Advanced Persistent Threat (APT) Groups: What Are They and Where Are They Found?


What are Advanced Persistent Threats?

An Advanced Persistent Threat (APT) is a malicious actor that possesses exceptional skills and resources that allow it to infiltrate and exfiltrate an organization’s network. APTs use a variety of techniques, tactics, and tools—such as highly targeted social engineering attacks, ransomware, vulnerability exploits, and zero-days—to achieve their illicit goals.

While some threat actors work alone, several government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have linked attacks to APT groups — with some having ties to specific nation-states that they use to further their country’s interests.

How do Advanced Persistent Threat groups work?

APT groups, including those sponsored by a nation state, often aim to gain undetected access to a network and then persist silently, setting up a backdoor and/or stealing data rather than causing visible harm. Once on the target network, APTs use malware to carry out their instructions, which may include data capture and exfiltration.

Where are APTs located?

Here is a collection of Flashpoint’s coverage of known APT groups and other government-sponsored hacking groups, sorted by alleged country of origin:

Russia: Fancy Bear, GRU, FSB, Conti and more

Conti Ransomware: The Story Behind One of the Most Aggressive RaaS Groups in the World

Led by Russia-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective quickly became one of the most active groups in the ransomware space.


Killnet: Russian DDoS groups claim attack on US Congress website

Russian DDoS hacktivist group Killnet claimed responsibility for an attack on the US Congress website. At the beginning of the Russian invasion of Ukraine, Killnet declared its allegiance to the Russian government and has since continued to threaten Western countries that support the Ukrainian military.


Killnet, Kaliningrad and Lithuania’s transport conflict with Russia

Russian cyber collective Killnet claimed responsibility for DDoS attacks on the Lithuanian government and private institutions. Killnet declared allegiance to the Russian government in the Russo-Ukrainian War.


Russia is cracking down on cybercrime. This is where law enforcement agencies lead

Flashpoint found that the domains of several Russian-speaking illegal communities were confiscated by Department K, a department of the Ministry of Internal Affairs of the Russian Federation. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by Russian law enforcement agencies.


How Russia is isolating its own cybercriminals

Russian cybercriminals have long dominated the threat landscape – backed by the Russian government, which has typically turned a blind eye to their business as long as their attacks target organizations outside the country.


Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Exploiting Them

Well before the Russo-Ukrainian war, Ukrainian officials believed they had already witnessed several cyberattacks led by Russian APT groups. Although Russia has not officially claimed responsibility, the British cybersecurity agency NCSC linked these attacks to the Russian military intelligence agency GRU.


Pyeongchang 2018 Winter Olympics threat assessment

Olympic events have long attracted cyberattacks, and PyeongChang 2018 is no exception. Weeks before the event, Russian APT group Fancy Bear leaked emails and documents from Olympic Games-related anti-doping violation authorities in order to tarnish the reputations of participating countries.


China: CISA consultations and liaison with the Chinese People’s Liberation Army

On October 6, 2022, CISA released a joint advisory listing the top twenty vulnerabilities used by well-known Chinese APT groups and state-sponsored threat actors. Although they are primarily attributed to China, Flashpoint found that there is a high likelihood that they will be used by threat actors from other regions.


Hackers still exploit Log4Shell vulnerability, CISA warns

CISA and the US Coast Guard Cyber Command warned that nation-state hackers are still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.


According to a US cybersecurity advisory, China is exploiting network providers and devices

CISA has published an advisory listing the CVEs and exploits commonly used by state-sponsored cyber actors in China. Many of the CVEs affect network devices.


“Major Cyber Power” China and its Influence in APAC: Analysis and Timeline 2021

In 2021, the Chinese government tightened control over its domestic tech companies with the goal of becoming a major cyber power. Unsealed indictments describe the activities of Chinese nation-state actors, linking them to China’s civilian technology sector and to front companies used to operate in the open.


China’s hackers present zero-day exploits at the Tianfu Cup

The Chinese government banned its country’s security researchers from participating in international hacking competitions, stating that its citizens’ zero-day exploits “could no longer be used strategically.”


Iran: MuddyWater and state-sponsored ransomware

Who is behind the Iranian cyber threat actor group MuddyWater?

On January 12, 2022, US Cyber Command attributed the Iranian cyber threat group “MuddyWater” to the Iranian Ministry of Intelligence and Security (MOIS) – one of Iran’s top intelligence organizations.


A second Iranian state-sponsored ransomware operation “Project Signal” emerges

Flashpoint validated leaked documents showing that the Iranian Islamic Revolutionary Guard Corps (IRGC) ran a state-sponsored ransomware campaign through an Iranian contractor.


Suspected Iranian actors urging domestic extremists to target US politicians and election security officials

Evidence suggests that a disturbing online campaign dubbed “enemies of the people” was in fact an elaborate disinformation effort carried out by hostile Iranian cyber actors.


North Korea: Technical Training and the Keepers of the Peace

Targeted attacks against South Korean companies may have taken place as early as November 2017

South Korea’s Computer Emergency Response Team issued a notice regarding an Adobe Flash vulnerability – at least one South Korean security researcher has said they observed North Korean threat actors using it to attack South Korean targets.


Korean-speaking underground threat actor groups

North Korea’s cyber capabilities have been closely cultivated by the North Korean government – with Kim Jong Il establishing a system of educational institutions to offer specialized training in the STEM disciplines.


A breakdown and analysis of the December 2014 Sony hack

On November 25, a group called GOP, or The Guardians Of Peace, hacked into Sony Pictures and shut down the Sony network for days. North Korean threat actors were subsequently linked to the data breach.


Track threat actor activity with Flashpoint

There are many other APT groups around the world, but understanding their common tactics helps security teams protect their networks. Attackers reuse proven techniques and combine several of them in ways that can be replicated against most organizations. The Flashpoint Intelligence Platform contains detailed finished intelligence reports on many other well-known APT groups, as well as chatter from threat actors. Sign up today for a free trial.

