily long period, which allows hostile actors to access a greater volume of information and cause more significant damage to the attacked organizations.
- Threats. This kind of attack poses a significant threat to companies and administrations and can have serious economic, reputational, and legal consequences and undermine the organization’s business continuity and strategy.
Beyond the three words that make up the concept, the National Institute of Standards and Technology of the United States defines advanced persistent threats by focusing on five essential aspects:
- The adversaries, their experience, their motivation, and the resources at their disposal.
- The use of multiple attack vectors.
- The objectives of hostile actors: exfiltrating information, undermining or impeding the organization's mission, or positioning themselves to do so in the future.
- The duration and evolution of the threats.
- The level of interaction with the target that the adversary is determined to maintain in order to achieve its objectives.
2. How do advanced persistent threats differ from traditional attacks?
Based on the above, we can see what differentiates advanced persistent threats from common ones.
2.1. Typology of hostile actors
The criminals behind advanced persistent threats have sophisticated levels of expertise and considerable resources at their disposal. This allows them to design and implement much more complex attacks and have more tools at their disposal to overcome an organization’s defense mechanisms and accomplish their objectives.
APT groups stand out for their high level of expertise, clear motivation, multiple attack vectors, and well-defined goals (intellectual property theft, industrial or governmental espionage, etc.).
2.2. Attack vectors
One of the keys to differentiating advanced persistent threats and highlighting their dangerousness is the attack vectors used by hostile actors. Why?
Criminals do not rely on a single attack vector to breach a company's IT assets but use multiple vectors, which makes advanced persistent threats more sophisticated and complex. Thus, this type of attack can combine social engineering techniques, the exploitation of zero-day vulnerabilities, and the use of custom malware.
2.3. Duration and scope of attacks
Advanced persistent threats are not one-time attacks but seek to infiltrate the organization’s technological infrastructure and achieve maximum persistence in it, gaining, in turn, continued access over time.
This means that hostile actors must go unnoticed: their implants have to remain dormant and undetected in corporate or government systems, while the attackers continuously monitor and maintain their access, until the malicious objectives are achieved.
It should also be added that APT groups seek to obtain maximum reach to infiltrate the organization’s entire technological infrastructure and gather as much information as possible.
2.4. Execution
Many cyber-attacks are fully automated. Advanced persistent threats, on the other hand, are characterized by operator-driven, hands-on-keyboard execution: even where individual steps are scripted, hostile actors steer every phase of the Cyber Kill Chain themselves, adapting to the defenses they meet in order to achieve their objectives.
Hence, advanced persistent threats are characterized by targeted and organized attacks based on well-defined objectives.
2.5. Specific targets
Thanks to tools that make it possible to automate cyber-attacks, many are launched against a wide range of targets. For example, a phishing campaign that targets thousands of email accounts. Advanced persistent threats, on the other hand, are directed against specific targets, such as particular professionals in a given organization.
Typical targets of APT groups include governments, companies, relevant individuals, networks, or critical infrastructure, e.g., power plants or pipelines.
This degree of targeting presupposes that the malicious actors have intelligence-gathering resources and capabilities (OSINT, SOCMINT) with which to profile their victims beforehand.
3. Targets of advanced persistent threats
The characteristics of advanced persistent threats are directly related to the targets of APT groups. These complex attacks, which combine several attack vectors and sophisticated techniques, seek to infiltrate the IT infrastructure for as long as possible without being identified to:
- Steal intellectual and/or industrial property of the attacked company.
- Steal classified or secret data, both from companies and institutions.
- Cause damage by attacking industrial control systems (ICS), potentially affecting people's health and safety, for example by halting the operations of an electricity company.
- Access personal data and private information of customers, employees, partners, or citizens.
- Take control of a corporate system.
- Obtain valuable information to launch future attacks.
4. Targeted and well-organized attacks to hit the target
In light of the characteristics and objectives we have outlined, we can ask ourselves: What are advanced persistent threats looking for?
The complexity of the actions, the level of preparation of the criminals carrying them out, and the amount of resources required to execute them successfully mean that advanced persistent threats have, first and foremost, specific targets, unlike other less complex and automated attacks.
This is why we describe APTs as targeted attacks, as opposed to opportunistic attacks that seek to hit as many potential victims as possible. Or, to put it more prosaically, with advanced persistent threats, criminals take aim at a specific target, whereas, with mass automated attacks, they cast a net into the sea and keep whatever they happen to catch.
That said, who are advanced persistent threats targeting? Especially vital public institutions such as departments or ministries linked to security, defense, foreign policy, or research. As well as companies in critical sectors such as finance, healthcare, telecommunications, transportation, or energy.
How do hostile actors infiltrate the IT infrastructure of these types of organizations? By combining different tactics, techniques, and procedures to gain access to corporate systems, install backdoors, escalate privileges, or perform lateral movements to achieve malicious objectives.
Compared to other more straightforward attacks, advanced persistent threats develop over a long time, both because of their complexity and their mission to persist for a very long time to increase their impact on the attacked organization.
5. APT groups: Who is behind these threats?
APT groups design and execute advanced persistent threats to achieve their criminal objectives. They develop tools, techniques, tactics, and procedures that require high technical expertise and extensive experience. The complexity of advanced persistent threats requires that the criminals who are part of these groups are highly skilled and have significant resources to carry out their criminal activities.
Therefore, in many cases, such as the two mentioned at the beginning of this article, APT groups are sponsored by states.
However, there are also APT groups with no direct relationship to any government. Their aim is still to infiltrate companies or administrations, but in order to extort money from them, as in the attack launched by the RansomHouse group against the Hospital Clínic in Barcelona, or to sell sensitive information to competitors.
Even so, the truth is that many APT groups have close ties with various states (Russia, China, Iran), and they aim to contribute to destabilizing Western states, either by attacking their institutions or their companies.
Without going any further, Tarlogic Security's Threat Hunting team published an investigation on the APT28 group, also popularly known as Fancy Bear. This advanced persistent threat group has attacked Emmanuel Macron's French presidential campaign, the German Bundestag, the Spanish CSIC, and the US Democratic National Committee.
Advanced persistent threat groups are on the rise, and so is their impact on cybersecurity and the protection of companies, administrations, and individuals. Hence, Threat Intelligence and Threat Hunting professionals are crucial to understanding how different APT groups operate to improve resilience against their malicious actions.
5.1. MITRE ATT&CK and APT group mapping
The MITRE ATT&CK framework, which focuses on studying cybercriminals’ tactics, techniques, and procedures, collects information on APT groups. Thus, MITRE ATT&CK makes available to cybersecurity professionals and organizations data such as:
- Description of the groups.
- The associated group names (aliases) under which other vendors and researchers have tracked them.
- The techniques and sub-techniques they employ, with examples of how they have used them.
- The software (malware and tools) they use to achieve their objectives, and the techniques each piece of software implements.
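The ATT&CK knowledge base is published as a STIX 2.1 bundle in which groups are `intrusion-set` objects, techniques are `attack-pattern` objects, software is `malware` or `tool`, and the links between them are `relationship` objects of type `uses`. The following Python example, added here and not part of the original article or of MITRE's own tooling, shows how to resolve a group (by name or alias) to its aliases, techniques and software from such a bundle. The bundle it parses is a constructed, heavily trimmed stand-in: the group, its identifiers (G9999, S9999, T9998) and the assignment of techniques to it are invented for illustration, although the object and relationship shapes mirror the real `enterprise-attack.json` file, and revoked or deprecated objects are skipped as they would be in practice.

```python
"""Resolve an APT group to aliases, techniques and software from an
ATT&CK-style STIX 2.1 bundle (added example; not Tarlogic's or MITRE's code)."""
from collections import defaultdict

# Constructed mini-bundle shaped like enterprise-attack.json.  Group, S/G ids and
# technique assignments are illustrative; the technique ids/names are real ATT&CK ones.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Bear",
         "aliases": ["Example Bear", "EXAMPLE-BEAR"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Registry Run Keys / Startup Folder",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1547.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Ingress Tool Transfer",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1105"}]},
        # ATT&CK keeps revoked entries in the bundle; they must be ignored when mapping.
        {"type": "attack-pattern", "id": "attack-pattern--t4", "name": "Old Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9998"}]},
        {"type": "malware", "id": "malware--m1", "name": "ExampleRAT",
         "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}]},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t4"},
        {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "malware--m1"},
        {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
         "source_ref": "malware--m1", "target_ref": "attack-pattern--t2"},
        {"type": "relationship", "id": "relationship--r5", "relationship_type": "uses",
         "source_ref": "malware--m1", "target_ref": "attack-pattern--t3"},
    ],
}


def _attack_id(obj):
    """Return the ATT&CK external id (G…, T…, S…) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _is_live(obj):
    """Revoked and deprecated objects stay in the bundle but must not be mapped."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def find_group(bundle, name):
    """Locate an intrusion-set by primary name or any alias, case-insensitively."""
    wanted = name.lower()
    for obj in bundle["objects"]:
        if obj["type"] == "intrusion-set" and _is_live(obj):
            names = [obj["name"], *obj.get("aliases", [])]
            if any(n.lower() == wanted for n in names):
                return obj
    return None


def group_profile(bundle, name):
    """Aliases, directly used techniques, and software (with its techniques) for a group."""
    group = find_group(bundle, name)
    if group is None:
        return None
    by_id = {o["id"]: o for o in bundle["objects"] if _is_live(o)}
    uses = defaultdict(set)  # source_ref -> set of target_ref, `uses` relationships only
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses" and _is_live(o):
            uses[o["source_ref"]].add(o["target_ref"])
    techniques, software = {}, {}
    for target in uses[group["id"]]:
        obj = by_id.get(target)  # None for revoked/deprecated targets -> dropped
        if obj is None:
            continue
        if obj["type"] == "attack-pattern":
            techniques[_attack_id(obj)] = obj["name"]
        elif obj["type"] in ("malware", "tool"):
            # Second hop: which techniques does this software itself implement?
            software[obj["name"]] = {
                _attack_id(by_id[t]): by_id[t]["name"]
                for t in uses[obj["id"]]
                if t in by_id and by_id[t]["type"] == "attack-pattern"
            }
    return {"id": _attack_id(group), "name": group["name"],
            "aliases": sorted(set(group.get("aliases", []))),
            "techniques": techniques, "software": software}


def all_technique_ids(profile):
    """Union of direct and software-delivered techniques: the detection surface to cover."""
    ids = set(profile["techniques"])
    for techs in profile["software"].values():
        ids.update(techs)
    return sorted(ids)


if __name__ == "__main__":
    profile = group_profile(BUNDLE, "example-bear")
    print(profile["id"], profile["aliases"])
    print("direct techniques:", profile["techniques"])
    print("software:", profile["software"])
    print("detection surface:", all_technique_ids(profile))
```

To run this against the real data, load `enterprise-attack.json` from MITRE's attack-stix-data repository with `json.load` and pass the resulting dict as `bundle`; the object types and `uses` relationships are the same, only much more numerous. Note that `all_technique_ids` is what a threat hunting team actually needs from the mapping: the union of what the group does by hand and what its tooling does for it is the list of TTPs for which telemetry and detections must exist.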
6. Intelligence and Threat Hunting to cut the Cyber Kill Chain of advanced persistent threats
How can organizations deal with advanced persistent threats? First, by cutting their Cyber Kill Chain before they can achieve their malicious goals. This is where cyber intelligence professionals and threat hunters come into play.
- Cyber intelligence services. These services provide visibility into advanced persistent threats during the first three phases of the chain:
  - Reconnaissance
  - Weaponization
  - Delivery
- Threat Hunting services. Threat hunters play a crucial role in the remaining four phases of the Cyber Kill Chain:
  - Exploitation
  - Installation
  - Command and control
  - Actions on objectives
Intelligence is critical on both sides. For the attackers, launching an advanced persistent threat requires a precise understanding of the target organization, its IT infrastructure, and its security strategy. For the defenders, it is just as critical to understand which TTPs hostile actors employ, and how they research and develop the tools and procedures behind their attacks.
Proactive Threat Hunting professionals must then track advanced persistent threats on the organization's own systems. How? By formulating compromise hypotheses and testing them against endpoint activity and other telemetry, rather than waiting for an alert to fire.
7. Improving resilience to advanced persistent threats
Advanced persistent threats and the groups that design and execute them threaten the security of thousands of companies, institutions, and citizens as a whole.
It is, therefore, essential that companies and public administrations improve their resilience to APTs and thus be able to improve detection, response, containment, and recovery capabilities.
Tarlogic Security offers companies and institutions Red Team and Threat Hunting services that combine offensive and defensive security capabilities to help them improve their APT resilience.
7.1. Threat Hunting services for designing improvement opportunities
Tarlogic's Threat Hunting team continuously monitors the world's major APT groups to analyze in depth the tactics, techniques, and procedures (TTPs) employed by this class of hostile actors.
All this knowledge forms an extensive database that serves to identify and design detection opportunities to deal with new TTPs employed by APT groups.
Through this Proactive Threat Hunting strategy, Tarlogic professionals help companies improve their defensive capabilities against advanced persistent threats.
Thus, to optimize resilience against APT groups’ TTPs, an organization must be able to answer three basic questions in the affirmative:
- Is there telemetry associated with the TTP?
- Is an effective process in place to detect the TTP and analyze whether it is malicious activity?
- Can we investigate a case until the root cause of the compromise is found and assess the impact caused by the TTP?
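The three questions above map directly onto a hypothesis-driven hunt. The Python example below, added here and not part of the original article or of Tarlogic's tooling, works through one hypothesis end to end: an adversary that arrived through a malicious Office attachment (the spearphishing entry vector described earlier) established persistence with a Run-key entry, ATT&CK T1547.001. It answers question one by checking which telemetry types are present, question two by detecting the TTP with an allowlist to suppress legitimate installers, and question three by walking the process tree back to the root cause. The events are constructed to look like Sysmon EventID 1 (process create) and EventID 13 (registry value set) records; the field names follow Sysmon, but the GUIDs, paths, user SID and the `BENIGN_WRITERS` allowlist are assumptions made for the example.

```python
"""Hypothesis-driven hunt over Sysmon-style telemetry (added example; not Tarlogic's code).
Hypothesis: Office document -> script interpreter -> Run-key persistence (T1547.001)."""
from collections import Counter

RUN_KEY_MARKER = "\\currentversion\\run\\"   # matches HKLM and HKCU/HKU Run keys (lower-cased)
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Processes that legitimately write Run values; assumed allowlist to keep noise down.
BENIGN_WRITERS = {"msiexec.exe", "explorer.exe"}

# Constructed telemetry.  GUIDs, paths and SID are made up; field names follow Sysmon.
TELEMETRY = [
    {"EventID": 1, "UtcTime": "2023-07-10 08:00:01", "ProcessGuid": "{EXPLORER}",
     "ParentProcessGuid": "{USERINIT}", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2023-07-10 08:01:10", "ProcessGuid": "{OUTLOOK}",
     "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "outlook.exe"},
    {"EventID": 1, "UtcTime": "2023-07-10 08:07:42", "ProcessGuid": "{WORD}",
     "ParentProcessGuid": "{OUTLOOK}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'winword.exe /n "C:\Users\alice\AppData\Local\Temp\invoice_2023.docm"'},
    {"EventID": 1, "UtcTime": "2023-07-10 08:07:55", "ProcessGuid": "{PS}",
     "ParentProcessGuid": "{WORD}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 13, "UtcTime": "2023-07-10 08:08:03", "ProcessGuid": "{PS}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe"},
    # Benign noise: an installer writing its tray application to HKLM Run.
    {"EventID": 1, "UtcTime": "2023-07-10 09:15:00", "ProcessGuid": "{MSI}",
     "ParentProcessGuid": "{EXPLORER}", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i vendor.msi /qn"},
    {"EventID": 13, "UtcTime": "2023-07-10 09:15:20", "ProcessGuid": "{MSI}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    # Same suspicious process touching a key outside Run: not this hypothesis.
    {"EventID": 13, "UtcTime": "2023-07-10 08:08:05", "ProcessGuid": "{PS}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def telemetry_coverage(events):
    """Question 1: which event types exist at all?  Without EventID 13 this hunt is blind."""
    return Counter(e["EventID"] for e in events)


def detect_run_key_writes(events):
    """Question 2: Run-key value writes by a process that is not a known benign writer."""
    return [e for e in events
            if e["EventID"] == 13
            and RUN_KEY_MARKER in e["TargetObject"].lower()
            and image_name(e["Image"]) not in BENIGN_WRITERS]


def process_ancestry(events, guid):
    """Question 3: follow ParentProcessGuid links until telemetry runs out (child first)."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:   # `seen` guards against malformed loops
        seen.add(guid)
        chain.append(image_name(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def investigate(events):
    """Tie detection to root cause: each hit with its lineage and whether Office started it."""
    findings = []
    for hit in detect_run_key_writes(events):
        chain = process_ancestry(events, hit["ProcessGuid"])
        findings.append({"value": hit["TargetObject"], "payload": hit["Details"],
                         "chain": chain,
                         "office_origin": any(p in OFFICE_APPS for p in chain)})
    return findings


if __name__ == "__main__":
    print("telemetry:", dict(telemetry_coverage(TELEMETRY)))
    for f in investigate(TELEMETRY):
        print(f["value"], "->", f["payload"])
        print("  lineage:", " <- ".join(f["chain"]), "| office origin:", f["office_origin"])
```

Two design points matter for a real deployment. Processes are keyed by `ProcessGuid` rather than PID because PIDs are reused and a hunt over hours of telemetry would otherwise attach the wrong parent; and the allowlist is deliberately tiny, since an over-broad one is exactly the gap an operator-driven adversary looks for (`explorer.exe` is on it only because the Windows shell writes Run values during normal use). The payload path recorded in `Details` is the natural pivot for the impact assessment the third question asks for: the next hunt query is for every host where that file has executed.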
7.2. Red Team exercises to optimize defenses
Tarlogic’s solution for companies to address advanced persistent threats also includes the provision of Red Team services to design and implement APT compromise exercises.
Tarlogic's professionals agree the design of the APT compromise exercise with the organization that has contracted the service: the entry vectors and the impact activities. During its execution, the Tarlogic team launches a targeted attack against the organization to:
- Access the IT infrastructure.
- Infect corporate systems.
- Perform lateral movements and escalate privileges.
- Control compromised assets over time, ensuring persistence in the infrastructure.
- Perform agreed impact activities, ranging from ransomware deployment to exfiltration of confidential information.
7.2.1. Benefits
What are the benefits of these engagement exercises designed and executed by a highly skilled and experienced Red Team?
- Assess the risks of an APT to an organization and its critical assets.
- Analyze the organization’s detection and response capabilities to advanced persistent threats.
- Determine the level of maturity and resilience of the company’s defensive capabilities.
- Establish possibilities for improving the defensive layers to increase resilience against APTs.
- Transfer all the knowledge generated to the Blue Team, Threat Hunting, and SOC teams, supporting their training and improving their coordination so that they can respond effectively to advanced persistent threats.
In short, advanced persistent threats and the groups that design and implement them have become increasingly important economically and socially in recent years. These targeted and sophisticated attacks challenge the defensive capabilities of businesses and institutions worldwide.
That’s why improving resilience against advanced persistent threats has become a priority for organizations that want to be prepared to detect, respond to, and mitigate these attacks and survive their impact.
After all, as John le Carré wrote in Tinker Tailor Soldier Spy, «What is survival? An infinite capacity for suspicion».