Industry Perspectives Blog

Rise of the Rest: APT Groups No Longer from Just China and Russia

While Russia and China remain atop the list of the most sophisticated cyber adversaries, FireEye has been observing an uptick in the number of state-sponsored cyber espionage campaigns from other countries. In fact, May 2017 marked the first time that FireEye announced an advanced persistent threat (APT) group attributed to a country other than Russia and China. That country was Vietnam, which previously was not considered a sophisticated actor, and the group is known today as APT32.

Since then, we have designated groups from multiple other countries as an APT. The APT label signifies that we have an in-depth knowledge of their attack lifecycle and high confidence that they are associated with a country’s government. For example, we had been tracking TEMP.Reaper, an espionage group we assess is carrying out activity on behalf of the North Korean government, for three years before we upgraded the group to APT37 in February 2018.

The asymmetric nature of cyber warfare is attractive to many emerging countries. Improving cyber capabilities is often more cost effective than other traditional defensive or offensive measures. In addition, they have nothing to gain by sitting out of the cyber arms race, since that does not inoculate them from being targeted.

As an example, the catalyst for Iran improving its cyber capabilities was the 2010 discovery of the Stuxnet worm that damaged Iran's nuclear facilities, the first discovered malware that subverts industrial control systems. While Iran still lags behind the global cyber superpowers in terms of sophistication, it has since made developing offensive cyber threat capabilities a high priority and considers cyber threat activity to exemplify Iran's asymmetric warfare doctrine.

Nations across the globe are putting a premium on improving their cyber capabilities, and there are many ways they can do so. There are numerous cyber surveillance tools for purchase, knowledgeable cyber crime communities worldwide that governments may be able to collaborate with or coerce, and technically savvy people looking for stable jobs who can be hired to develop in-house tools. Vietnam’s APT32, for example, uses a unique, customized suite of fully-featured malware along with commercially-available tools.

Governments do not confine their targeting to other governments. FireEye has seen government-sponsored cyber actors seek to steal intellectual property, conduct economic espionage during international business or investment deals, opportunistically monitor the communications of executives who are traveling within the country, and pre-position themselves on corporate networks within non-allied nations, likely to cause damage in case geopolitical tensions increase. Therefore, neither public nor private sector organizations are immune to cyber risk, and no country’s cyber capabilities can be safely dismissed.

To hear more about the emergence of these cyber adversaries from other countries, attend the MISTI APT e-Summit on May 3, and join me, FireEye Executive Briefer Sarah Geary, as I present the webinar: Rise of the Rest: APT Groups No Longer From Just China and Russia. I look forward to seeing you there!