Attempts to define the characteristics of an Advanced Persistent Threat (APT) are often varied and describe a wide range of behaviors, capabilities, and motivations. In this exercise, we’ll look into a widely accepted definition of APT and review two well-known APTs to explore the factors that lead to their classification.
Defining an APT
Per the National Institute of Standards and Technology (NIST), a renowned source of information- and network-security guidance, three characteristics define an APT: repeated and continuous pursuit of specific objectives, active adaptation to measures taken to defend against attacks, and maintenance of sufficient control mechanisms to execute necessary functions (NIST, 2013). This NIST definition will be used to compare and contrast the known characteristics, capabilities, motivations, and operations of two well-known APT groups: APT 28 and Lazarus Group.
Introduction to the APTs – APT 28 & Lazarus Group
As cybersecurity has moved further into the public sphere, the idea of the Advanced Persistent Threat has become more real even to those not directly involved in information technology (IT) or network security. From large-scale attacks such as the 2016 presidential election interference and the WannaCry ransomware attacks to smaller-scale incidents such as concerted attacks on cryptocurrency exchanges, the actions of APTs are becoming increasingly complex, while the effects of these actions are becoming more widespread and public.
The APTs themselves are also aware of these trends and are taking measures to ensure that their operations stay efficient, effective, and difficult to defend against. Well-known threat groups, APT 28 and Lazarus Group, are defined as APTs according to the definition provided by the National Institute of Standards and Technology (NIST).
APT 28 and the Lazarus Group have conducted relatively recent large-scale cyber-attacks which fit this description of efficiency, complexity, and ability to keep pace with cybersecurity trends. APT 28, also known as Fancy Bear, Strontium, and Tsar Team, has largely been concerned with targeting critical infrastructures of enemies of the Russian government, both foreign and domestic (Mwiki, 2019).
In 2016, APT 28 perpetrated an attack against the Democratic National Committee (DNC) in which threat actors intruded into the DNC network, harvested sensitive information and troves of private e-mails, and leaked the data to the public. Within evidence from this intrusion, files were found which utilized Russian language settings, and some files included Cyrillic text artifacts. Other crucial evidence supporting this group’s ties to Russia was the use of Command & Control (C2) functions instructed to communicate with IP addresses already associated with APT 28.
Although this evidence does not conclusively establish the group’s ties to the Russian government, it is unlikely that another APT left this evidence behind to masquerade as APT 28, as the governments of the United States and United Kingdom have identified APT 28 as one of the operating arms of Russia’s Main Intelligence Directorate (GRU). This claim was further asserted when the U.S. placed sanctions on the Russian government for interference in the 2016 presidential election, directly implying a relationship between APT 28 and the Kremlin.
The second APT subject of this analysis, Lazarus Group, is believed to be directly responsible for the infamous 2014 breach of Sony Pictures Entertainment and the exfiltration of over one hundred terabytes of sensitive data. Also known as Operation Blockbuster, this cyber-attack on Sony was attributed to Lazarus Group, a collection of threat actors that were already fairly well known at the time, including their technologies, code-sharing behaviors, and alleged ties to the North Korean government.
Lazarus Group has a history of targeting several distinct industries, including military entities, governments, financial institutions, and entertainment companies. The malware used in the Sony attack had previously been associated with Lazarus Group, allowing the attack to be attributed relatively quickly. Other evidence that this attack was executed by Lazarus Group lies within other technical parts of the malware used to harvest and destroy data, such as the encryption algorithms, data deletion routines, and software naming schemes familiar from Lazarus Group and related sub-groups.
Despite this evidence, though, there is still some uncertainty surrounding North Korea perpetrating this specific attack. For example, the IP addresses used for C2 communications were not previously associated with Lazarus Group; rather, they were commonly known addresses utilized by a variety of threat actors. Also, some of the leaked data pertained to plans for employee downsizing, and it has been argued that “insider knowledge” would have been needed to access some of the compromised data. However, it is contended that the previously unassociated IP addresses are perhaps not the hallmark of a different actor, but rather an attempt by Lazarus Group to conceal their actions or hide their origins. Although some former employees fell under suspicion of assisting in the attack, those investigating the incident never took the blame off of Lazarus Group and, consequently, North Korea.
Analysis of APTs and their methodologies
With the definition of APTs provided by NIST, we can begin to analyze the capabilities of both APT 28 and Lazarus Group and uncover the characteristics which make them true APTs.
The first stipulation of the definition, repeated and continuous pursuit of specific objectives, applies to both APT 28 and Lazarus Group. To confirm this, a brief analysis of their attack patterns must be conducted. APT 28 attacked several entities pertaining to the Democratic Party, including the Democratic National Committee, the Democratic Congressional Campaign Committee, and the Hillary Clinton presidential campaign. These successive strikes against a single United States political institution have all the characteristics necessary to satisfy the first requirement of the APT definition.
For Lazarus Group, the primary motivations are believed to be general information collection as well as financial gain. Although much broader than APT 28 in their mission, these motivations make sense of their operating strategy of attacking such a wide range of verticals on an international scale. Finding monetary success through avenues of cybercrime makes sense for North Korea, which has come under heavy sanctions in recent history, providing a geopolitical context for the origination of Lazarus Group’s operations. As with APT 28, an analysis of Lazarus Group’s previous attack history satisfies the first component of the NIST definition for APTs.
Beginning in 2007, Lazarus Group’s operations have spanned from wide-scale DDoS attacks on foreign militaries to intrusions into South Korean bank infrastructure; Lazarus Group’s history is littered with repeated attacks in pursuit of specific goals. On the technical side, both threat groups have demonstrated their use of phishing and spear-phishing techniques, granting access to user accounts and the privileges that come along with them. There is evidence to suggest that both APTs have utilized spear-phishing via malicious e-mail attachments and malicious shortened hyperlinks disguised to appear as something else (Mwiki, 2019).
The second requirement of the NIST definition for APTs is active adaptation to measures taken to defend against attacks. This can be shown via analysis of further technical capabilities of the APTs.
For APT 28, several mechanisms are utilized which ensure evasion of defensive measures that could be deployed against attacks. Such mechanisms include creation of AutoStart Extensibility Points (ASEPs) and utilization of encrypted and compressed payloads (Mwiki, 2019). As a further example, APT 28 is known to ensure the resiliency of their C2 infrastructure via mechanisms such as installing loader Trojans to ensure persistence.
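ASEP abuse leaves a concrete, auditable footprint: a registry write to a Run/RunOnce key, a Winlogon hook, or a service ImagePath. The following detector is an added example written for this page, not code from the essay or from any cited report. It triages constructed registry-write events (shaped loosely like Sysmon Event ID 13, but the field names, the baseline of legitimate writers, and the sample hosts and paths are all assumptions) and flags ASEP writes by processes outside the baseline or whose new value points at a user-writable staging path or script host.

```python
"""Flag writes to common Windows AutoStart Extensibility Points (ASEPs).

Added example, not from the original essay. Input is a list of constructed
registry-write events; field names are assumptions, not a Sysmon schema.
"""
import re
from dataclasses import dataclass

# Well-known ASEP locations: Run/RunOnce keys, Winlogon hooks, service binaries.
ASEP_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
]

# Processes that legitimately touch these keys during software installs.
# Constructed baseline for the example; a real one is tuned per environment.
BASELINE_WRITERS = {"msiexec.exe", "svchost.exe"}

# Value data pointing at user-writable staging areas or script/proxy hosts.
SUSPICIOUS_DETAILS = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|wscript|rundll32|regsvr32)", re.I)


@dataclass
class RegEvent:
    host: str
    image: str     # process that performed the write
    target: str    # full registry path of the value written
    details: str   # new value data


def is_asep(target):
    """True if the registry path is one of the monitored ASEP locations."""
    return any(p.search(target) for p in ASEP_PATTERNS)


def triage(events):
    """Return (host, target, reason) for each ASEP write worth an analyst's look."""
    findings = []
    for e in events:
        if not is_asep(e.target):
            continue
        writer = e.image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if writer not in BASELINE_WRITERS:
            reasons.append("writer not in baseline")
        if SUSPICIOUS_DETAILS.search(e.details):
            reasons.append("payload path or LOLBin in value")
        if reasons:
            findings.append((e.host, e.target, "; ".join(reasons)))
    return findings


# Constructed sample events (hostnames, paths and values are made up).
SAMPLE_EVENTS = [
    # Installer writing a vendor updater under Program Files: expected noise.
    RegEvent("WS-01", r"C:\Windows\System32\msiexec.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r"C:\Program Files\Vendor\updater.exe"),
    # Office process adding a Run key that points into the user's AppData.
    RegEvent("WS-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSync",
             r"C:\Users\alice\AppData\Roaming\sync\onedrv.exe"),
    # Ordinary Explorer preference change: not an ASEP, ignored.
    RegEvent("WS-02", r"C:\Windows\explorer.exe",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
             "1"),
    # Shell modifying Winlogon\Userinit to chain a DLL via rundll32.
    RegEvent("WS-02", r"C:\Windows\System32\cmd.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             r"C:\Windows\system32\userinit.exe,rundll32.exe C:\ProgramData\x.dll,Start"),
]

if __name__ == "__main__":
    for host, target, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {target} [{reason}]")
```

The two flagged events are the Office process writing a Run key into AppData and the Winlogon Userinit change; the installer write is suppressed by the baseline, and the Explorer preference is never an ASEP. The value of this check is that it keys on the persistence location, which an adversary must use regardless of how the payload itself is packed or encrypted.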
Likewise, in order to evade defensive measures, Lazarus Group has deployed mechanisms that are known to defeat certain security platforms such as Microsoft Windows System Event Notification & Alerter and McAfee Antivirus. Lazarus Group is also demonstrably innovative in the deletion of files. This pertains not only to information Lazarus Group is looking to remove from the victim, but also to hiding traces left behind by the deployment of their own malware (MITRE, n.d.).
The last stipulation of the NIST definition of APTs pertains to maintaining enough control over infected systems that the core mission operations can continue. For example, APT 28 is known to use bootkits and command-line interfaces to create new backdoors into systems, leaving them vulnerable even if the initial vulnerability is corrected. APT 28 has also demonstrated the ability to create custom cryptographic protocols for the purpose of securing and concealing C2 traffic, allowing for quick setup or alteration of C2 capabilities.
Lazarus Group has developed several “fallback channels”, i.e., their C2 implants are often hard-coded to reach back to one of several servers, seemingly at random. Also, in the interest of maintaining control, Lazarus Group has more recently demonstrated the ability to monitor traffic and collect intelligence on a victim network, as seen in their October 2018 Operation Sharpshooter.
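Hard-coded fallback channels produce a recognizable network pattern: when one C2 host is unreachable, the implant fails over within seconds to another member of a small, recurring pool. The following detector is an added example for this page, not code from the essay or from any cited report. It runs over constructed outbound-connection records (the field layout, the documentation-range IP addresses, the hostnames and the thresholds are all assumptions) and reports source hosts that repeatedly fail over between a small fixed set of destinations.

```python
"""Spot hosts that fail over between a small, fixed pool of remote servers.

Added example, not from the original essay. Input is a list of constructed
outbound-connection records (firewall/proxy style); field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    ok: bool   # True if the connection succeeded, False if it failed/timed out


def failover_events(conns, window=timedelta(seconds=60)):
    """Yield (src, failed_dst, fallback_dst) for each failed connection that is
    followed within `window` by a successful connection to a different destination."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    events = []
    for src, seq in by_src.items():
        for i, c in enumerate(seq):
            if c.ok:
                continue
            for nxt in seq[i + 1:]:
                if nxt.ts - c.ts > window:
                    break
                if nxt.ok and nxt.dst != c.dst:
                    events.append((src, c.dst, nxt.dst))
                    break
    return events


def fallback_suspects(conns, min_failovers=2, max_pool=5):
    """Return {src: sorted destination pool} for hosts with repeated failovers
    confined to a small, recurring set of destinations. A single failover is
    ordinary CDN/redundancy noise; several across the same few hosts is not."""
    pools = defaultdict(set)
    counts = defaultdict(int)
    for src, failed, fallback in failover_events(conns):
        pools[src].update({failed, fallback})
        counts[src] += 1
    return {src: sorted(pools[src]) for src in counts
            if counts[src] >= min_failovers and len(pools[src]) <= max_pool}


# Constructed sample traffic (hosts and addresses are made up; 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, not real infrastructure).
T0 = datetime(2020, 9, 1, 12, 0, 0)
SAMPLE_CONNS = [
    # 10.0.0.5 keeps trying a primary server and falls back to two alternates.
    Conn(T0, "10.0.0.5", "203.0.113.10", False),
    Conn(T0 + timedelta(seconds=5), "10.0.0.5", "203.0.113.20", True),
    Conn(T0 + timedelta(seconds=300), "10.0.0.5", "203.0.113.10", False),
    Conn(T0 + timedelta(seconds=305), "10.0.0.5", "198.51.100.7", True),
    Conn(T0 + timedelta(seconds=600), "10.0.0.5", "203.0.113.10", False),
    Conn(T0 + timedelta(seconds=604), "10.0.0.5", "203.0.113.20", True),
    # 10.0.0.9 has one failed fetch followed by a success elsewhere: benign noise.
    Conn(T0 + timedelta(seconds=100), "10.0.0.9", "198.51.100.50", False),
    Conn(T0 + timedelta(seconds=110), "10.0.0.9", "198.51.100.51", True),
    # 10.0.0.12 only ever succeeds.
    Conn(T0 + timedelta(seconds=200), "10.0.0.12", "198.51.100.60", True),
]

if __name__ == "__main__":
    for src, pool in fallback_suspects(SAMPLE_CONNS).items():
        print(f"{src}: repeated failover across {pool}")
```

Only 10.0.0.5 is reported, with a three-address pool; 10.0.0.9 generates one failover event but falls below the repetition threshold. The thresholds are deliberately conservative because redundant legitimate services also fail over; what distinguishes the implant pattern is the same small pool recurring over time from one source.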
It is important to note that, while APTs serve as excellent case studies for understanding some of the geopolitical motivations of our adversaries, they are continuously active, always in pursuit of some very specific goal. At the time of writing this piece, Microsoft has reported that APT 28, along with other international threat groups, has ramped up its efforts to compromise the 2020 Presidential Election, specifically various accounts of those closely involved with it.
According to Microsoft, members of both the Trump and Biden campaigns have experienced coordinated attack efforts against accounts held by themselves, their staffers, and their consultants. From the available evidence, it has been determined that these groups are investing more of their resources in anonymization and automation, but classic techniques like spear-phishing remain just as prominent. This shift in architectural investment is noteworthy, as understanding the tools an adversary chooses to utilize can inform defenders of its long-term goals.
The efforts of APTs are well coordinated, well funded, and always serve some larger purpose. In order to defend our critical processes against such foes, appropriate defenses must be planned for and deployed. While the actions of APTs make up a small percentage of all cyber incidents that occur, their effectiveness and precision command attention. While it is true that not all cyber attacks can be perfectly defended against, understanding the mechanisms, motivations, and movements of adversarial groups like APTs helps reinforce and strengthen our operational defenses and overall security.
APTs are becoming more ubiquitous in the common discourse surrounding today’s cybersecurity. Because of this, it is important to distinguish between rogue actors, unfortunate cyber accidents, and actual APTs. Using the definition of APTs provided by NIST, an analysis was conducted on two suspected APT groups: APT 28, a group long thought to be an operating arm of the GRU, and Lazarus Group, a collection of actors allegedly tied to North Korea which pursues financial gain and collection of international intelligence. By analyzing the geopolitical trends surrounding these groups, the methods and technologies utilized by each group, and their recorded attack patterns, both APT 28 and Lazarus Group demonstrably satisfy the requirements for APT consideration outlined in the definition provided by NIST.
Mwiki, H., Mwiki, D., Raymond, K. (2019). Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin: Theories, Methods, Tools and Technologies. doi: 10.1007/978-3-030-00024-0_12.
NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53 Rev. 4. doi: 10.6028/nist.sp.800-53r4