APT Attribution

Cyber Security Foundational Knowledge: Advanced Persistent Threat Attribution
Date: 23 June 2023

Executive Summary:

Advanced Persistent Threats (APTs) are sophisticated cyber attacks launched by well-funded and highly skilled threat actors with specific objectives. APTs represent a significant and persistent threat to organizations across various sectors, including government entities, corporations, and critical infrastructure. Unlike traditional cyber attacks that focus on immediate gains, APTs involve a prolonged and targeted campaign aimed at breaching an organization's defenses, establishing a presence within the network, and exfiltrating sensitive data or disrupting operations over an extended period. The following analysis sheds light on APT threat actors and the challenges associated with their attribution.

List of Known Advanced Persistent Threats (APTs) and Attributions

Well Known APTs

APT Group Attributed Origin
APT1 (Comment Crew) China
APT10 (Stone Panda) China
APT12 (Hidden Lynx) China
APT16 (Wicked Panda) China
APT17 (DeputyDog) China
APT18 (Dynamite Panda) China
APT19 (Codoso Team) China
APT28 (Fancy Bear) Russia
APT29 (Cozy Bear) Russia
APT30 (Pirates of the South China Sea) China
APT32 (OceanLotus) Vietnam
APT33 (Elfin) Iran
APT34 (OilRig) Iran
APT37 (Reaper) North Korea
APT38 (Lazarus Group) North Korea
APT39 (Chafer) Iran
APT41 (Barium) China
Axiom China
Carbanak Russia
DarkHotel Unknown, possibly South Korea
Equation Group United States (alleged)

Lesser Known APTs

APT Group Attributed Origin
Alice Unknown
AridViper Middle East
APT-C-27 China
APT-C-28 China
Astaroth Brazil
BlackTech Taiwan
Black Vine China
Bisonal North Korea
Black Vine China
Buhtrap Russia
Chafer Iran
Cobalt Group Unknown
DarkHotel Unknown
Dragonfly Unknown
Dropping Elephant China
Dust Storm Unknown
Energetic Bear Russia
Evilnum Unknown
FIN7 Unknown
Gallmaker Unknown
GCMAN Russia
Gorgon Group Unknown
GreyEnergy Unknown
Honeybee China
Inception Unknown
Ke3chang China
Lotus Blossom China
LunarSpider Unknown
Machete Latin America
MirageFox China
MuddyWater Middle East
MuddyWater Middle East
Mustang Panda China
Naikon China
Oceansalt North Korea
OilRig Iran
Poseidon Group China
RainyDay China
Silence Group Unknown
Sowbug South America
TA505 Unknown
Thrip China
Transparent Tribe Pakistan
TrickBot Russia
WildNeutron Unknown
Xenotime Unknown

The attribution of APTs is a complex and challenging process. It involves identifying and determining the origin of the threat actor responsible for orchestrating the attack. Attribution relies on a combination of technical indicators, intelligence gathering, and analysis of tactics, techniques, and procedures (TTPs) used by the APT group.

Key elements used in the attribution process include:

  • Technical Indicators:

    Analysis of malware samples, network traffic patterns, and infrastructure used in the attack provides crucial evidence in determining the source of the APT. These indicators may include unique code signatures, language preferences, or specific tools and techniques associated with a particular threat actor or group.

  • Intelligence Gathering:

    Collaboration with intelligence agencies, industry partners, and security researchers is essential in gathering information on APT groups. Intelligence reports, threat intelligence feeds, and open-source intelligence (OSINT) contribute to the attribution process by providing insights into the activities, motivations, and historical behavior of known APT actors.

  • TTP Analysis:

    APT groups often exhibit distinct TTPs, which can reveal patterns and similarities across multiple attacks. Analyzing these tactics, such as specific exploitation techniques, command and control infrastructure, or social engineering methods, assists in linking attacks to known APT groups or threat actors.

  • Human Intelligence:

    Human intelligence sources, such as insiders, informants, or infiltrated agents, can provide valuable information regarding the identity or affiliations of APT actors. This intelligence is often combined with technical analysis to strengthen attribution efforts.

Despite these methodologies, achieving definitive attribution for APTs is challenging due to the constant evolution of threat actor techniques, the use of false flags, and the potential involvement of nation-states or state-sponsored actors. Attribution is often assessed with varying degrees of confidence, acknowledging the limitations and uncertainties inherent in the process./

To mitigate the impact of APTs, organizations must focus on robust cybersecurity measures, including threat intelligence programs, network monitoring, employee awareness training, and proactive incident response capabilities. By staying informed about APT activities and adopting a comprehensive defense strategy, organizations can enhance their resilience against these persistent and highly skilled adversaries.