APTs (Advanced Persistent Threats) are sophisticated threat groups, usually financially backed by countries, that perform well-targeted attacks on an organization, nation, or state.
Goals of APTs
The goals of APTs are primarily to
There are two main factors that can be used to identify if an attack can be attributed to an APT or if it is a random attack:
Technical Identification - APTs often create customized and complex threat vectors, malware, and techniques. These unique signatures and methods can be used as an indicator to identify if the actors behind an attack are an APT.
Context - Attacks by APTs are usually conducted for geopolitical, military, or financial gain. Understanding the context behind an attack can help identify the APT or the sponsor behind it.
Types of APT Groups
i) Nation-State Sponsored Groups
These are APTs that are sponsored, funded, directed, and backed by a government to conduct cyber operations.
Motivation - The intention of such attacks is usually to steal sensitive political, military, or economic data, conduct IP theft, damage an organization's critical infrastructure, or even influence public opinion on elections.
Targets - Targets for these groups include governments, defense contractors, journalist organizations, energy-related organizations, and more.
ii) Financially Motivated Groups
These APTs target large organizations with custom attacks or zero-day vulnerabilities, often in ransomware attacks.
Motivation - Financial gain. This is usually done through ransomware attacks, stealing users' banking details, credit card data, and more.
Targets - Financial institutions, hospitals, and the healthcare sector.
iii) Hacktivist-Backed APTs
These are APTs associated with goals that promote political agendas or ideologies.
APT Naming Conventions
The naming conventions of APT groups are often based on geographic or nation-state associations. The APTs are usually named after animals that represent the country or region to which they belong.
Bears
The bear is the national symbol of Russia; therefore, it is associated with Russian APT groups.
E.g.: Cozy Bear (APT29) and Fancy Bear (APT28)
Pandas
The panda is an iconic symbol of China and represents Chinese APT groups.
E.g.: Elderwood Panda
Falcons
These are a symbol of strength and pride in Middle Eastern and North African cultures.
E.g.: Desert Falcon
Naming Anomalies
Various cybersecurity companies, antivirus vendors, researchers, and attribution organizations like CrowdStrike use different naming conventions based on the country or state of origin.
Therefore, a common reference sheet titled "APT Groups & Operations" has been created, which provides clear-cut, well-structured details of these groups.
All Rights Reserved. Copyright , Central Coast Communications, Inc.