• Threat: The Adversary is organized, funded, motivated. There is a high level of intent to these attacks. Unlike malware that simply seeks to find any vulnerability and is cast like one would throw a fishing net, APTs are focused on a target until a mission is attained.

APTs are not actually groups of people but a description of the malware toolkits used by hackers. By examining the malware samples and correlating the metadata (the background information embedded in code) of the attacks you can discover much about the real world people on the other end in a way that code cannot tell you. By scrutinizing when malware kits are compiled, you can discover where development operations leading up to an attack occur. In most toolkits attributed to Russian hacking groups, the timecodes on their digital metadata occurs in one of the two Eastern hemisphere time zones of UTC+3 or UTC+4, indicating Eastern Europe and/or Western Russia as a likely development zone. Then there are sometimes tags in the code that indicate a similarity only found in a batch of malware like the “Sandworm” group, whose attacks were identified by a cyber security firm who noticed the code was laced with references to Frank Herbert’s book Dune.

These clues help forensic investigators piece together not only the story of a particular infection, but the trajectory of development by hackers who do not reveal themselves by name but by deed.

For example, CyberBerkut, a group of pro-Russian hackivists almost wholly focused on anti-Ukraine activity, includes subgroups who will announce their attacks as well as their ideology. CyberBerkut’s methods, tools, and remnants can be examined in the open, allowing investigators to attribute CyberBerkut’s contribution to the known attacks as they look for additional threats by groups who have aims beyond Ukraine. The same has been true for the APT29 malware sets known as COZY BEAR (aka “The Dukes”). The Finnish cybersecurity firm F-Secure found a series of malware sets that varied according to their version of development and improvements over time.

For example, private Russian hacker Dmytro Oleksiuk created a set of malware called BlackEnergy1 in 2007 to stop up networks through DDoS (distributed denial-of-service) attacks, where millions of pieces of emails or data to a single IP address create a massive internet traffic jam that stops all data flows.¹ This malware was used by a group of Russian hackers in 2008 to overwhelm the Georgian internet. In 2010 a second variant, BlackEnergy2, emerged, containing more advanced malware tools inside. Finally, Russian intelligence took it and developed BlackEnergy3. Sandworm used a malware kit named BlackEnergy3 (the 3^rd variant, or 3.0) to attack power plants in Ukraine.

In order to keep track of Advanced Persistent Threats (APTs) cyber firms designate the APTs with easily-remembered names associated with clustered behavior. They are also known by a variety of other names depending on the firms who have detected and catalogued their malware and activities. According to Richard Bejtlich of Mandiant, a cyber security firm associated with FireEye, and a former USAF information warfare agency operative, the practice came from US Air Force analysts who were working with civilians and needed a way to discuss the attacks with civilians.²

APTs work by using a combination of code, social engineering (asking innocent questions and getting secrets), and common human errors to achieve their goals. They are capable of adapting to the most up-to-date security systems. As a persistent threat, they require constant vigilance on the part of security firms, developers, governments, institutions, and private enterprise. The tools these groups use are constantly evolving, even as security firms track their development and create patches to protect from their intrusion.

A Zero-day (or written 0day) is a vulnerability in code that has remained undetected until it becomes active, giving a target zero days to manage the effects of the vulnerability. If discovered first by hackers, then the target organization is at risk unless the hacker is friendly and working for them (called a White Hat hacker). If the hacker is from a malicious group (Black Hat hackers) the hacker can exploit the vulnerability until they are detected by cyber security experts.

Many hackers develop “0day exploits” and can either use them directly or sell them. Sales of 0day exploits are lucrative business on the black-market via the Dark Web. In order to find these holes in security, hackers have to develop a comprehensive profile of the target to include what email systems are used, what operating systems are in play, and what proprietary computer systems are in use. For the Democratic National Committee hack they used a custom computer system created by NGP VAN, a specialist computer company that helps Progressive non-profits. Malware samples discussed in the CrowdStrike report on the hack showed that the attackers were custom coding components to be used for that specific attack on that specific software to get a very specific result—Watergate 2.0.3

After detecting hacking activity, the victim often helps security companies and government agencies to determine the attacker’s origin or backers. APTs from China tend to focus only on Chinese government interests, which could include activities of its neighbors, or as seen in the past few years the Chinese buildup in the South China Sea. Some well-documented APTs developed by China include Blue Termite, The Elderwood Platform, Hidden Lynx, Deep Panda, and Putter Panda (APT2). Computer security authorities have identified APT1 as departments of the Chinese People’s Liberation Army (PLA) and also carries the APT name, “PLA Unit 61398.” It is well known for its focus on U.S. technology firms.

The Iranians are often labeled under APT names associated with Kittens. Rocket Kitten, for instance was credited in August of 2016 for cracking the Telegram encryption, constituting a threat to dissidents in or related to Iran. Other groups included Flying Kitten, Magic Kitten, and Clever Kitten just to name a few.

The Russians, similar to the Chinese, focus on Eastern Europe, NATO forces, the United States, and opposition to Russian interests. These attacks range from hits on a power station in Ukraine to an attack on the World Anti-Doping Agency in August 2016. While many firms do not directly attribute attacks to nation states capriciously, they do reveal the metadata patterns that indicate Russian or Chinese involvement, including examples of the OS the hackers used to compile the malware, IP ranges associated with spear-phishing-waterhole attacks, to the domain names used to spoof the target into clicking on hot links. Unlike Russian cyber criminals, Russian government APTs are focused almost purely on cyber espionage.

Criminal APTs or CRIMINAL BEARS, like Anunak/Carbanak and BuhTrap clearly focus on banking institutions across the world. First detected in December 2013, Carbanak stole well over a $1 billion in strikes against U.S. retailers, including office retailer Staples. They use very similar methods to other APTs, such as spear-phishing campaigns. Spearphishing is a malicious, fraudulent email that appears to come from a trusted source. It generally contains a hyperlink to a false sign-in page to enter your passwords, credit card, or other information. It could also be a direct link to a virus.

Like the nation-state actors, the Carbanak method of stealing financial data exploits malware with a backdoor that replicates itself as “svhost.exe” before it connects to a command-and-control server to download more files and begin probing for more vulnerabilities. The APT can then download additional tools to take control over the infected computer, including keylogging, as well as capturing data from screen captures, microphones, and video cameras. Carbanak has even documented their operations in video form to evaluate the process and train others. The data that this group seeks to exfiltrate may go beyond financial information alone, but the primary goal has been to steal funds via fraudulent transactions.