Origin & Evolution: An In-Depth Exploration of Advanced Persistent Threat (APT) Groups
This blog post explores the identification of APT (Advanced Persistent Threat) Groups and their attribution in cyber-attacks. Furthermore, it delves into the intriguing scarcity of groups originating from Western countries.
An Advanced Persistent Threat (APT) can be defined as a prolonged, targeted attack on a specific victim with the intention of compromising its systems and gaining information from or about that victim. APTs are intricate, methodically designed and executed by expert cyber criminals, often sponsored or backed by nation-states or criminal organizations. These threat actors stealthily infiltrate a network to steal or manipulate data over an extended period, remaining undetected by standard security measures. Technological vigilance and robust preventive security measures are critical in thwarting these sophisticated threats. AV-Comparatives regularly performs testing against such attacks.
Understanding APT Groups
APT stands for Advanced Persistent Threat, with APT Groups being the entities accountable for initiating these threats and the subsequent cyber-attacks. These groups are occasionally referred to synonymously as Cyber Threat Actors. APT groups are usually organized criminals. Such groups range from individuals and informally affiliated collectives to substantial, well-structured organizations backed by considerable resources, sometimes including state sponsorship. The motivations driving these groups are diverse, primarily falling into three categories: nation-state operatives, cybercriminal syndicates, and ideologically driven factions.
Categorization and Identification of APT Groups
Frequently, these groups target similar entities or employ recurring methodologies, enabling researchers to attribute attacks to specific groups. As attackers typically strive to maintain anonymity, pinpointing an attack’s origin and discerning its exact motives can be a complex endeavour. The process of unravelling the enigma of an attack’s purpose and its responsible actors may extend over months or even years, and in some instances, achieving absolute certainty remains elusive.
As previously noted, three primary categories encompass these groups: nation-state actors, cybercriminal syndicates, and those propelled by ideological motives, including hacktivists and terrorists. Cybercriminals pursue valuable data or direct monetary theft via digital avenues, employing tactics such as mass scams, phishing emails, establishing criminal infrastructures like botnets, and precision strikes on high-value targets. Nation-state actors serve the interests of their respective countries, engaging in endeavours such as intelligence gathering, sabotage, and disinformation campaigns. Another subset consists of thrill-seekers who aim to assess system security and demonstrate their skills. A final category consists of corporations involved in corporate espionage or competitive sabotage.
While nation-state attacks tend to garner greater media attention, cybercriminals pose a more prevalent risk to individuals and corporate entities.
Naming Conventions in Threat Actor Attribution
Diverse research entities adopt varying naming conventions when identifying uncovered threat actors. These conventions may draw from factors such as attack motivations, methodologies employed, or the perceived country of origin.
One nomenclature system employs attack types followed by numerals, wherein APT (Advanced Persistent Threat) serves as a generic designation, FIN designates financially incentivized groups, TEMP is allocated for transient threats, and UNC denotes uncategorized threat actors. Some research institutions utilize animals or mythical creatures tied to distinct countries or motivations. Microsoft has recently embraced a fresh nomenclature, utilizing weather phenomena such as Typhoon or Sandstorm to designate groups associated with specific countries or sectors.
This variation can result in the same attack group being independently discovered and given disparate names by separate research bodies. AV-Comparatives exclusively adheres to the nomenclature used on the MITRE ATT&CK group page to mitigate potential confusion. Below, we provide a compilation of the 138 APT Groups that they list as of August 1st, 2023. Our attribution details extend from other laboratories, and from the personal assessments of individual researchers in instances where MITRE offers no attribution or alternative sources present more comprehensive insights. It is essential to acknowledge that attribution remains a complex endeavour, inherently fraught with uncertainty. Threat actors actively endeavour to obfuscate their identity, employing tactics such as false leads to misguide investigators or mimicking methods utilized by other groups. Erroneous attribution of the source of a cyber-attack can have far-reaching repercussions, from diplomatic strains to unintended escalations in conflicts. Consequently, we cannot assert the infallibility of attribution accuracy, as our role entails relaying information collated by external sources.
Groups and affiliations are based on information available as of August 1st 2023 and are subject to change.
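The naming schemes described above (prefix-plus-number designations such as APT/FIN/TEMP/UNC, Microsoft's weather-phenomenon names, and vendor codenames) mean one group can appear under several labels in different reports. The following added example, which is not code from the original post or from AV-Comparatives, parses a designation into its scheme and merges vendor names under a canonical name using a constructed, purely hypothetical alias table (no real groups or attribution data):

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Prefix-plus-number schemes described in the post (APT/FIN/TEMP/UNC).
PREFIX_RE = re.compile(r"^(APT|FIN|TEMP|UNC)[\s.-]*([A-Za-z0-9]+)$", re.IGNORECASE)
# Microsoft weather families; the post mentions Typhoon and Sandstorm,
# the others are further families from the same Microsoft taxonomy.
WEATHER_FAMILIES = {"Typhoon", "Sandstorm", "Blizzard", "Sleet", "Tempest", "Storm"}

@dataclass(frozen=True)
class Designation:
    scheme: str                 # "prefix-number", "weather" or "codename"
    family: Optional[str]       # APT/FIN/TEMP/UNC, or the weather word
    identifier: Optional[str]   # the number/suffix, or the adjective in a weather name

def parse_designation(name: str) -> Designation:
    text = " ".join(name.split())
    m = PREFIX_RE.match(text)
    if m:
        return Designation("prefix-number", m.group(1).upper(), m.group(2))
    parts = text.split()
    if len(parts) == 2 and parts[1].capitalize() in WEATHER_FAMILIES:
        return Designation("weather", parts[1].capitalize(), parts[0].capitalize())
    return Designation("codename", None, None)

def normalize_key(name: str) -> str:
    """Lower-case, collapse whitespace and drop the separator after a prefix."""
    key = " ".join(name.lower().split())
    return re.sub(r"^(apt|fin|temp|unc)[\s.-]+", r"\1", key)  # "APT 999" -> "apt999"

# Constructed alias table for illustration only; every name here is hypothetical.
ALIASES: Dict[str, str] = {
    "apt999": "Example Group",
    "fin999": "Example Group",
    "coral typhoon": "Example Group",
    "example bear": "Example Group",
    "unc999": "Unnamed Cluster 999",
}

def merge_reports(names: List[str]) -> Dict[str, Set[str]]:
    """Group vendor names under one canonical name; unmapped names go under '?'."""
    merged: Dict[str, Set[str]] = {}
    for raw in names:
        canonical = ALIASES.get(normalize_key(raw), "?")
        merged.setdefault(canonical, set()).add(raw)
    return merged

if __name__ == "__main__":
    reports = ["APT 999", "FIN-999", "Coral Typhoon", "Example Bear", "UNC999", "Mystery Kitten"]
    for canon, raws in merge_reports(reports).items():
        print(canon, "<-", sorted(raws))
```

Names that fall into the '?' bucket are exactly the ones that need a human analyst before they are counted as a distinct group.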
APT Groups and Countries of Origin
The following map displays the countries from which APT Groups originate. This visual representation underscores the operational presence of these groups across every populated continent.
The chart below presents the leading countries ranked by the count of state-affiliated APT groups listed in the MITRE list, accompanied by the tally of non-state-affiliated APT groups within each nation.
Exploration and Identification of APT Groups
Cybersecurity research and the discernment of APT Groups are undertakings shared by governmental bodies and private enterprises. Security vendors occupy a distinctive vantage point, enabling them to surveil the threats their clients encounter. This grants them unparalleled insight into the global threat landscape, empowering them not only to respond to emerging threats but also to study overarching trends in cybersecurity. In contrast, government agencies predominantly concentrate on safeguarding critical infrastructure and attributing cybersecurity assaults, driven by motivations encompassing political considerations and potential financial reprisals. Furthermore, there exists a realm of independent research collectives that meticulously assemble catalogues of cyber threat actors.
The View from the Other Side – a Notable Absence
Upon examining the roster of threat actors, a conspicuous pattern emerges: a notable absence of European and American entities. A striking revelation surfaces, with nearly half of the state-affiliated groups traced back to China. Specifically, most of these attacks originate in China, often targeting the United States. The Council on Foreign Relations, headquartered in the United States, underscores the pronounced media and research spotlight on attacks linked to nation-states, regardless of the targets. Their studies underscore that a significant portion of state-sponsored cyber threat actors emanate from China, Russia, Iran, and North Korea.
The divergence between European research groups and their American counterparts becomes evident when dissecting the attribution landscape. European entities, reliant upon United States intelligence sharing and employing elevated standards for attribution, encounter fewer instances of assigning cyber threats to American origins. This trajectory aligns with governmental focus, prioritizing the exploration of attackers targeting their own interests rather than those targeting adversaries. Furthermore, the Five Eyes alliance demonstrates adept coordination in “naming and shaming” foreign threat actors, a strategy that has historically been less embraced by non-Western nations following revelations of cyber-attacks from Western sources.
An additional dimension of investigation involves the media’s response to USA-initiated attacks on Europe or other Western nations. Prominent cases, such as the revelations by Edward Snowden, show the United States as likely the most advanced and active threat actor operating across the globe, not stopping short of spying on its allies as well. Rewterz, which operates outside EU and US boundaries, has published Threat Intelligence claiming that cyber-attacks stem from both the United States and Europe. The data in the table below from Rewterz highlights the USA as a top cyber-attack origin. This differs from group compilations produced by Western countries, which mainly attribute attacks to China, Russia, and Iran.
While instances of United States-initiated cyber-attacks targeting other nations certainly exist, they frequently receive less media attention. Moreover, data biases contribute to this scenario, as Western cybersecurity firms have fewer clients in non-Western regions where they could potentially uncover attacks by Western actors.
Taken together, these factors explain the perception that a disproportionate majority of cyber-attacks originate from beyond Western borders.
Safeguarding Against APT Groups
With APT groups actively generating cyber threats across the globe, it’s essential to prioritize personal defence. Strengthening your digital security using reliable software becomes a strategic requirement. AV-Comparatives, a leader in cybersecurity assessment, rigorously evaluates security products through, for example, its Advanced Threat Protection Tests and Endpoint Prevention & Response Tests. These meticulous evaluations assess how effectively these products defend against targeted attacks and complex intrusions orchestrated by APT entities.