Dark Hotel, Crouching Yeti, Machete, Sofacy, Sandworm – what do these words have in common? They are all names given to hacker groups that have been designated by cybersecurity firms as advanced persistent threats (APTs). These groups have been appearing more often, and their ability to breach networks and cause damage has kept up with, and in many cases surpassed, the ability of cybersecurity firms to keep them out. The names given to these groups may be bizarre, but make no mistake, APTs are a significant and growing part of the cyber-threat facing businesses and governments every day.
APTs have become the boogeymen of the cybersecurity industry, but what are they really? At their core, APTs are groups of hackers who have demonstrated an exceptionally high degree of skill, a singular focus on breaching a specific target, and the capacity to remain undetected within target networks for long periods of time.
Colin McKinty, vice president for cybersecurity strategies in the Americas for BAE, also describes these groups as having “a combination of shrewdness, perseverance and sophistication,” and this too sets them apart from other hacker groups like Anonymous.
Many APTs are believed to be state-sponsored, due to their extreme sophistication, but several are merely highly skilled criminal groups, although they too may be working for governments. Regardless of their origins, the overwhelming majority of APTs focus on stealing information – be it personally identifying information, financial information, or intellectual property.
However, some APTs are focused on more than just stealing information. There has always been a subset of advanced persistent threats that are oriented around causing damage directly – and there are concerns that this could become more common. One of the best examples of a well-executed APT attack is the Stuxnet worm, and it was focused entirely on damaging infrastructure. Stuxnet was used to destroy nuclear centrifuges in an Iranian research facility, and it did so without being detected until it had already caused a considerable amount of damage. Following Stuxnet, there was a profusion of APTs using damaging malware to destroy target computers. The Wiper malware, for example, was used to destroy information on computers used in Iran’s oil ministry. Shortly thereafter, the Shamoon malware was used to disable 30,000 computers belonging to Saudi Aramco.
Arguably the most well-known instance of a damaging APT attack occurred when Sony Pictures Entertainment was hit with a Wiper variant that destroyed a large amount of information on its systems. A recent effort from a coalition of cybersecurity firms has determined that the Sony hack was carried out by an APT entity known as the Lazarus Group. Brian Bartholomew, a Senior Security Researcher at Kaspersky Lab North America, spoke with The Cipher Brief about the Lazarus APT. Bartholomew’s concerns were focused on the implications of Lazarus’ use of damaging malware as part of their attack, and on the possibility that “now that they have executed destructive attacks on multiple occasions, other groups may consider it a viable option in their toolbox.” If that is the case, then APTs will only become more damaging and more dangerous moving forward.
There are already signs that damaging APTs are extending their reach beyond the destruction of information. In December 2015, the Ukrainian power grid was disrupted when the Sandworm APT used BlackEnergy malware to cause a blackout that affected 225,000 people. While Stuxnet also damaged physical infrastructure, there had been a distinct lack of any similar attacks for many years. Now, however, this kind of infrastructure-focused attack could become the next frontier for APTs that seek to cause harm, rather than just stealing or deleting information.
Advanced persistent threats are unlikely to disappear anytime soon, and they will continue to grow more sophisticated. However, the cybersecurity industry is beginning to take a more coordinated approach to disrupting APTs, as seen in undertakings such as Operation Blockbuster – which helped to expose the Lazarus Group. These efforts will hopefully help to ensure that organizations are better able to detect and remediate problems caused by APTs.
Additionally, while the technical solutions meant to counter APTs are advancing, it is important not to neglect the human side of the equation as well. The vast majority of APTs are able to gain access to their targets using social engineering tactics, such as spear-phishing. By tricking employees into opening infected attachments or emails, the hackers are able to establish a beachhead inside their target’s network and begin stealing or destroying information. Therefore, it is critical to ensure that employees are well versed in good cyber-hygiene in order to help minimize the risk posed by APTs.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.