Advanced Persistent Threat (APT) Groups: What They Are and Where They Are Found

What are Advanced Persistent Threats?

An Advanced Persistent Threat (APT) is a malicious actor who possesses extraordinary skill and resources. This enables them to infiltrate and exfiltrate an organizations’ network. APTs use a variety of techniques, tactics, and tools—such as highly-targeted social engineering attacks, ransomware, vulnerability exploits, and zero-days to accomplish their illicit objectives.

While some threat actors work alone, multiple government authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) have linked attacks to APT groups. Several of these groups have ties to specific nation-states who use them to further their country’s interests.

How do Advanced Persistent Threat groups operate?

Advanced Persistent Threat groups, as well as those sponsored by a nation-state, aim to gain undetected access to a network. They then remain silently persistent, establish a backdoor, and/or steal data, as opposed to causing damage. Once inside the target network, APTs leverage malware to achieve their directives, which may include acquiring and exfiltrating data.

Where are APTs located?

Here is a collection of Flashpoint’s coverage of known APT groups and other state-sponsored hacking groups:

Russia: Fancy Bear, GRU, FSB, Conti, and more

Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups

Led by Russian-based threat actors, the Conti ransomware variant was first observed in or around February 2020. The collective quickly became one of the most active groups in the ransomware space.

---

Killnet: Inside the World’s Most Prominent Pro-Kremlin Hacktivist Collective

Killnet has established itself as a high-visibility force within the realm of digital warfare. Known as one of the most active and ambitious pro-Kremlin hacktivist groups, Killnet’s volatility has intensified since the Russia’s invasion of Ukraine.

---

Killnet: Russian DDoS Groups Claims Attack on US Congress Website

The Russian hacktivist DDoS group “Killnet” claimed responsibility for an attack on the US Congress website. At the start of Russia’s invasion of Ukraine, Killnet declared their allegiance to the Russian government. Killnet has since continued to threaten Western countries who support the Ukraine military.

---

Killnet, Kalingrad, and Lithuania’s Transport Standoff With Russia

Russian cyber collective Killnet took responsibility for DDoS attacks on the Lithuanian government and private institutions. Killnet has declared their allegiance to the Russian government in the Russian-Ukraine war.

---

Russia Is Cracking Down on Cybercrime: Here Are the Law Enforcement Bodies Leading the Way

Flashpoint found that the domains of multiple Russian-language illicit communities were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by Russian law enforcement.

---

How Russia Is Isolating Its Own Cybercriminals

Russian cybercriminals have long dominated the threat landscape. This is because of the Russian government, who usually turns a blind eye to their dealings.

---

Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Who Exploit Them

Far before the Russian-Ukraine war, Ukrainian officials believed that they had already experienced multiple cyberattacks led by Russian APT groups. Although Russia has not officially claimed responsibility, Britain’s cybersecurity agency, the NCSC linked those attacks to Russia’s GRU military intelligence.

---

Assessing Threats to the Pyeongchang 2018 Winter Olympics

Olympic events have a long history of attracting cyber attacks, and Pyeongchang 2018 is no exception. The Russian APT group “Fancy Bear” leaked emails and documents from Olympic-related agencies regarding anti-doping violations.

China: CISA advisories and ties to the Chinese People’s Liberation Army

Analysis of CISA’s Advisory on Top CVEs Exploited By Chinese State-Sponsored Groups

On October 6, 2022, CISA released a joint advisory detailing the top twenty vulnerabilities being used by known Chinese APT groups and state-sponsored threat actors. Despite being mostly attributed to China, Flashpoint observed it is highly likely that they are being used by threat actors of other regions.

---

Hackers Are Still Exploiting Log4Shell Vulnerability, Warns CISA

CISA and the United States Coast Guard Cyber Command warned that nation-state hackers were still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.

---

China is Exploiting Network Providers and Devices, Says US Cybersecurity Advisory

CISA released an advisory detailing the commonly used CVE vulnerabilities and exploits used by Chinese state-sponsored cyber actors. Many of the CVEs are associated with network devices.

---

‘Great Cyber Power’ China and Its Influence Across APAC: 2021 Analysis and Timeline

In 2021, the Chinese government reigned in their domestic technology companies, aiming to become a great cyber power. Unsealed indictments describe Chinese nation-state actor activity—linking them to China’s civilian technology sector, using front companies to operate in the open.

---

China’s Hackers to Showcase Zero-Day Exploits at Tianfu Cup

The Chinese government forbade its country’s security researchers from competing in international hacking competitions, stating that the zero-day exploits of its citizens could “no longer be used strategically.”

Iran: MuddyWater and state-sponsored ransomware

Who’s Behind Iranian Cyber Threat Actor Group MuddyWater?

On January 12, 2022, US Cyber Command attributed the Iranian “MuddyWater” cyber threat group to Iran’s Ministry of Intelligence and Security (MOIS)—one of Iran’s premier intelligence organizations.

---

A Second Iranian State-Sponsored Ransomware Operation “Project Signal” Emerges

Flashpoint validated leaked documents indicating that Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company.

---

Suspected Iranian Actors Pushing Domestic Extremists to Target US Politicians and Electoral Security Officials

Evidence perhaps shows that a disturbing online campaign under the slogan “Enemies of the People” was actually an elaborate disinformation effort carried out by hostile Iranian cyber actors.

North Korea: Specialized training and the Guardians Of Peace

Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

South Korea’s Computer Emergency Response Team released a notice regarding an Adobe Flash vulnerability—at least one South Korean security researcher has stated that they observed North Korean threat actors using it to exploit to target South Korean entities.

---

Threat Actor Groups of the Korean-language Underground

North Korean’s cyber capabilities have been closely overseen by the North Korean government—with Kim Jong II establishing a system of education institutions to provide specialized training in the STEM disciplines.

---

A Breakdown and Analysis of the December, 2014 Sony Hack

On November 25, a group calling itself GOP or The Guardians Of Peace hacked their way into Sony Pictures, leaving the Sony network crippled for days. After many days, North Korean threat actors were linked to the prolific data breach.

Track threat actor activity with Flashpoint

There are many more APT groups located throughout the world, but understanding their general tactics helps security teams protect their networks. Attackers will use tried-and-trued methods, linking together multiple techniques that can be replicated against most organizations. The Flashpoint Intelligence Platform contains detailed Finished Intelligence reports on many more known APT groups, as well as threat actor chatter. Sign up for a free trial today.

Within the realm of digital warfare, the threat actor group known as “Killnet” has established itself as a high-visibility force. Emerging as one of the most active and ambitious pro-Kremlin hacktivist collectives, Killnet’s volatility has intensified since the onset of Russia’s invasion of Ukraine over a year ago.

While Killnet demonstrates persistence, it is also notably fickle. The group constantly seeks new avenues for expansion, evolving their tactics, and capturing attention using what they proclaim as their “army of cyber partisans” and the pro-Kremlin media eager to deliver storylines that align with the narrative of the Russian government. Alongside their pursuit of financial gain, Killnet’s notorious alignment with pro-Kremlin ideological motives has fueled their collective drive since the inception of the Russia-Ukraine conflict.

Understanding the inner workings of a prominent group like Killnet becomes vital for organizations aiming to grasp the broader cyber threat landscape. By unraveling the operations of Killnet, organizations can bolster their understanding and fortify their defenses against this evolving menace.