APT Attribution
Cyber Security Foundational Knowledge: Advanced Persistent Threat Attribution
Date: 23 June 2023
Executive Summary:
Advanced Persistent Threats (APTs) are sophisticated cyber attacks launched by well-funded and highly skilled threat actors with specific objectives. APTs represent a significant and persistent threat to organizations across various sectors, including government entities, corporations, and critical infrastructure. Unlike traditional cyber attacks that focus on immediate gains, APTs involve a prolonged and targeted campaign aimed at breaching an organization's defenses, establishing a presence within the network, and exfiltrating sensitive data or disrupting operations over an extended period. The following analysis sheds light on APT threat actors and the challenges associated with their attribution.
List of Known Advanced Persistent Threats (APTs) and Attributions
Well Known APTs
APT Group | Attributed Origin |
---|---|
APT1 (Comment Crew) | China |
APT10 (Stone Panda) | China |
APT12 (Hidden Lynx) | China |
APT16 (Wicked Panda) | China |
APT17 (DeputyDog) | China |
APT18 (Dynamite Panda) | China |
APT19 (Codoso Team) | China |
APT28 (Fancy Bear) | Russia |
APT29 (Cozy Bear) | Russia |
APT30 (Pirates of the South China Sea) | China |
APT32 (OceanLotus) | Vietnam |
APT33 (Elfin) | Iran |
APT34 (OilRig) | Iran |
APT37 (Reaper) | North Korea |
APT38 (Lazarus Group) | North Korea |
APT39 (Chafer) | Iran |
APT41 (Barium) | China |
Axiom | China |
Carbanak | Russia |
DarkHotel | Unknown, possibly South Korea |
Equation Group | United States (alleged) |
Lesser Known APTs
APT Group | Attributed Origin |
---|---|
Alice | Unknown |
AridViper | Middle East |
APT-C-27 | China |
APT-C-28 | China |
Astaroth | Brazil |
BlackTech | Taiwan |
Black Vine | China |
Bisonal | North Korea |
Buhtrap | Russia |
Chafer | Iran |
Cobalt Group | Unknown |
DarkHotel | Unknown |
Dragonfly | Unknown |
Dropping Elephant | China |
Dust Storm | Unknown |
Energetic Bear | Russia |
Evilnum | Unknown |
FIN7 | Unknown |
Gallmaker | Unknown |
GCMAN | Russia |
Gorgon Group | Unknown |
GreyEnergy | Unknown |
Honeybee | China |
Inception | Unknown |
Ke3chang | China |
Lotus Blossom | China |
LunarSpider | Unknown |
Machete | Latin America |
MirageFox | China |
MuddyWater | Middle East |
Mustang Panda | China |
Naikon | China |
Oceansalt | North Korea |
OilRig | Iran |
Poseidon Group | China |
RainyDay | China |
Silence Group | Unknown |
Sowbug | South America |
TA505 | Unknown |
Thrip | China |
Transparent Tribe | Pakistan |
TrickBot | Russia |
WildNeutron | Unknown |
Xenotime | Unknown |
The attribution of APTs is a complex and challenging process. It involves identifying and determining the origin of the threat actor responsible for orchestrating the attack. Attribution relies on a combination of technical indicators, intelligence gathering, and analysis of tactics, techniques, and procedures (TTPs) used by the APT group.
Key elements used in the attribution process include:
- Technical Indicators:
Analysis of malware samples, network traffic patterns, and infrastructure used in the attack provides crucial evidence in determining the source of the APT. These indicators may include unique code signatures, language preferences, or specific tools and techniques associated with a particular threat actor or group.
- Intelligence Gathering:
Collaboration with intelligence agencies, industry partners, and security researchers is essential in gathering information on APT groups. Intelligence reports, threat intelligence feeds, and open-source intelligence (OSINT) contribute to the attribution process by providing insights into the activities, motivations, and historical behavior of known APT actors.
- TTP Analysis:
APT groups often exhibit distinct TTPs, which can reveal patterns and similarities across multiple attacks. Analyzing these tactics, such as specific exploitation techniques, command and control infrastructure, or social engineering methods, assists in linking attacks to known APT groups or threat actors.
- Human Intelligence:
Human intelligence sources, such as insiders, informants, or infiltrated agents, can provide valuable information regarding the identity or affiliations of APT actors. This intelligence is often combined with technical analysis to strengthen attribution efforts.
Despite these methodologies, achieving definitive attribution for APTs is challenging due to the constant evolution of threat actor techniques, the use of false flags, and the potential involvement of nation-states or state-sponsored actors. Attribution is therefore assessed with varying degrees of confidence, acknowledging the limitations and uncertainties inherent in the process.
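As an added illustration of the TTP-analysis step and the confidence caveat above (example code written for this page, not part of the original document): a rarity-weighted TTP-overlap scorer that ranks candidate groups and downgrades confidence when the evidence does not discriminate between them. The group names, their technique profiles and the two incident TTP sets are constructed; the ATT&CK technique IDs are real identifiers used only as labels.

```python
from collections import Counter

# Constructed sample profiles, not real intelligence: group -> ATT&CK technique
# IDs it is assumed to have used. The IDs are real ATT&CK identifiers; the
# group names and their mappings are made up for this example.
KNOWN_GROUPS = {
    "GroupA": {"T1566.001", "T1059.001", "T1071.001", "T1027", "T1003.001"},
    "GroupB": {"T1566.002", "T1059.003", "T1071.004", "T1027", "T1486"},
    "GroupC": {"T1190", "T1505.003", "T1003.001", "T1021.002", "T1027"},
}
# Constructed TTPs observed in two hypothetical incidents.
INCIDENT_ONE = {"T1566.001", "T1059.001", "T1027", "T1003.001"}
INCIDENT_TWO = {"T1027", "T1003.001", "T1110"}  # T1110 is in no profile


def technique_weights(profiles):
    """Rarity weight = 1 / number of groups using the technique: tradecraft
    shared by every group (e.g. obfuscation) is weak evidence, a technique
    seen from a single group is strong evidence."""
    usage = Counter(t for ttps in profiles.values() for t in ttps)
    return {t: 1.0 / n for t, n in usage.items()}


def score_candidates(observed, profiles):
    """Share of the rarity-weighted observed evidence each profile explains.
    Techniques unknown to every profile count at full weight against all."""
    weights = technique_weights(profiles)
    total = sum(weights.get(t, 1.0) for t in observed)
    if not total:
        return {group: 0.0 for group in profiles}
    return {group: round(sum(weights[t] for t in observed & ttps) / total, 3)
            for group, ttps in profiles.items()}


def assess(observed, profiles, high=0.6, moderate=0.3):
    """Rank candidates and attach a confidence level. Confidence needs both a
    strong score and clear separation from the runner-up: two groups scoring
    alike means the TTPs do not discriminate (shared tooling, or a possible
    false flag), so the call is downgraded rather than forced."""
    scores = score_candidates(observed, profiles)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    margin = best_score - runner_up
    if best_score >= high and margin >= 0.2:
        confidence = "high"
    elif best_score >= moderate and margin >= 0.1:
        confidence = "moderate"
    else:
        confidence = "low"
    return {"candidate": best, "score": best_score,
            "confidence": confidence, "margin": round(margin, 3)}
```

Running `assess(INCIDENT_TWO, KNOWN_GROUPS)` yields a tie between GroupA and GroupC on commodity techniques and is reported as low confidence, whereas INCIDENT_ONE's rare techniques point to GroupA with high confidence.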
To mitigate the impact of APTs, organizations must focus on robust cybersecurity measures, including threat intelligence programs, network monitoring, employee awareness training, and proactive incident response capabilities. By staying informed about APT activities and adopting a comprehensive defense strategy, organizations can enhance their resilience against these persistent and highly skilled adversaries.