Английская Википедия:Advanced persistent threat
Шаблон:Short description Шаблон:Use dmy dates An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.[3]
Such threat actors' motivations are typically political or economic.[4] Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.[5][6][7] Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software).[8]
APT attacks on mobile devices has also become a legitimate concern, since attackers are able to penetrate into cloud and mobile infrastructure to eavesdrop, steal, and temper data.[9]
The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reported the mean dwell-time for 2018 in the Americas as 71 days, EMEA as 177 days, and APAC as 204 days.[5] Such a long dwell-time allows attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objective.
Definition
Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.[3][10][11]
- Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.[10][12]
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state sponsored groups.[3][10]
History and targets
Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006[13] with Colonel Greg Rattray cited as the individual who coined the term.[14]
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.Шаблон:Citation needed[15]
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks.[16] Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.[17]
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest.[18][19][20] The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.[21]
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states.[22][23][24] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:[25]
- Agriculture[26]
- Energy
- Financial institutions
- Health care
- Higher education[27]
- Manufacturing
- Technology
- Telecommunications
- Transportation
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.[28]
Life cycle
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation[29] by following a continuous process or kill chain:
- Target specific organizations for a singular objective
- Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
- Use the compromised systems as access into the target network
- Deploy additional tools that help fulfill the attack objective
- Cover tracks to maintain access for future initiatives
The global landscape of APT's from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.[30]
In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT method between 2004 and 2013[31] that followed similar lifecycle:
- Initial compromiseШаблон:Sndperformed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees will be likely to visit.[32]
- Establish footholdШаблон:Sndplant remote administration software in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
- Escalate privilegesШаблон:Snduse exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
- Internal reconnaissanceШаблон:Sndcollect information on surrounding infrastructure, trust relationships, Windows domain structure.
- Move laterallyШаблон:Sndexpand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
- Maintain presenceШаблон:Sndensure continued control over access channels and credentials acquired in previous steps.
- Complete missionШаблон:Sndexfiltrate stolen data from victim's network.
In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with longest – almost five years.[31] The infiltrations were allegedly performed by Shanghai-based Unit 61398 of People's Liberation Army. Chinese officials have denied any involvement in these attacks.[33]
Previous reports from Secdev had previously discovered and implicated Chinese actors.[34]
Mitigation strategies
There are tens of millions of malware variations,[35] which makes it extremely challenging to protect organizations from APT. While APT activities are stealthy and hard to detect, the command and control network traffic associated with APT can be detected at the network layer level with sophisticated methods. Deep log analyses and log correlation from various sources is of limited usefulness in detecting APT activities. It is challenging to separate noises from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs.[36] Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when applying cyber threat intelligence to hunt and adversary pursuit activities.[37][38] Human-Introduced Cyber Vulnerabilities (HICV) are a weak cyber link that are neither well understood nor mitigated, constituting a significant attack vector.[39]
APT groups
China
Шаблон:Further Since Xi Jinping became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security gained more responsibility over cyberespionage vis-à-vis the People's Liberation Army, and currently oversees various APT groups.[40] According to security researcher Timo Steffens "The APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individual, and private and public sectors."[41]
- PLA Unit 61398 (also known as APT1)
- PLA Unit 61486 (also known as APT2)
- Buckeye (also known as APT3)[42]
- Red Apollo (also known as APT10)
- Numbered Panda (also known as APT12)
- DeputyDog (also known as APT17)[43]
- Codoso Team (also known as APT19)
- Wocao (also known as APT20)[44][45]
- APT 27[46]
- PLA Unit 78020 (also known as APT30 and Naikon)
- Zirconium[47] (also known as APT31)[48]
- Periscope Group (also known as APT40)
- Double Dragon[49] (also known as APT41, Winnti Group, Barium, or Axiom)[50][51][52]
- Dragonbridge[53]
- Hafnium[54][55]
- LightBasin[56][57] (Also known as UNC1945)
- Tropic Trooper[58][59]
- Volt Typhoon[60]
Iran
- Elfin Team (also known as APT33)
- Helix Kitten (also known as APT34)
- Charming Kitten (also known as APT35)
- Remix Kitten (also known as APT39, and ITG07, and Chafer).[61][62]
- Pioneer Kitten[63]
Israel
North Korea
- Ricochet Chollima (also known as APT37)
- Lazarus Group (also known as APT38)
- Kimsuky
Russia
- Fancy Bear (also known as APT28)
- Cozy Bear (also known as APT29)
- Berserk Bear
- FIN7
- Gamaredon[64] (also known as Primitive Bear) Шаблон:Efn
- Sandworm
- Venomous Bear[65]
Turkey
- StrongPity (also known as APT-C-41 and PROMETHIUM)[66]
United States
Uzbekistan
- SandCat, associated with the State Security Service according to Kaspersky[68]
Vietnam
- OceanLotus (also known as APT32)[69][70]
See also
- Bureau 121
- Chinese intelligence activity abroad
- Cyber spying
- Darkhotel
- Fileless malware
- Ghostnet
- Kill chain
- NetSpectre
- Operation Aurora
- Operation Shady RAT
- Proactive cyber defence
- Spear-phishing
- Spyware
- Stuxnet
- Tailored Access Operations
- Unit 180
- Unit 8200
Notes
References
Further reading
- Gartner Best Practices for Mitigating Advanced Persistent Threats
- Bell Canada, Combating Robot Networks and Their Controllers: PSTP08-0107eSec 06 May 2010 (PSTP)
- Prepare for 'post-crypto world', warns godfather of encryption
- Defence Research: The Dark Space Project APT0 Шаблон:Webarchive
- Gartner: Strategies for Dealing With Advanced Targeted Attacks
- XM Cyber: Remote file infection by an APT attack example
- Secdev, "GhostNet" was a large-scale cyber spying operation discovered in March 2009
- Secdev, "Shadows in the Cloud". A complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.
- List of Advanced Persistent Threat Groups
- FireEye: Advanced Persistent Threat Groups
- MITRE ATT&CK security community tracked Advanced Persistent Group Pages
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ 3,0 3,1 3,2 Шаблон:Cite news
- ↑ Шаблон:Cite book
- ↑ 5,0 5,1 Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite journal
- ↑ 10,0 10,1 10,2 Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite journal
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite news
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite book
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ 31,0 31,1 Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite book
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite news
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite news
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite magazine
- ↑ Шаблон:Cite news
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite web
- ↑ Шаблон:Cite news
