Mandiant---APT

Notes on the article

APT groups are sophisticated threat actors, often associated with nation-states or highly organized cybercriminal organizations, who conduct long-term cyber espionage campaigns against specific targets. Here's some common information you might find on APT groups:

  1. Group Names: APT groups are typically identified by code names assigned by security researchers or government agencies. Examples include APT28 (Fancy Bear), APT29 (Cozy Bear), APT33 (Elfin), and many others.

  2. Attribution: Attribution of APT activities can be challenging and often involves a combination of technical analysis, intelligence gathering, and geopolitical context. Security researchers and government agencies may publish reports attributing specific cyber attacks to APT groups.

  3. Tactics, Techniques, and Procedures (TTPs): Each APT group has its own set of tactics, techniques, and procedures (TTPs) that they use to conduct cyber espionage campaigns. These may include spear-phishing attacks, zero-day exploits, malware deployment, lateral movement, and data exfiltration.

  4. Targets: APT groups target a wide range of organizations and industries based on their objectives, capabilities, and geopolitical interests. Common targets include government agencies, defense contractors, financial institutions, technology companies, and critical infrastructure providers.

  5. Motivations: APT groups may have various motivations for their cyber activities, including espionage, intellectual property theft, financial gain, sabotage, or ideological reasons.

  6. Geopolitical Context: APT activities are often influenced by geopolitical factors, including international conflicts, regional tensions, and economic interests. Understanding the geopolitical context can provide insights into the objectives and targets of APT groups.

  7. Tools and Infrastructure: APT groups use a variety of tools and infrastructure to conduct their cyber espionage campaigns. These may include custom-developed malware, publicly available hacking tools, command-and-control (C2) servers, and compromised infrastructure.

  8. Mitigation and Defense: Organizations can mitigate the risk posed by APT groups by implementing various cybersecurity measures, including network segmentation, endpoint detection and response (EDR), intrusion detection systems (IDS), threat intelligence sharing, and employee security

Summary of various Advanced Persistent Threat (APT) groups:

  1. APT39:

    • Suspected Attribution: Iran
    • Target Sectors: Telecommunications, travel industry, IT firms, high-tech industry
    • Overview: Focuses on monitoring, tracking, or surveillance operations, collecting proprietary or customer data, and potentially collecting geopolitical data.
  2. APT35:

    • Suspected Attribution: Iran
    • Target Sectors: Military, diplomatic, government personnel, media, energy, defense industrial base, engineering, business services, telecommunications
    • Overview: Conducts long-term, resource-intensive operations to collect strategic intelligence, utilizing marginally sophisticated tools and complex social engineering efforts.
  3. APT34:

    • Suspected Attribution: Iran
    • Target Sectors: Financial, government, energy, chemical, telecommunications
    • Overview: Engaged in cyber espionage focused on reconnaissance efforts to benefit Iranian nation-state interests, operational since at least 2014.
  4. APT33:

    • Suspected Attribution: Iran
    • Target Sectors: Aerospace, energy
    • Overview: Targets organizations in the U.S., Saudi Arabia, and South Korea, particularly interested in the aviation sector and organizations in the energy sector with ties to petrochemical production.
  5. APT41:

    • Suspected Attribution: China
    • Target Sectors: Healthcare, telecoms, high-tech sector, video game industry, higher education, travel services, news/media firms
    • Overview: Prolific cyber threat group conducting Chinese state-sponsored espionage activity, financially motivated activity, and cyber crime intrusions.
  6. APT40:

    • Suspected Attribution: China
    • Target Sectors: Countries strategically important to the Belt and Road Initiative, engineering, defense, maritime, aviation, chemicals, research/education, government, technology
    • Overview: Targets global organizations, especially those involved in engineering and defense, conducting cyber espionage operations aligned with China's naval modernization efforts.
  7. APT31:

    • Suspected Attribution: China
    • Target Sectors: Government, international financial organizations, aerospace and defense, high tech, construction and engineering, telecommunications, media, insurance
    • Overview: Focuses on obtaining information for political, economic, and military advantages for the Chinese government and state-owned enterprises.
  8. APT30:

    • Suspected Attribution: China
    • Target Sectors: Members of the Association of Southeast Asian Nations (ASEAN)
    • Overview: Known for sustained activity since at least 2005, adept at modifying and adapting source code, and has the capability to infect air-gapped networks.
    • Associated Malware: SHIPSHAPE, SPACESHIP, FLASHFLOOD
    • Attack Vectors: Uses a suite of tools including downloaders, backdoors, and components designed to infect removable drives and cross air-gapped networks.
  9. APT27:

    • Suspected Attribution: China
    • Target Sectors: Various industries globally, with a notable presence in aerospace and transport or travel industries
    • Overview: Engages in cyber operations focused on intellectual property theft, particularly targeting data and projects that make organizations competitive within their fields.
    • Associated Malware: PANDORA, SOGU, ZXSHELL, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT
    • Attack Vectors: Primarily uses spear phishing as its initial compromise method, may exploit zero-day exploits once public, and may compromise vulnerable web applications.
  10. APT26:

    • Suspected Attribution: China
    • Target Sectors: Aerospace, Defense, Energy, among others
    • Overview: Engages in cyber operations focused on intellectual property theft, particularly targeting data and projects that make organizations competitive within their fields.
    • Associated Malware: SOGU, HTRAN, POSTSIZE, TWOCHAINS, BEACON
    • Attack Vectors: Frequently uses strategic web compromises to gain access to target networks and deploys custom backdoors.
  11. APT25:

    • Suspected Attribution: China
    • Target Sectors: Defense industrial base, media, financial services, transportation
    • Overview: Engages in cyber operations focused on data theft.
    • Associated Malware: LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, SABERTOOTH
    • Attack Vectors: Historically uses spear phishing with malicious attachments or links, may leverage zero-day exploits once public.
  12. APT24:

    • Suspected Attribution: China
    • Target Sectors: Government, healthcare, construction, engineering, mining, nonprofit, telecommunications
    • Overview: Targets organizations worldwide, focusing on data with political significance, likely monitoring nation-state positions on issues applicable to China.
    • Associated Malware: PITTYTIGER, ENFAL, TAIDOOR
    • Attack Vectors: Uses phishing emails with themes related to military, renewable energy, or business strategy as lures.
  13. APT23:

    • Suspected Attribution: China
    • Target Sectors: Media and government in the U.S. and the Philippines
    • Overview: Focuses on stealing information with political and military significance rather than intellectual property, likely supporting traditional espionage operations.
    • Associated Malware: NONGMIN
    • Attack Vectors: Uses spear phishing messages, including education-related lures, and leverages zero-day exploits once public.
  14. APT22:

    • Suspected Attribution: China
    • Target Sectors: Political, military, economic entities in East Asia, Europe, U.S.
    • Overview: Operational since at least early 2014, targeting public and private sector entities, including dissidents.
    • Associated Malware: PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM
    • Attack Vectors: Utilizes strategic web compromises and exploits vulnerable public-facing web servers to gain access.

Here's a summary of additional Advanced Persistent Threat (APT) groups:

  15. APT21 (Zhenbao):

    • Suspected Attribution: China
    • Target Sectors: Government
    • Overview: Uses strategic Russian-language attachments themed with national security issues to target state security information in Russia, also focuses on dissident groups seeking greater autonomy from China.
    • Associated Malware: SOGU, TEMPFUN, Gh0st, TRAVELNET, HOMEUNIX, ZEROTWO
    • Attack Vectors: Primarily uses spear phishing emails, strategic web compromises, and custom backdoors.
  16. APT20 (Twivy):

    • Suspected Attribution: China
    • Target Sectors: Construction, engineering, healthcare, non-profit, defense, chemical research
    • Overview: Engages in data theft operations, likely freelancer group with some nation-state sponsorship, interested in stealing data from individuals with political interests.
    • Associated Malware: QIAC, SOGU, Gh0st, ZXSHELL, Poison Ivy, BEACON, HOMEUNIX, STEW
    • Attack Vectors: Utilizes strategic web compromises, particularly targeting websites dealing with democracy, human rights, and other sensitive issues.
  17. APT19 (Codoso Team):

    • Suspected Attribution: China
    • Target Sectors: Legal, investment
    • Overview: Likely composed of freelancers with some Chinese government sponsorship, engaged in data theft operations.
    • Associated Malware: BEACON, COBALTSTRIKE
    • Attack Vectors: Utilizes phishing lures with malicious attachments, leverages known vulnerabilities, such as CVE-2017-0199.
  18. APT18 (Wekby):

    • Suspected Attribution: China
    • Target Sectors: Aerospace, defense, education, healthcare, high tech, telecommunications, transportation
    • Overview: Limited public information, known to develop or adapt zero-day exploits and use data from Hacking Team leaks.
    • Associated Malware: Gh0st RAT
    • Attack Vectors: Develops or adapts zero-day exploits, uses strategic web compromises.
  19. APT17 (Tailgator Team, Deputy Dog):

    • Suspected Attribution: China
    • Target Sectors: U.S. government, international law firms, IT companies
    • Overview: Conducts network intrusions against targeted organizations, uses encoded CnC in forums to obscure location.
    • Associated Malware: BLACKCOFFEE
    • Attack Vectors: Uses encoded CnC in forums, difficult to determine true location.
  20. APT16:

    • Suspected Attribution: China
    • Target Sectors: Japanese and Taiwanese organizations in high-tech, government, media, financial services
    • Overview: Concerned with Taiwan political and journalistic matters, utilizes spear phishing and strategic web compromises.
    • Associated Malware: IRONHALO, ELMER
    • Attack Vectors: Uses spear phishing emails targeting Taiwanese media organizations, strategic web compromises.
  21. APT15:

    • Suspected Attribution: China
    • Target Sectors: Global trade, economic, financial, energy, military sectors
    • Overview: Targets global organizations, shares resources with other Chinese APTs, utilizes well-developed spear phishing emails.
    • Associated Malware: ENFAL, BALDEAGLE, NOISEMAKER, MIRAGE
    • Attack Vectors: Uses spear phishing emails, backdoors, and infrastructure shared with other APT groups.
  22. APT14:

    • Suspected Attribution: China
    • Target Sectors: Government, telecommunications, construction, engineering
    • Overview: Engages in data theft operations, possibly focusing on military and maritime equipment and operations, uses phishing emails and custom SMTP mailer tool.
    • Associated Malware: Gh0st, POISONIVY, CLUBSEAT, GROOVY
    • Attack Vectors: Uses phishing emails, crafted to appear from trusted organizations, and may leverage zero-day exploits.
  23. APT12 (Calc Team):

    • Suspected Attribution: China
    • Target Sectors: Journalists, government, defense industrial base
    • Overview: Thought to have links to the Chinese People's Liberation Army, targets consistent with PRC goals, conducts intrusions in-line with PRC interests in Taiwan.
    • Associated Malware: RIPTIDE, HIGHTIDE, THREEBYTE, WATERSPOUT
    • Attack Vectors: Utilizes phishing emails from compromised accounts as malware delivery method.
  24. APT10 (Menupass Team):

    • Suspected Attribution: China
    • Target Sectors: Construction, aerospace, telecom, governments (US, Europe, Japan)
    • Overview: Chinese cyber espionage group targeting various sectors for national security goals and acquiring valuable intelligence.
    • Associated Malware: HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT
    • Attack Vectors: Utilizes traditional spear phishing and access through managed service providers.
  25. APT9:

    • Suspected Attribution: Freelancer group with some nation-state sponsorship, possibly China
    • Target Sectors: Multiple countries, healthcare, pharmaceuticals, construction, aerospace, defense
    • Overview: Engages in data theft, focusing on competitive data within targeted fields.
    • Associated Malware: SOGU, HOMEUNIX, PHOTO, FUNRUN, Gh0st, ZXSHELL
    • Attack Vectors: Utilizes spear phishing, access through remote services, and backdoors.
  26. APT8:

    • Suspected Attribution: China
    • Target Sectors: Media, entertainment, construction, aerospace, defense
    • Overview: Engages in intellectual property theft, targets organizations in various countries.
    • Associated Malware: HASH, FLYZAP, GOLFPRO, SAFEPUTT
    • Attack Vectors: Utilizes spear phishing emails, exploits vulnerable web servers, and malicious links via chat programs.
  27. APT7:

    • Suspected Attribution: China
    • Target Sectors: Construction, aerospace, defense
    • Overview: Engages in intellectual property theft, targeting organizations in the U.S. and U.K.
    • Associated Malware: DIGDUG, TRACKS
    • Attack Vectors: Uses lateral movement within corporate parent organizations as initial compromise method.
  28. APT6:

    • Suspected Attribution: China
    • Target Sectors: Transportation, automotive, telecommunications, electronics
    • Overview: Engages in data theft, targeting organizations in the U.S. and U.K.
    • Associated Malware: BELUGA, EXCHAIN, PUPTENT
    • Attack Vectors: Utilizes custom backdoors, including those used by other APT groups.
  29. APT5:

    • Suspected Attribution: China
    • Target Sectors: Regional telecommunications, high-tech manufacturing, military technology
    • Overview: Active since 2007, targets information about satellite communications and military technology.
    • Associated Malware: Various, including BRIGHTCREST, SWEETCOLA, SPIRITBOX
    • Attack Vectors: Utilizes malware with keylogging capabilities, targets telecommunication companies' networks.
  30. APT4:

    • Suspected Attribution: China
    • Target Sectors: Aerospace, defense, electronics, automotive, government
    • Overview: Focuses on intellectual property theft, particularly defense-related data.
    • Associated Malware: GETKYS, LIFESAVER, CCHIP, SHYLILT
    • Attack Vectors: Utilizes spear phishing emails with themes related to government or defense.
  31. APT3 (UPS Team):

    • Suspected Attribution: China
    • Target Sectors: Aerospace, construction, high tech, telecommunications
    • Overview: Sophisticated threat group using browser-based exploits as zero-days.
    • Associated Malware: SHOTPUT, COOKIECUTTER, SOGU
    • Attack Vectors: Deploys spear phishing emails and exploits vulnerabilities in Adobe Flash and Hangul Word Processor.
  32. APT2:

    • Suspected Attribution: China
    • Target Sectors: Military, aerospace
    • Overview: Engages in intellectual property theft, targeting competitive data.
    • Associated Malware: MOOSE, WARP
    • Attack Vectors: Uses spear phishing emails exploiting CVE-2012-0158.
  33. APT1 (Unit 61398, Comment Crew):

    • Suspected Attribution: China (PLA General Staff Department)
    • Target Sectors: Various industries, including IT, aerospace, public administration
    • Overview: Large-scale theft of data from numerous organizations, uses spear phishing as primary method.
    • Associated Malware: Various, including TROJAN.ECLTYS, BACKDOOR.BARKIOFORK
    • Attack Vectors: Deploys spear phishing emails with malicious attachments or links.
  34. APT38:

    • Suspected Attribution: North Korea
    • Target Sectors: Financial institutions worldwide
    • Overview: Responsible for large cyber heists, distinct from other North Korean cyber activity.
    • Associated Malware: Various custom malware for financial theft.
    • Attack Vectors: Targets financial institutions, aggressive in destroying evidence.
  35. APT37:

    • Suspected Attribution: North Korea
    • Target Sectors: Primarily South Korea, various industries including chemicals, electronics, healthcare.
    • Overview: Expanding in scope and sophistication, uses zero-day vulnerabilities and wiper malware.
    • Associated Malware: Diverse suite of malware for intrusion and exfiltration.
    • Attack Vectors: Utilizes social engineering tactics, strategic web compromises, and exploits vulnerabilities.
  36. APT28 (Tsar Team):

    • Suspected Attribution: Russian government
    • Target Sectors: The Caucasus, eastern European countries, NATO, defense firms
    • Overview: Collects intelligence on defense and geopolitical issues, receives resources from the Russian government.
    • Associated Malware: CHOPSTICK, SOURFACE
    • Attack Vectors: Uses spear phishing emails and exploits vulnerabilities in various software.

These APT groups demonstrate the diverse landscape of state-sponsored and freelance cyber threats targeting various sectors for espionage, intellectual property theft, and other malicious activities.
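Several of the groups above list the same families (SOGU, Gh0st, BEACON, ZXSHELL), and the notes on APT15 and APT6 say tooling is shared between groups. The following is an added example, not part of the original notes or of Mandiant's material: it builds a small index from the malware families the summary lists per group, inverts it, and reports which groups a detected family points to, so that a defender can see how weak a single malware match is as attribution evidence. The group data is this example's own abbreviation of the notes above, and the spelling normalization is an assumption of the example.

```python
from collections import defaultdict

# Constructed from the summary above (this example's own abbreviation of the notes):
# group -> (suspected attribution, named malware families).
GROUPS = {
    "APT30": ("China", ["SHIPSHAPE", "SPACESHIP", "FLASHFLOOD"]),
    "APT27": ("China", ["PANDORA", "SOGU", "ZXSHELL", "GHOST", "WIDEBERTH", "QUICKPULSE", "FLOWERPOT"]),
    "APT26": ("China", ["SOGU", "HTRAN", "POSTSIZE", "TWOCHAINS", "BEACON"]),
    "APT25": ("China", ["LINGBO", "PLAYWORK", "MADWOFL", "MIRAGE", "TOUGHROW", "TOYSNAKE", "SABERTOOTH"]),
    "APT24": ("China", ["PITTYTIGER", "ENFAL", "TAIDOOR"]),
    "APT22": ("China", ["PISCES", "SOGU", "FLATNOTE", "ANGRYBELL", "BASELESS", "SEAWOLF", "LOGJAM"]),
    "APT21": ("China", ["SOGU", "TEMPFUN", "Gh0st", "TRAVELNET", "HOMEUNIX", "ZEROTWO"]),
    "APT20": ("China", ["QIAC", "SOGU", "Gh0st", "ZXSHELL", "Poison Ivy", "BEACON", "HOMEUNIX", "STEW"]),
    "APT19": ("China", ["BEACON", "COBALTSTRIKE"]),
    "APT18": ("China", ["Gh0st RAT"]),
    "APT15": ("China", ["ENFAL", "BALDEAGLE", "NOISEMAKER", "MIRAGE"]),
    "APT14": ("China", ["Gh0st", "POISONIVY", "CLUBSEAT", "GROOVY"]),
    "APT9": ("Freelancer, possibly China", ["SOGU", "HOMEUNIX", "PHOTO", "FUNRUN", "Gh0st", "ZXSHELL"]),
    "APT3": ("China", ["SHOTPUT", "COOKIECUTTER", "SOGU"]),
    "APT28": ("Russian government", ["CHOPSTICK", "SOURFACE"]),
}

def normalize(name):
    """Fold the notes' spelling variants of one family onto a single key (assumption):
    "Gh0st", "Gh0st RAT" -> GH0ST; "Poison Ivy", "POISONIVY" -> POISONIVY.
    Whether APT27's "GHOST" is the same family is not stated, so it is left apart."""
    key = name.upper().replace(" ", "")
    return "GH0ST" if key.startswith("GH0ST") else key

def _group_number(group):
    return int(group[3:])  # "APT27" -> 27, for numeric ordering

def malware_index(groups=GROUPS):
    """Invert group -> families into family -> groups (numerically ordered)."""
    index = defaultdict(set)
    for group, (_, families) in groups.items():
        for family in families:
            index[normalize(family)].add(group)
    return {fam: sorted(gs, key=_group_number) for fam, gs in index.items()}

def candidates(family, groups=GROUPS):
    """Groups whose listed tooling includes `family`, each with its attribution.
    Several hits means the family is shared and is weak evidence on its own."""
    return [(g, groups[g][0]) for g in malware_index(groups).get(normalize(family), [])]

def shared_families(groups=GROUPS):
    """Families the notes attribute to more than one group."""
    return sorted(f for f, gs in malware_index(groups).items() if len(gs) > 1)
```

Running `candidates("SOGU")` returns seven groups, which is the practical point: a SOGU detection narrows attribution far less than a family listed for only one group, such as CHOPSTICK.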
