Making Sense of Today’s APT Groups

Adapted from SentinelOne

In recent months, there has been a marked uptick in nation-state cyber activity. Recently, we’ve learned that Chinese hackers stole information from Spanish centers working on COVID-19 vaccines. The U.S. Justice Department has indicted five Chinese nationals and two Malaysians who targeted over 100 companies, organizations and individuals in 14 countries. Three Iranian nationals have been indicted on charges of hacking U.S. aerospace and satellite companies, and APT39 has been spying on Iranian dissidents. Two additional Iranian hackers were also indicted for defacing multiple websites with pro-Iranian propaganda.

This surge in nation-state hacking activity is not a blip but a discernible trend. Attacks attributed to nation-state backed Advanced Persistent Threat (APT) groups have increased not only in terms of volume but also in scope and sophistication. The problem has been exacerbated because of COVID-19 and its impact on the global economy and international relations.

Concern about APT groups used to be a niche topic discussed primarily by government security experts and the cybersecurity industry, but it has now reached mainstream awareness, as can be seen in statements from U.S., U.K. and other Western government officials. Most recently, Australian Defense Minister Linda Reynolds made a public statement expressing concerns that malicious cyberattacks against Australian businesses and government agencies from a state-based actor, believed to be China, had increased over the past two months.

In my personal experience with Russian ransomware authors, attacks on German, English and American private, corporate and government targets from the former Soviet Union have been and will continue to be a consistent threat. Additionally, the biannual SonicWall Cyber Threat Report always shows clear evidence of these findings, since it gathers real threat data from over 1.1 million sensors located in over 215 countries and territories. What would be interesting to know is if these APT groups also fund themselves with ransomware to supplement their budgets from their government. We’ve seen this with North Korea, but the picture is unclear with Russian, Iranian and Chinese APT groups.

Making Sense of a Chaotic World

Reading all these headlines can be confusing. Who is attacking whom, why and how? Let’s try to break down the different nation-state activities in cyberspace.

Sabotage – The virtual can break out into the physical when nations use cyber means to cause damage to computer systems or physical systems of other nations. Attacks on critical infrastructure have increased sharply in the last two years. Among them, a tit-for-tat between Israel and Iran: an Iranian attack on Israel’s water infrastructure led to Israeli retaliation against the port of Shahid Rajaee, a reminder — should anyone have forgotten Stuxnet — that nations are not averse to launching cyberattacks with destructive force on those they perceive as enemies.

Classic Espionage – Good old-fashioned spying is a much more common activity than sabotage. Nations have been spying on each other since forever, but today much of the old ‘spy-craft’ activities are conducted in cyberspace. Data theft is easier, cheaper and relatively risk-free when you’re behind a keyboard hacking into a server in a different country and protected by the laws and security services of your own government.

Global Political Influence – Nations have long used psyops to gain an advantage over other countries, but cyberspace has given them the means to do so on a scale that was never dreamt of before. Nations can interfere with political processes in other countries with little regard and great reward. For example, nation-state actors meddling in the Scottish independence referendum, U.K. Brexit referendum, and the U.S. 2016 and 2020 elections are well-documented.

Regional Politics – Nations also want to exert strength in cyberspace to resolve (or escalate) regional conflicts. Chinese cyberattacks on Indian entities followed a skirmish between the two nations in the mountainous border region of Ladakh that resulted in dozens of casualties. Ukrainian security services reported in 2019 that Russian-backed Gamaredon APT had repeatedly targeted Ukrainian military and law enforcement agencies and individuals. Gamaredon reportedly launched at least 482 cyberattacks against Ukrainian critical infrastructure targets in a Russian-backed campaign to pursue a proxy war in cyberspace without incurring the political fallout of an actual, boots-on-the-ground military campaign.

Industrial Espionage – Unlike “classic” espionage, this activity is specifically aimed at closing the economic gap between nations by stealing intellectual property, then using it to either copy and reproduce technology or gain other unfair commercial advantages. China has been widely accused of engaging in spying on Western businesses, government agencies and technology companies for just this purpose. For example, desiring to build its own stealth jet, the Asian superpower is believed to have stolen the proven design of the US F-35 to shorten development and “time to market.” It’s been estimated that theft of American trade secrets by China costs the U.S. somewhere in the region of $300 billion to $600 billion every year.

Crime – Some nations are under extreme financial burden, made worse by international sanctions, so they resort to cybercrime to fill their coffers. North Korea is notorious for utilizing cybercrime for such purposes, and recently launched yet another campaign aimed at stealing money from U.S. banks and ATMs. Other APT Lazarus campaigns have focused on stealing cryptocurrencies and impersonating cryptocurrency exchanges. Unlike many other APTs, Lazarus writes malware that targets macOS users, too, as Apple’s platform is increasingly used by C-suite executives and others wary of the plethora of Windows malware.

The future

Stay tuned for part two of this blog, where I discuss the future of APT groups and how we defend against them, then and now. For more information on the use of endpoint security in the defense of advanced threats, read our solution brief Fitting Endpoint Security to Your Organization.

Brook Chelmo
Sr Product Marketing Manager | SonicWall
Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar. Fascinated by the growth of consumer internet, Brook dabbled in grey-hat hacking in the mid to late ’90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.