Advanced Persistent Threat Groups – The Stealth Attacker

On January 25, 2021, Google’s Threat Analysis Group (TAG) announced that over the past several months, it had identified an ongoing campaign by a North Korean government-backed advanced persistent threat (APT) group. According to Google, the group of hackers created fake social media profiles and established communication with cybersecurity researchers. The hackers then proposed a collaboration on vulnerability research and sent the researchers a link to a Visual Studio Project, which contained malicious code.

Attacks launched by APT groups are on the rise. In response, the market for protection against such attacks is growing as well.

So let’s discuss this type of criminal activity. Who are these groups? What are they after? And do they pose a threat to your organization?

What makes APT groups so dangerous

An APT group is a type of criminal cyber group – often state-sponsored – that tries to gain unauthorized access to a network and, once successful, stays undetected for weeks, or even months, in an attempt to maximize the amount of data they exfiltrate or compromise.

The reason APT groups tend to be more dangerous is their motivation, which is typically economic, national security, or political in nature. The goal is to undermine an enemy state. That’s why APT groups act stealthily. Once they gain access to a network, they make every effort not to raise any red flags in the system, slowly but surely stealing data or otherwise compromising its integrity.

Furthermore, APT groups tend to repeat their attack attempts on targets over and over again in the hopes of maximizing the damage.

How APT groups launch their attacks

APT groups, like other hackers, employ a range of tactics to infiltrate a network: zero-day exploits, spyware, phishing and spear-phishing, social engineering, trojans, ransomware, and others.

Sometimes, APT groups “outsource” the hacking part. They buy information from smaller cybercriminal groups on the dark web and take over the attack from there.

Who APT groups target

Since APT groups’ motivations are largely political or economic, they often target government organizations, military facilities, research facilities and think tanks, and healthcare organizations.

In 2018, the Singapore government announced that its health system had been hacked by what it believed to be a state-sponsored APT actor. The attack involved the exfiltration of politicians’ medical records. Government organizations may seem like the most obvious target – and, indeed, they experience a significant number of such attacks – but they are far from the only one.

APT groups are after sensitive, confidential information. Such information comes in different forms. For example, healthcare organizations hold patient information such as medical records, addresses, social security numbers, etc. Municipalities are a treasure trove of sensitive data – constituents’ payment information, addresses, financial records, etc. Educational institutions often conduct important research, which makes them a target of APT attacks.

How to protect against APT attacks

Of course, there is the standard list of protection measures your organization should take: employee training, anti-malware software, a firewall, etc. However, to protect against APT attacks – or rather to minimize the risk of an attack succeeding – organizations must also invest in an intrusion prevention system and a threat detection and prevention solution, create a sandbox environment in which to run new programs and applications, and, ideally, move to a zero-trust infrastructure.

Finally, your network’s logs should be analyzed continuously by an AI- and ML-enabled solution, which can spot suspicious behavior and make connections that your IT team may not be able to make on its own given the volume of log data.
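The log-analysis point above is the one that matters most against the “slowly but surely” data theft described earlier: each day’s transfer can stay under a per-event volume alarm while the running total grows. The following is an added example, not code from the original article or from any product it refers to. It assumes a simplified proxy log format (timestamp, source host, destination domain, bytes sent), uses constructed sample lines, and flags host/destination pairs that move a modest amount of data on many distinct days, reporting how tightly clustered the time of day is as a hint of scheduled, automated activity.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

# Constructed sample log lines (not real data). Format assumed for this
# example: "<ISO8601 timestamp> <source host> <destination domain> <bytes sent>"
SAMPLE_LOG = """\
2021-02-01T09:12:03Z ws-17 update.example-vendor.com 1800
2021-02-01T22:41:10Z ws-17 cdn.example-share.net 48000
2021-02-02T22:39:55Z ws-17 cdn.example-share.net 51000
2021-02-03T22:42:31Z ws-17 cdn.example-share.net 47500
2021-02-04T22:40:08Z ws-17 cdn.example-share.net 52000
2021-02-05T22:41:47Z ws-17 cdn.example-share.net 49000
2021-02-06T22:40:52Z ws-17 cdn.example-share.net 50500
2021-02-02T10:03:19Z ws-04 mail.example-corp.com 12000
2021-02-03T11:15:42Z ws-04 mail.example-corp.com 9000
2021-02-04T14:22:05Z ws-04 backup.example-corp.com 9000000
2021-02-05T09:45:11Z ws-04 docs.example-wiki.org 3000
"""

# Tunable thresholds (assumptions for this example, not vendor defaults).
MIN_DAYS = 5            # active on at least this many distinct days
MAX_PER_DAY = 100_000   # every single day stays under a typical per-event alarm...
MIN_TOTAL = 200_000     # ...yet the running total becomes significant


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            yield ts.replace(tzinfo=timezone.utc), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_low_and_slow(text):
    """Return {(src, dst): summary} for pairs matching the low-and-slow profile."""
    per_day = defaultdict(lambda: defaultdict(int))   # (src, dst) -> day -> bytes
    seconds_of_day = defaultdict(list)                 # (src, dst) -> [secs since midnight]
    for ts, src, dst, nbytes in parse_log(text):
        per_day[(src, dst)][ts.date()] += nbytes
        seconds_of_day[(src, dst)].append(ts.hour * 3600 + ts.minute * 60 + ts.second)

    findings = {}
    for pair, days in per_day.items():
        total = sum(days.values())
        peak = max(days.values())
        # The whole point: no single day trips MAX_PER_DAY, but the pattern does.
        if len(days) >= MIN_DAYS and total >= MIN_TOTAL and peak <= MAX_PER_DAY:
            findings[pair] = {
                "days": len(days),
                "total_bytes": total,
                "max_day_bytes": peak,
                # A small spread in time of day suggests a scheduled transfer
                # rather than a person browsing.
                "time_of_day_stdev_s": round(pstdev(seconds_of_day[pair]), 1),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_low_and_slow(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

On the sample data the single 9 MB transfer from ws-04 is not reported: that is the kind of event a per-transfer volume alarm already catches. What surfaces is ws-17 sending roughly 50 KB to the same external domain every night for six days, which no single-event rule would notice. The same aggregation works over any source of per-connection byte counts (proxy, firewall, or flow logs) once the parser is adapted to that format.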